Hi everyone,
We are dealing with a big issue using the LDAP authenticator plugin for JupyterHub: we tried a lot of combinations to figure out how we should set it up to work. I have a working ldapsearch from the same host (please note I redacted all sensitive information as requested by the customer):
(hub) [root@xxxx ~]# ldapsearch -vvvv -H "ldap://[domainserver]:389" -b "CN=Users,DC=[exampledomain],DC=[com]" "uid=[searchuser]" -W
ldap_initialize( ldap://[ldapserver]:389/??base )
Enter LDAP Password:
SASL/GSSAPI authentication started
SASL username: [searchuser]@[domainexample.com]
SASL SSF: 64
SASL data security layer installed.
filter: uid=[searchuser]
requesting: All userApplication attributes
extended LDIF
LDAPv3
base <CN=Users,DC=[businessdomain],DC=[domain]> with scope subtree
filter: uid=[searchuser]
requesting: ALL
search result
search: 5
result: 0 Success
numResponses: 1
(hub) [root@XXXX~]#
Below is my latest LDAP configuration. I made a lot of attempts since I couldn't figure out the exact configuration settings I should pass to JupyterHub:
cat jupyterhub_config.py|grep LDAP
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldap://ldapserver:389'
c.LDAPAuthenticator.use_ssl = False
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.bind_dn_template = [ "uid={username},CN=Users,DC=domain,DC=com" ]
c.LDAPAuthenticator.debug = True
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'sAMAccountName'
c.LDAPAuthenticator.escape_userdn = True
c.LDAPAuthenticator.use_lookup_dn_username = False
Below are the rest of the properties we left in the file, commented out:
#c.LDAPAuthenticator.use_lookup_dn_username = True
#c.LDAPAuthenticator.escape_userdn = False
#c.LDAPAuthenticator.bind_dn_template = '{username}'
#c.LDAPAuthenticator.lookup_dn_search_user = 'searchuser'
#c.LDAPAuthenticator.lookup_dn_search_password = 'userpassword'
#c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'CN'
#c.LDAPAuthenticator.lookup_dn_search_user = 'CN=searchuser,CN=Users,DC=exampledomain,DC=com'
#c.LDAPAuthenticator.user_search_base = 'CN=Users,DC=domain,DC=com'
#c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
#c.LDAPAuthenticator.user_attribute = 'CN'
#c.LDAPAuthenticator.server_port = 636
#c.LDAPAuthenticator.lookup_dn = True
#c.LDAPAuthenticator.allowed_groups = []
At the present time, these are all the relevant logs we're getting:
[D 2021-03-12 18:29:12.816 JupyterHub ldapauthenticator:379] Attempting to bind loginuser with uid=searchuser,CN=Users,DC=domain,DC=com
[D 2021-03-12 18:29:12.904 JupyterHub ldapauthenticator:392] Status of user bind searchuser with uid=searchuser,CN=Users,DC=domain,DC=com : False
LDAPBindError: automatic bind not successful - invalidCredentials
Depending on how we change the config, we might get this other error:
raise LDAPBindError(error)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - invalidCredentials
I tried to follow the official documentation but had no luck getting it working: could you give me some advice on what I'm doing wrong?
Thank you to everyone who has time to dedicate to me on this.
Best regards,
Matteo