Starting single-user notebook with our custom ldap docker image

maverick · April 26, 2019, 7:39am

Hi,

We are having some problems because our user homes are in a NFS storage and, for them to write there their work, we need to “impersonate” them. On regular machines we are using LDAP (with TLS, PAM and SSSD) to authenticate the users, and so is jupyter-hub.

We are using Kubernetes -> z2jh and a Docker image based on the notebook single-user image with all the necessary files and packages to connect to LDAP.

The idea we originally had was using the variable ‘{username}’ and modify the “start.sh” script, so once we had the real $NB_USER we could set up $NB_UID, $NB_GID and so on. We created a docker container where we could copy the necessary files (I know it would be better to binding them on the host) and we did, but we have to keep running SSSD in the background for the container to be able to connect to LDAP.

[jovyan@jupyter-rcruz ~]$ id rcruz
uid=63200(rcruz) gid=50030(x) groups=50030(x),1405(x),1403(x)

Before having to add supervisord or something similar to run SSSD as a background process, we would like to know if there is a better/easier way to impersonate the user that logged into jupyter hub. For instance, using token id login from hub or something else?

We don’t discard adding to /etc/passwd the user with its username, UID and GID, but we don’t know if we can get that from the login in jupyterhub.

Thanks in advance!

manics · April 26, 2019, 7:50am

Is the only requirement to write to NFS as the logged in LDAP user? Would it be sufficient to run Jupyter as that UID?

maverick · April 26, 2019, 7:54am

Yes, every single user should be able to write on that NFS with its own UID.

manics · April 26, 2019, 9:57am

I’ve done this before. It requires this change to the LDAPAuthenticator.

You can then configure JupyterHub to extract the required LDAP attributes (username, UID), and pass them to the singleuser server by setting appropriate environment variables. If you start the singleuser server as root it will switch to that UID, which means it should be able to write to NFS as that user. I’ve written up some brief instructions:

gist.github.com

https://gist.github.com/manics/c4bcf53a210d444db9e64db7673e8580

README.md

# JupyterHub LDAP user id example

This is an example of configuring the [JupyterHub helm chart](https://github.com/jupyterhub/zero-to-jupyterhub-k8s) to run singleuser servers as an LDAP user.

It requires a modified LdapAuthenticator with this PR: https://github.com/jupyterhub/ldapauthenticator/pull/103.
Either build a custom JupyterHub Docker image with these changes, or define a new class in-line in the Hub configuration as done here.

In addition to the standard LDAPAuthenticator configuration you must set `user_info_attributes` to the properties you want to use which will depend on your LDAP server.
- `{LDAPAuthenticatorInfo or LDAPAuthenticator}.user_info_attributes = ['uid', 'uidNumber']`: in this example `uid` is the username and `uidNumber` is the UID.
- `auth.state` must be configured so the LDAP user properties can be passed to the singleuser server.

This file has been truncated. show original

zero-to-jupyterhub-config.yml

hub:
  cookieSecret: SECRET
  db:
    type: sqlite-memory
  extraConfig: |

    # In-line version of
    # https://github.com/jupyterhub/ldapauthenticator/pull/103

    import re

This file has been truncated. show original

maverick · April 26, 2019, 6:47pm

Wow!. This is exactly what we want.

I’ve problems in order to get group id, but I don’t worry about it right now.

Thanks a lot !!

pazzumpazzutu · July 30, 2019, 2:36pm

Hello @manics,

thanks very much for the changes you made to LDAP Authenticator. They are exactly what I need in my setup to let users access their home folder mounted via NFS.
I am having no luck with setting this up, so maybe you could have some hints.

I am running Jupyterhub 0.9.6 and deploying it with zero-to-jupyterhub-k8s.
Instead of embedding the change in the config file I am installing your fork of LDAP authenticator in the hub container environment. All good until this step.

In my jupyterhub config I embed the following to make sure the uid is propagated to the singleuser container:

class MyLDAPAuthenticator(LDAPAuthenticator):
    @gen.coroutine
    def pre_spawn_start(self, user, spawner):
        auth_state = yield user.get_auth_state()
        self.log.error('pre_spawn_start auth_state:%s' % auth_state)
        if not auth_state:
            return
        # setup environment
        spawner.environment['NB_UID'] = str(
            auth_state['uidNumber'][0])
        spawner.environment['NB_USER'] = auth_state['uid'][0]

and this to select the authentication method:

