puckel / docker-airflow

Docker Apache Airflow
Apache License 2.0

Not able to login to Airflow using LDAP and unable to debug ldap_auth #266

Open chandimsett opened 5 years ago

chandimsett commented 5 years ago

Hi,

I am not able to log in to the Airflow server with LDAP authentication. I manually checked the ldap_auth.py code and was able to log in with this function: ldap_auth.LdapUser.try_login(username, password). Hence my LDAP server and the users are connected properly. However, I am not able to debug the ldap_auth code in real time when it gets fired from the Airflow UI. I have checked my configuration for the LDAP server and everything looks good. Can anyone tell me why it is not logging in, or help me debug the code in real time?

Thanks

mceg commented 5 years ago

Hi,

I am seeing the same issue; it seems to be related to the Airflow version, 1.10.1. I am trying to force errors with nonsense LDAP bind values and I get 0 logs. When I revert the version to 1.9 I do get LDAP errors. Still debugging.

mceg commented 5 years ago

Appears to be related to RBAC. When RBAC is enabled, authentication falls back to password authentication. When it is off, the whole UI is different and authentication is done with LDAP.

Looking into the code, it appears that to get LDAP auth working in new versions you have to write a custom security manager that extends AirflowSecurityManager.

To use LDAP auth, revert to version 1.9 or disable RBAC on 1.10.0 or 1.10.1. From the state of the Airflow master branch it looks like 1.10.2 will only be supporting a custom security manager.

dstroyrofworlds commented 5 years ago

I have RBAC with my company's LDAP working on 1.10.0.

However, I had to create a patch to get it working.

--- old_manager.py      2018-11-28 07:06:55.588082908 +0000
+++ manager.py  2018-11-28 07:09:17.821087810 +0000
@@ -631,8 +631,8 @@
             log.debug("LDAP bind with: {0} {1}".format(username, "XXXXXX"))
             if self.auth_ldap_username_format:
                 username = self.auth_ldap_username_format % username
-            if self.auth_ldap_append_domain:
-                username = username + '@' + self.auth_ldap_append_domain
+#            if self.auth_ldap_append_domain:
+#                username = username + '@' + self.auth_ldap_append_domain
             con.bind_s(username, password)
             log.debug("LDAP bind OK: {0}".format(username))
             return True
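Review bot: the two auth_ldap_append_domain lines are commented out with a leading # rather than handled in logic, so the setting stops having any effect for anyone running this patched file. In the original lines, when both auth_ldap_username_format and auth_ldap_append_domain are set, the domain is appended to the already formatted username; if that double transformation is what breaks the bind, turning the second test into an elif keeps the option usable when no username format is configured. If the branch really has to go, delete it instead of commenting it out.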
@@ -822,7 +822,7 @@
             permissions = role.permissions
             if permissions:
                 for permission in permissions:
-                    if (view_name == permission.view_menu.name) and (permission_name == permission.permission.name):
+                    if permission.view_menu and (view_name == permission.view_menu.name) and permission.permission and (permission_name == permission.permission.name):
                         return True
         return False
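Review bot: the added truthiness checks on permission.view_menu and permission.permission make a row with a missing view or permission silently count as "no match", which hides the broken rows that made the guard necessary. Consider logging those rows (log is already used earlier in this file) so they can be cleaned up, and split the condition over several lines, since it is now too long to read at a glance.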

Patch it like so: patch /usr/local/lib/python3.5/site-packages/flask_appbuilder/security/manager.py /manager.patch

I am not sure if this will solve your problem.

I have also just tried to upgrade to 1.10.2, but that does not work even with the patch.

I am getting an error just above my patch, at manager.py:820.

sirVir commented 5 years ago

I also had problems with making LDAP work with 1.10.1.2 and 1.10.2. It turned out that I needed to configure app.config:

authenticate = False
rbac = True

You need to put the actual configuration for RBAC into webserver_config.py.
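A way to check the two files mentioned in the comment above before debugging the login itself, as an added example that is not part of the thread or of Airflow. The function names and sample inputs are constructed for illustration; AUTH_TYPE, AUTH_LDAP_SERVER and AUTH_LDAP_USE_TLS are Flask-AppBuilder settings, and the [webserver] keys are the ones quoted above.

```python
import ast
import configparser

AUTH_LDAP = 2  # numeric value of flask_appbuilder.security.manager.AUTH_LDAP

def top_level_settings(src):
    """Read NAME = value assignments from webserver_config.py without executing it."""
    out = {}
    for node in ast.parse(src).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                out[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:  # not a literal, e.g. the imported name AUTH_LDAP
                out[node.targets[0].id] = getattr(node.value, "id", None)
    return out

def check_ldap_rbac(airflow_cfg, webserver_config):
    """Return findings that explain why an LDAP login may be silently skipped."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(airflow_cfg)
    flag = lambda k: cfg.get("webserver", k, fallback="False").strip().lower() == "true"
    if not flag("rbac"):
        return ["rbac is off: webserver_config.py is not used for login"]
    fab = top_level_settings(webserver_config)
    findings = []
    if flag("authenticate"):
        findings.append("authenticate = True: the thread needed False with rbac = True")
    if fab.get("AUTH_TYPE") not in (AUTH_LDAP, "AUTH_LDAP"):
        findings.append("AUTH_TYPE is not AUTH_LDAP: login will not use LDAP")
    server = fab.get("AUTH_LDAP_SERVER") or ""
    if not server:
        findings.append("AUTH_LDAP_SERVER is not set")
    elif server.startswith("ldap://") and not fab.get("AUTH_LDAP_USE_TLS"):
        findings.append("ldap:// without AUTH_LDAP_USE_TLS: bind password is sent in cleartext")
    return findings

# Constructed sample inputs (hostnames are placeholders).
BAD_CFG = "[webserver]\nrbac = True\nauthenticate = True\n"
GOOD_CFG = "[webserver]\nrbac = True\nauthenticate = False\n"
BAD_FAB = "AUTH_TYPE = AUTH_DB\nAUTH_LDAP_SERVER = 'ldap://ldap.example.internal'\n"
GOOD_FAB = "AUTH_TYPE = AUTH_LDAP\nAUTH_LDAP_SERVER = 'ldaps://ldap.example.internal'\n"

if __name__ == "__main__":
    for finding in check_ldap_rbac(BAD_CFG, BAD_FAB):
        print("-", finding)
```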

dispensable commented 4 years ago

After 3 hours of struggle I found this link to set up LDAP + RBAC in Airflow: https://itsecureadmin.com/2019/02/apache-airflow-1-10-2-active-directory-authentication-via-ldaps/

anpjai commented 4 years ago

Hi, were you able to use this LDAP with RBAC? I tried the above steps. Can anyone tell me if the above link worked for you?

manel00 commented 1 day ago

Do you know the same solution but for 2.X? I cannot see any information.