Allow configuring ldap3's TLSObject/SSLContext

[maziyarpanahi]

Hi,

My OpenLDAP is only accessible through SSL (636). On linux machines I simply add the following to "/etc/ldap/ldap.conf":

TLS_CACERT /etc/ldap/ca_certs.pem

This lets me communicate to my LDAP server over SSL and lets users to SSH to the machine easily.

Now the problem in ldapauthenticator, I have these configs:

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldaps://myLdapServer'
c.LDAPAuthenticator.user_attribute = 'uid'
c.LDAPAuthenticator.bind_dn_template = 'uid={username},ou=People,dc=domain,dc=com'

Since there is no place to mention TLS file I am assuming it uses the system LDAP config. I can connect to LDAP server (accepted), it shows the right bind_dn but it shows this error:

JupyterHub ldapauthenticator:154] Invalid password for user uid=myUserName,ou=People,dc=domain,dc=com

And on the LDAP server it gives me:

RESULT tag=97 err=49 text=

Is it right to assume there is a SSL problem? How can I solve this issue.

Many thanks.

[danroliver]

c.LDAPAuthenticator.user_attribute = 'uid' is not needed unless c.LDAPAuthenticator.lookup_dn = True, so you can safely remove that line.

I suggest sshing into the server that is doing the authentication, doing a sudo apt-get install ldap-utils and then running an ldapsearch using the -v for verbose output to check your settings. You would use ldapsearch -v -H "ldaps://myldapserver.edu:636" -b "ou=People,dc=domain,dc=com" "uid=testUsername" If search requires authentication, pass the -W parameter for ldapsearch to prompt you for credentials. On my end, I found that I had a parameter miskeyed in the template. I was missing an ou.

[dhirschfeld]

It seems this may require configuring a custom SSLContext http://ldap3.readthedocs.io/ssltls.html#sslcontext