TLJH upgrade breaks ldapauthenticator

I tried to upgrade my TLJH instance today, per Upgrade TLJH — The Littlest JupyterHub documentation. No errors or warnings appeared when running the upgrade program, but now the jupyterhub service fails to start, reporting this problem:

ValueError: LDAPAuthenticator requires either lookup_dn or bind_dn_template to be configured

My (slightly redacted) /opt/tljh/config/config.yaml file looks like this:

users:
  admin:
  - jhadmin
https:
  enabled: true
  tls:
    key: /usr/local/etc/ssl/private/wildcard_example.edu.key
    cert: /usr/local/etc/ssl/certs/STAR_example_edu.crt
auth:
  type: ldapauthenticator.LDAPAuthenticator
  LDAPAuthenticator:
    server_address: ldap.example.edu
    bind_dn_template: ['uid={username},ou=Staff,ou=People,dc=example,dc=edu', 'uid={username},ou=Students,ou=People,dc=example,dc=edu']
    allowed_groups: ['cn=jupyter,ou=Groups,dc=example,dc=edu', 'cn=math,ou=Groups,dc=example,dc=edu',
      'cn=sysadmin,ou=Groups,dc=example,dc=edu']
    use_ssl: true
limits:
  memory: 400G

tljh-config show does not report any validation error.

What should I do?

I did create a jupyterhub_config.py file in /opt/tljh/config/jupyterhub_config.d with this:

c.JupyterHub.authenticator_class = 'ldap'

but it made no difference.

I’ve read over ldapauthenticator/CHANGELOG.md at dde10a80ed35d64d7d41895e2d0d54c616fcf00a · jupyterhub/ldapauthenticator · GitHub and can’t work out what I might need to change. I know the use_ssl parameter is deprecated, but setting tls_strategy instead makes no difference in the fatal error above.

It sounds like the LDAP configuration isn’t being picked up for some unknown reason. Can you turn on debug logging and show us your full hub logs?

I added the following to my config.yaml, but I don’t then see any additional log output or log files. Am I doing it wrong?

debug:
  enabled: true

I’ve tried running both under systemctl as a service (as installed) and from the command line. When running as a service I watched journalctl output.

When I run under strace I can see /opt/tljh/config/config.yaml being opened. If I introduce a typo in the config.yaml content I see a corresponding warning in the python output. So I’m sure it’s reading the file.

This is actually a bug introduced in this commit. The LDAP authenticator is ignoring bind_dn_template when it is a list.

I wrote a quick PR to fix it. @manics Could you take a look at it please?

Cheers!


2.0.1 has been released!


That’s great! Thanks for the prompt action. Will I get that new version of ldapauthenticator if I do the upgrade from scratch again? Or is there some other procedure for getting that version with the fix?

Redoing the upgrade works, or you can update the version of ldapauthenticator within the hub python environment and restart jupyterhub.

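A preflight check for the situation in this thread, as an added example that is not part of any post and is not ldapauthenticator or TLJH code: it inspects the `auth` mapping of a TLJH `config.yaml` and reports the conditions discussed above (no `lookup_dn` or `bind_dn_template`, a list-valued `bind_dn_template` on a version older than the 2.0.1 fix release, and the deprecated `use_ssl`). The function names, the sample mapping, and the choice to flag every version below 2.0.1 are assumptions of this example; `jupyterhub-ldapauthenticator` is the package's PyPI distribution name.

```python
import re
from importlib import metadata

PACKAGE = "jupyterhub-ldapauthenticator"  # PyPI distribution name
FIXED = (2, 0, 1)  # release the thread names as carrying the fix

def parse_version(text):
    """'2.0.1' -> (2, 0, 1); only the leading digits of each field count."""
    fields = (text.split(".") + ["0", "0"])[:3]
    return tuple(int(re.match(r"\d*", f).group() or 0) for f in fields)

def installed_version():
    """Version of ldapauthenticator in the running interpreter, or None."""
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None

def check_ldap_auth(auth, version):
    """Return a list of findings for the `auth` mapping of config.yaml."""
    ldap = auth.get("LDAPAuthenticator") or {}
    raw = ldap.get("bind_dn_template")
    templates = [raw] if isinstance(raw, str) else list(raw or [])
    findings = []
    if not templates and not ldap.get("lookup_dn"):
        findings.append("neither lookup_dn nor bind_dn_template is set")
    findings += [f"no {{username}} placeholder in {t!r}"
                 for t in templates if "{username}" not in t]
    # Assumption: any version below 2.0.1 is flagged, because the thread
    # does not say which release introduced the list-handling bug.
    if isinstance(raw, list) and version and parse_version(version) < FIXED:
        findings.append(f"bind_dn_template is a list and {version} < 2.0.1")
    if "use_ssl" in ldap:
        findings.append("use_ssl is deprecated; set tls_strategy instead")
    return findings

# Constructed sample mirroring the config posted in the thread.
SAMPLE_AUTH = {"LDAPAuthenticator": {
    "bind_dn_template": [
        "uid={username},ou=Staff,ou=People,dc=example,dc=edu",
        "uid={username},ou=Students,ou=People,dc=example,dc=edu",
    ],
    "use_ssl": True,
}}

if __name__ == "__main__":
    for finding in check_ldap_auth(SAMPLE_AUTH, installed_version()):
        print("FINDING:", finding)
```

Run it with the hub environment's Python interpreter so that `installed_version()` sees the same ldapauthenticator package the hub loads.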