LDAP Authentication allowed groups

Hi everybody,

Currently, I am configuring LDAP authentication on my z2jh deployment and adding filtering by security group when a user logs in.

This is my configuration YAML:

hub:
  config:
    Authenticator:
      enable_auth_state: true
      environment:
        USERNAME: "{username}"
    LDAPAuthenticator:
      server_address: my_server_ldap
      server_port: 389
      lookup_dn: true
      auth_state_attributes: ["uid", "cn", "mail", "ou", "o"]
      lookup_dn_search_user: EXAMPLE
      lookup_dn_search_password: *****
      user_search_base: OU=TestOrg,OU=Usuarios,DC=EXAMPLE,DC=LAB
      group_search_base: OU=TestOrg,OU=Grupos,DC=EXAMPLE,DC=LAB
      allowed_groups:
        - CN=MY_SEC_GROUP,OU=TestOrg,OU=Grupos,DC=EXAMPLE,DC=LAB
      user_attribute: sAMAccountName
      lookup_dn_user_dn_attribute: cn
      use_lookup_dn_username: false
      escape_userdn: false
      create_user_home_dir: True
      create_user_home_dir_cmd: mkhomedir_helper

And this is the LDAP log output when my security group filter is active:

[D 2024-05-07 14:06:09.248 JupyterHub <string>:11] Running authenticate hook for user:myuser
[D 2024-05-07 14:06:09.811 JupyterHub ldapauthenticator:256] Looking up user with:
        search_base = 'OU=TestOrg,OU=Usuarios,DC=EXAMPLE,DC=LAB'
        search_filter = '(sAMAccountName=myuser)'
        attributes = 'sAMAccountName'
[D 2024-05-07 14:06:09.812 JupyterHub ldapauthenticator:379] Attempting to bind Pedro Pedro Perez with CN=Pedro Pedro Perez,OU=Administrativos,OU=TestOrg,OU=Usuarios,DC=EXAMPLE,DC=LAB
[D 2024-05-07 14:06:09.977 JupyterHub ldapauthenticator:392] Status of user bind Pedro Pedro Perez with CN=Pedro Pedro Perez,OU=Administrativos,OU=TestOrg,OU=Usuarios,DC=EXAMPLE,DC=LAB : True
[D 2024-05-07 14:06:09.977 JupyterHub ldapauthenticator:431] username:Pedro Pedro Perez Using dn CN=Pedro Pedro Perez,OU=Administrativos,OU=TestOrg,OU=Usuarios,DC=EXAMPLE,DC=LAB
[W 2024-05-07 14:06:09.979 JupyterHub ldapauthenticator:454] username:Pedro Pedro Perez User not in any of the allowed groups
[D 2024-05-07 14:06:09.979 JupyterHub <string>:13] Login result: None
[D 2024-05-07 14:06:09.979 JupyterHub <string>:15] Create kinit_code for user:myuser
[D 2024-05-07 14:06:09.979 JupyterHub <string>:21] Authentication result: None
[W 2024-05-07 14:06:09.979 JupyterHub base:843] Failed login for myuser

What configuration do I need so that my authenticating user can log in if he/she belongs to the Active Directory security group? Is the current configuration sufficient so that when the user's credentials are queried, the groups associated with the user can also be queried?

Hi all, after several attempts and tests with my team, we found a filter that allows me to perform authentication by LDAPAuthenticator against my Azure AD as long as the user belongs to the security group MY_SEC_GROUP and the configuration is as follows:

hub:
  config:
    Authenticator:
      enable_auth_state: true
      environment:
        USERNAME: "{username}"
    LDAPAuthenticator:
      server_address: my_server_ldap
      server_port: 389
      lookup_dn: true
      lookup_dn_search_filter: (&(sAMAccountName={login})(memberOf=CN=MY_SEC_GROUP,OU=Group1,OU=TestOrg,OU=Grupos,DC=EXAMPLE,DC=LAB))
      auth_state_attributes: ["uid", "cn", "mail", "ou", "o"]
      lookup_dn_search_user: EXAMPLE
      lookup_dn_search_password: *****
      user_search_base: OU=TestOrg,OU=Usuarios,DC=EXAMPLE,DC=LAB
      user_attribute: sAMAccountName
      lookup_dn_user_dn_attribute: cn
      use_lookup_dn_username: false
      escape_userdn: false
      create_user_home_dir: True
      create_user_home_dir_cmd: mkhomedir_helper

I hope this configuration can be useful for someone who needs it.

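As an added example (not ldapauthenticator's own code, and not part of the posts above), the following builds the `lookup_dn_search_filter` from the working configuration with RFC 4515 escaping of the `{login}` value, and evaluates the same "account name AND memberOf group" condition locally against constructed directory entries; the group DN and filter shape are taken from the post, everything else is assumed.

```python
# Added example, not ldapauthenticator's code; group DN and filter shape come from the post.
GROUP_DN = "CN=MY_SEC_GROUP,OU=Group1,OU=TestOrg,OU=Grupos,DC=EXAMPLE,DC=LAB"
FILTER_TEMPLATE = "(&(sAMAccountName={login})(memberOf={group}))"

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value,
# otherwise a login such as "*" would act as a wildcard and match any account.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(login: str) -> str:
    """Return the search filter for `login`, escaping it before substitution."""
    return FILTER_TEMPLATE.format(login=escape_filter_value(login), group=GROUP_DN)


def _norm_dn(dn: str) -> str:
    """AD compares DNs case-insensitively and ignores whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def entry_matches(entry: dict, login: str) -> bool:
    """Local equivalent of the filter: sAMAccountName matches AND the group is in memberOf."""
    if entry.get("sAMAccountName", "").lower() != login.lower():
        return False
    groups = {_norm_dn(g) for g in entry.get("memberOf", [])}
    return _norm_dn(GROUP_DN) in groups


# Constructed sample entries standing in for what the directory would return.
MEMBER_ENTRY = {
    "sAMAccountName": "myuser",
    "memberOf": ["cn=my_sec_group,ou=Group1,ou=TestOrg,ou=Grupos,dc=EXAMPLE,dc=LAB"],
}
NON_MEMBER_ENTRY = {
    "sAMAccountName": "myuser",
    "memberOf": ["CN=OTHER_GROUP,OU=Group1,OU=TestOrg,OU=Grupos,DC=EXAMPLE,DC=LAB"],
}

if __name__ == "__main__":
    print(build_lookup_filter("myuser"))
    print(entry_matches(MEMBER_ENTRY, "myuser"), entry_matches(NON_MEMBER_ENTRY, "myuser"))
```

The login is escaped before substitution, so a value like `my*user` is looked up literally rather than as a wildcard, and a user is accepted only when the group DN appears in their memberOf attribute.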