c.JupyterHub.authenticator_class = 'MyLDAPAuthenticator'
c.LDAPAuthenticator.server_address = get_config('auth.ldap.server.address')
c.LDAPAuthenticator.user_info_attributes = ['uid', 'uidNumber']
set_config_if_not_none(c.LDAPAuthenticator, 'server_port', 'auth.ldap.server.port')
set_config_if_not_none(c.LDAPAuthenticator, 'use_ssl', 'auth.ldap.server.ssl')
set_config_if_not_none(c.LDAPAuthenticator, 'allowed_groups', 'auth.ldap.allowed-groups')
c.LDAPAuthenticator.bind_dn_template = get_config('auth.ldap.dn.templates')
set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn', 'auth.ldap.dn.lookup')
set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_search_filter', 'auth.ldap.dn.search.filter')
set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_search_user', 'auth.ldap.dn.search.user')
set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_search_password', 'auth.ldap.dn.search.password')
set_config_if_not_none(c.LDAPAuthenticator, 'lookup_dn_user_dn_attribute', 'auth.ldap.dn.user.dn-attribute')
set_config_if_not_none(c.LDAPAuthenticator, 'escape_userdn', 'auth.ldap.dn.user.escape')
set_config_if_not_none(c.LDAPAuthenticator, 'valid_username_regex', 'auth.ldap.dn.user.valid-regex')
set_config_if_not_none(c.LDAPAuthenticator, 'user_search_base', 'auth.ldap.dn.user.search-base')
set_config_if_not_none(c.LDAPAuthenticator, 'user_attribute', 'auth.ldap.dn.user.attribute')

However at hub startup I get the following error:

[C 2019-07-30 14:17:00.347 JupyterHub application:90] Bad config encountered during initialization:
[C 2019-07-30 14:17:00.347 JupyterHub application:91] The 'authenticator_class' trait of <jupyterhub.app.JupyterHub object at 0x3fffb082af98> instance must be a type, but 'MyLDAPAuthenticator' could not be imported

Any Idea why this is happening? I really can’t see why the MyLDAPAuthenticator cannot be found at hub instantiation time.

Any help or suggestion is highly appreciated.

Thanks in Advance,

Christian

manics · July 30, 2019, 5:06pm

Try removing the quotes:

c.JupyterHub.authenticator_class = MyLDAPAuthenticator

pazzumpazzutu · July 31, 2019, 12:14pm

Hi @manics,

I solved by embedding the pre_spawn_start directly in the main LDAPAuthenticator class.
It works perfectly now.

Thanks

Atul_Yadav · June 16, 2020, 8:26am

Hi,

Please share the dockerfile and config.yaml to replicate the same environment.
We are also having the same requirement.

Thank You
Atul

gdelris · March 22, 2023, 4:09pm

Hi @manics
I have this same problem and I don’t know how to solve it, I’m new to this type of implementation.
Why when I log in authenticating against ldap, the user is not created? On the other hand, why is “jovyan” set and not the ldap user id, and why does it look like this?

Thank you for helping me, I need it to be as follows:
gdelris@jupyter-gdelris

This is mi config.yaml, It works for authentication:
hub:
config:
Authenticator:
enable_auth_state: true
JupyterHub:
authenticator_class: ldapauthenticator.LDAPAuthenticator
LDAPAuthenticator:
server_address: 10.72.134.241
server_port: 389
lookup_dn: true
auth_state_attributes: [uidNumber,gidNumber,uid]
lookup_dn_search_user:
lookup_dn_search_password:
user_search_base: ou=Usuarios,dc=ambientesbc,dc=lab
user_attribute: sAMAccountName
lookup_dn_user_dn_attribute: cn
escape_userdn: false
create_user_home_dir: True
create_user_home_dir_cmd: mkhomedir_helper

scheduling:
userScheduler:
enabled: false

singleuser:
defaultUrl: “/lab”

THANKS A LOTTTTTTTTTTT

Topic		Replies	Views
KubeSpawner and LDAPauthentication run under users LDAP UID Zero to JupyterHub on Kubernetes help-wanted	8	3417	May 31, 2023
LDAPAuthenticator - keep same UID and GID numbers in the user docker container JupyterHub jupyterhub , how-to , help-wanted , notebook	1	1454	April 24, 2022
JupyterHub SwarmSpawner with NFS persisent storage - is this expected to work? JupyterHub how-to , help-wanted	1	1140	June 25, 2021
Starting userldap id instead "jovyan" Zero to JupyterHub on Kubernetes jupyterhub , how-to , help-wanted	3	1113	April 6, 2023
Pod Security Context Zero to JupyterHub on Kubernetes	3	1938	August 23, 2019

Starting single-user notebook with our custom ldap docker image

Related topics