JupyterHub + system SSSD authentication not working

I’m trying to set up LDAP / Active Directory integration and we have SSSD working properly on the host system (Ubuntu 22.04).

SSSD properly handles authentication controls and filtering of users who aren’t in the proper auth groups; however, when attempting to sign in as an LDAP/AD user on JupyterHub’s login page (once set by TLJH), it simply says Invalid user/password.

I’m not even seeing this being passed to PAM for authentication. Is there a config option I have to make sure is set to use the PAM/SSSD authentication in JupyterHub? Or is this known to be broken?

(No, this is not in a Docker instance, this is on a single system itself where we have root access).

NOTE: We have a temporary workaround in place by using sshauthenticator.SSHAuthenticator for the auth mechanism, as SSH passes the auth to LDAP.

I’d love to be able to use straight PAM that should be in-built to work with this though.

What user is the Hub running as? If you get a simple username invalid, it might be a permission issue where the Hub process itself doesn’t have sufficient permission to check auth for other users.

PAMAuthenticator uses the pam_authenticate call to authenticate, which has seemed reliable when it has the necessary permission. PAM sessions, on the other hand, are known to not be implemented correctly, and are off by default as a result. Correct handling of PAM sessions is important to some PAM integrations, so that might be relevant, but I’m guessing from your description you aren’t getting that far.

Yeah, it might be permissions. JupyterHub runs as a more or less unprivileged user right now. I’ll poke at it going forward, but we have a workaround (using localhost SSH authentication, which leverages PAM/SSSD anyways) that meets our needs currently.
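
A way to test the permission theory from the reply above, as an added example that is not part of the original posts or JupyterHub's own code: the script makes one `pam_authenticate` call through `pamela` (the Python PAM binding PAMAuthenticator relies on) and reports which account made the call. The function names and the assumption that `pamela` is importable in the Hub's Python environment are mine; `login` is PAMAuthenticator's default PAM service name.

```python
#!/usr/bin/env python3
"""Make the PAM call the Hub would make and report who made it."""
import getpass
import os
import pwd
import sys


def check_pam(username, password, service="login", authenticate=None):
    """Try one PAM authentication and describe the attempt.

    `authenticate` is injectable so the logic can be tested offline;
    by default it is pamela.authenticate, which wraps pam_authenticate.
    """
    if authenticate is None:
        import pamela  # assumption: installed in the Hub's Python environment
        authenticate = pamela.authenticate
    uid = os.geteuid()
    try:
        run_as = pwd.getpwuid(uid).pw_name
    except KeyError:
        run_as = str(uid)
    result = {"run_as": run_as, "is_root": uid == 0,
              "service": service, "ok": False, "error": None}
    try:
        authenticate(username, password, service=service)
        result["ok"] = True
    except Exception as exc:  # pamela raises PAMError carrying the PAM message
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} USERNAME [PAM_SERVICE]", file=sys.stderr)
        return 2
    service = argv[2] if len(argv) > 2 else "login"
    password = getpass.getpass(f"Password for {argv[1]}: ")
    res = check_pam(argv[1], password, service)
    outcome = "authenticated" if res["ok"] else "FAILED - " + res["error"]
    print(f"process user : {res['run_as']} (root={res['is_root']})")
    print(f"PAM service  : {res['service']}")
    print(f"result       : {outcome}")
    return 0 if res["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once as root and once as the account the Hub runs under, with the same LDAP/AD username. Success as root and failure as the Hub account points at the permission issue raised in the reply rather than at SSSD itself.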