Centralized authentication with an IPA server

Hi! I’ve just configured a 4x Nvidia A6000 Oracle Linux server 9. Initially, the access was meant to be done by SSH only. So, I connected the server to an IPA authentication server that I already had. Now, at least for some users, there is a need to use JupyterHub, which I also configured, but I would like the users to authenticate to the IPA server instead of creating local accounts. Is this possible? Thanks!

I don't have a lot of experience with IPA, but a quick search for JupyterHub authenticators based on IPA returned nothing. I guess you will have to write your own authenticator to authenticate against the IPA server.

> to authenticate to the IPA server instead of creating local accounts

Not sure what you mean by this. If your users will have SSH access, I guess you will need to create local accounts for them?


Thanks for the reply. Yes, IPA is not mentioned in the JupyterHub authenticators. I was hoping someone could point me to a solution.
Right now, users have SSH access, but even when I create access for them using the admin web page, they cannot log in to JupyterHub (as expected, I think).
I’ve found:


OK, so I’m able to authenticate to the IPA server using an LDAP authenticator.

c.JupyterHub.authenticator_class = 'ldap'
c.LDAPAuthenticator.server_address = 'my.server'
c.LDAPAuthenticator.lookup_dn = False
c.LDAPAuthenticator.bind_dn_template = [
    "uid={username},cn=users,cn=accounts,dc=myipa,dc=server"
]
c.LDAPAuthenticator.allowed_groups = [
    "cn=mygroup,cn=groups,cn=accounts,dc=myipa,dc=server"
]

This last part is still not working. A user not belonging to “mygroup” is still able to access. I’ll work on this.

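The access decision that `allowed_groups` is meant to express for the DN layout in the config above, as an added example that is not part of the original post and is not ldapauthenticator's code. The directory contents and the helper names (`escape_rdn_value`, `normalize_dn`, `is_allowed`) are assumptions for illustration; a real check would read the group entry over LDAP instead of from a dict.

```python
import re

# DN layout copied from the config in the post; the directory data is constructed.
BIND_DN_TEMPLATE = "uid={username},cn=users,cn=accounts,dc=myipa,dc=server"
ALLOWED_GROUPS = ["cn=mygroup,cn=groups,cn=accounts,dc=myipa,dc=server"]

# Constructed stand-in for a base-scope LDAP read of each allowed group entry.
# FreeIPA lists group members on the group entry as full user DNs in `member`.
SAMPLE_DIRECTORY = {
    "cn=mygroup,cn=groups,cn=accounts,dc=myipa,dc=server": {
        "member": ["UID=alice, CN=users, CN=accounts, DC=myipa, DC=server"],
    },
}


def escape_rdn_value(value):
    """Escape a string for use as one RDN value (RFC 4514 special characters)."""
    lead = "\\" if value[:1] in ("#", " ") else ""
    trail = ""
    if len(value) > 1 and value.endswith(" "):
        value, trail = value[:-1], "\\ "
    body = re.sub(r'([\\,+"<>;=])', r"\\\1", value).replace("\x00", "\\00")
    return lead + body + trail


def normalize_dn(dn):
    """Trim and case-fold each RDN so equivalent DNs compare equal (simplified)."""
    rdns = re.split(r"(?<!\\),", dn)  # split on commas that are not escaped
    return ",".join(
        "=".join(part.strip() for part in rdn.split("=", 1)).lower() for rdn in rdns
    )


def is_allowed(username, directory=SAMPLE_DIRECTORY):
    """True only if the user's DN is a listed member of an allowed group."""
    if not username:
        return False
    user_dn = normalize_dn(
        BIND_DN_TEMPLATE.format(username=escape_rdn_value(username))
    )
    for group_dn in ALLOWED_GROUPS:
        entry = directory.get(group_dn)
        if entry is None:
            continue  # a missing or unreadable group grants nothing
        if user_dn in {normalize_dn(m) for m in entry.get("member", [])}:
            return True
    return False
```

Running the same comparison against the real group entry shows whether a user who gets in is actually listed in `member`, or whether the group restriction is not being evaluated at all.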

OK, so I found a custom_authenticator.py file. Not much to do there. I struggled a bit to import it, so I’ve moved it to /opt/jupyterhub/lib/python3.9/site-packages.
To the previous config I added:
from custom_authenticator import CustomAuthenticator (the name of the class defined in the file)
replaced c.JupyterHub.authenticator_class = 'ldap' with
c.JupyterHub.authenticator_class = 'CustomAuthenticator'
and at the end
c.PAMAuthenticator.service = 'login'

As for filtering the login group, for now I’m not concerned. Since users have to be previously created from the web page, access can be granted that way.
But if someone has a clue, it will be appreciated.

Hello,

In one setup, I have an IPA server and the jupyterserver is connected to it via LDAP. I left the default authenticator setting, which is PAM.

Using sudospawner, the access group is managed by the group that is linked to the sudospawner sudo right.