LDAPAuthentication Error

I have a fresh Debian image and am trying to install TLJH. I copied my config file below. I set it with statements like sudo tljh-config set auth.LDAPAuthenticator.server_address [REDACTED]. When I try to log in with LDAP credentials, there is a 60 second timeout. I confirmed my credentials are correct with ldapsearch as well as other services. I also tried having an admin create the user first and then signing in with LDAP credentials.

Is there an easier way to debug this type of error without the 60 second timeout?

users:
  admin:
  - admin
auth:
  LDAPAuthenticator:
    server_address: [REDACTED]
    server_port: 389
    bind_dn_template: '["CN={username},OU=[REDACTED],DC=[REDACTED],DC=[REDACTED]"]'
    lookup_dn: false
    user_search_base: OU=[REDACTED],DC=[REDACTED],DC=[REDACTED]
    user_attribute: sAMAccountName
    lookup_dn_search_filter: ({login_attr}={login})
    lookup_dn_search_user: CN=[REDACTED],OU=[REDACTED],DC=[REDACTED],DC=[REDACTED]
    lookup_dn_search_password: [REDACTED]
    use_ssl: false

Could you try bind_dn_template without the []? Like bind_dn_template: "CN={username},OU=[REDACTED],DC=[REDACTED],DC=[REDACTED]"


Thanks for the suggestion! Unfortunately, it didn’t work.

Do I need to have the user created by an admin before logging in for the first time? (For example, successfully logging into Apache Airflow with LDAP will create a new user in the database). If there is no user, I get an authentication error. If the user exists, I can successfully log in but with any password I type in.

Yes, LDAPAuthenticator will not create users in the LDAP directory if they are not found. You should have the users created beforehand.

Thank you. That makes sense, but I am running into an issue where the admin creates the user but the user can log in with any password the first time, not just the LDAP password.

That sounds more like an issue with the LDAP config. The authenticator itself attempts to make a connection with the provided credentials. You can test it by using ldapsearch to make a bind for a newly created user with any password to make sure that the problem lies with the LDAP server.
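To run the check described in the reply above without waiting on the authenticator's timeout, here is an added stdlib-only Python probe (not from the thread and not part of LDAPAuthenticator or TLJH) that sends a raw LDAPv3 simple bind and reports the server's result code; the host, port, DN and passwords in the main block are placeholders to replace with your own values.

```python
"""Stdlib-only LDAPv3 simple-bind probe (RFC 4511 BindRequest/BindResponse, BER-encoded)."""
import socket

def ber_len(n: int) -> bytes:
    # BER length: short form below 128, else 0x80|k followed by k big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }
    # msg_id is kept below 128 so the single-byte INTEGER encoding is valid
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def read_tlv(buf: bytes, pos: int):
    # Returns (tag, value, position after the element)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        k = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_bind_result(reply: bytes):
    # Returns (resultCode, diagnosticMessage): 0 = success, 49 = invalidCredentials
    _, msg, _ = read_tlv(reply, 0)
    _, _, pos = read_tlv(msg, 0)                 # skip messageID
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:                              # BindResponse is [APPLICATION 1]
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = read_tlv(body, 0)
    _, _, pos = read_tlv(body, pos)              # skip matchedDN
    _, diag, _ = read_tlv(body, pos)
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe_bind(host: str, port: int, dn: str, password: str, timeout: float = 5.0):
    # Plain (non-TLS) bind, matching use_ssl: false in the config above
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, password))
        return parse_bind_result(s.recv(4096))

if __name__ == "__main__":
    # Placeholders (assumed values): substitute the server and a freshly created user's DN
    HOST, PORT = "ldap.example.invalid", 389
    DN = "CN=jdoe,OU=Users,DC=example,DC=invalid"
    for label, pw in (("correct", "the-real-password"), ("wrong", "definitely-not-it")):
        code, diag = probe_bind(HOST, PORT, DN, pw)
        print(f"{label} password -> resultCode={code} {diag!r}")
```

If the deliberately wrong, non-empty password also returns resultCode 0, the server itself is accepting it and the authenticator is not at fault; test with a non-empty wrong password, because a DN with an empty password is an unauthenticated bind (RFC 4513) that some servers answer with success as an anonymous session.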