Unable to use LDAP authentication Plugin

Hi everyone,

We are dealing with a big issue in using the LDAP plugin authenticator for JupyterHub: we tried a lot of combinations to figure out how we should set it up to work. I have a working ldapsearch from the same host (please note I redacted all sensitive information as requested by the customer):

(hub) [root@xxxx ~]# ldapsearch -vvvv -H "ldap://[domainserver]:389" -b "CN=Users,DC=[exampledomain],DC=[com]" "uid=[searchuser]" -W
ldap_initialize( ldap://[ldapserver]:389/??base )
Enter LDAP Password:
SASL/GSSAPI authentication started
SASL username: [searchuser]@[domainexample.com]
SASL SSF: 64
SASL data security layer installed.
filter: uid=[searchuser]
requesting: All userApplication attributes

# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=[businessdomain],DC=[domain]> with scope subtree
# filter: uid=[searchuser]
# requesting: ALL
#

# search result
search: 5
result: 0 Success

# numResponses: 1
(hub) [root@XXXX~]#

Below is my latest LDAP configuration. I made a lot of attempts since I couldn't figure out the exact configuration settings I should pass to JupyterHub:

cat jupyterhub_config.py|grep LDAP

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldap://ldapserver:389'
c.LDAPAuthenticator.use_ssl = False
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.bind_dn_template = [ "uid={username},CN=Users,DC=domain,DC=com" ]
c.LDAPAuthenticator.debug = True
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'sAMAccountName'
c.LDAPAuthenticator.escape_userdn = True
c.LDAPAuthenticator.use_lookup_dn_username = False

Below are the rest of the properties we left in the file, commented out:
#c.LDAPAuthenticator.use_lookup_dn_username = True
#c.LDAPAuthenticator.escape_userdn = False
#c.LDAPAuthenticator.bind_dn_template = '{username}'
#c.LDAPAuthenticator.lookup_dn_search_user = 'searchuser'
#c.LDAPAuthenticator.lookup_dn_search_password = 'userpassword'
#c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'CN'
#c.LDAPAuthenticator.lookup_dn_search_user = 'CN=searchuser,CN=Users,DC=exampledomain,DC=com'
#c.LDAPAuthenticator.user_search_base = 'CN=Users,DC=domain,DC=com'
#c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
#c.LDAPAuthenticator.user_attribute = 'CN'
#c.LDAPAuthenticator.server_port = 636
#c.LDAPAuthenticator.lookup_dn = True
#c.LDAPAuthenticator.allowed_groups = []

At present, these are all the relevant logs we're getting:
[D 2021-03-12 18:29:12.816 JupyterHub ldapauthenticator:379] Attempting to bind loginuser with uid=searchuser,CN=Users,DC=domain,DC=com
[D 2021-03-12 18:29:12.904 JupyterHub ldapauthenticator:392] Status of user bind searchuser with uid=searchuser,CN=Users,DC=domain,DC=com : False
LDAPBindError: automatic bind not successful - invalidCredentials

Depending on how we change the config, we might get this other error:
raise LDAPBindError(error)
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - invalidCredentials

I tried to follow the official documentation but had no luck getting it working: could you give me some advice on what I'm doing wrong?

Thank you to everyone who can dedicate time to this.
Best regards,
Matteo
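
A check of what the ldapsearch transcript in the post above does and does not confirm, as an added example that is not part of the original post or of the ldapauthenticator project. It reads the bind mechanism and the entry count from ldapsearch output and expands bind_dn_template into the DN that the hub's debug log shows it binding with; the function names and the trimmed sample transcript are constructed here.

```python
import re

# Constructed sample: the ldapsearch transcript from the post, trimmed to the relevant lines.
SAMPLE = """\
SASL/GSSAPI authentication started
SASL username: [searchuser]@[domainexample.com]
filter: uid=[searchuser]
# search result
search: 5
result: 0 Success
# numResponses: 1
"""

def summarize_ldapsearch(text):
    """Return (bind mechanism, number of entries returned) from ldapsearch output."""
    m = re.search(r"^SASL/(\S+) authentication started", text, re.M)
    # Assumption: no SASL banner means ldapsearch did a simple bind (the -x option).
    mechanism = f"SASL/{m.group(1)}" if m else "simple"
    # ldapsearch prints "numEntries" only when at least one entry matched;
    # "numResponses: 1" on its own is just the final search-result message.
    e = re.search(r"^#?\s*numEntries:\s*(\d+)", text, re.M)
    return mechanism, int(e.group(1)) if e else 0

def render_bind_dns(templates, username):
    """Expand bind_dn_template (a string or a list) into candidate bind DNs."""
    if isinstance(templates, str):
        templates = [templates]
    return [t.format(username=username) for t in templates]

def diagnose(text, templates, username):
    """List what the transcript shows next to the DNs the config would bind with."""
    mechanism, entries = summarize_ldapsearch(text)
    findings = []
    if mechanism != "simple":
        findings.append(f"ldapsearch bound with {mechanism}, not a DN and password")
    if entries == 0:
        findings.append("the search filter matched no entries")
    findings += [f"config binds as: {dn}" for dn in render_bind_dns(templates, username)]
    return findings

if __name__ == "__main__":
    template = ["uid={username},CN=Users,DC=domain,DC=com"]
    for line in diagnose(SAMPLE, template, "searchuser"):
        print(line)
```

For the transcript in the post this reports a SASL/GSSAPI bind and zero matching entries, so the successful ldapsearch run does not show that the templated DN exists or that it is accepted together with the password.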

I’m facing the same issue.
Using the same parameters, I was able to integrate users to GitLab.

When I use lookup_dn = False I get: Invalid password for user

c.LDAPAuthenticator.lookup_dn = False
c.LDAPAuthenticator.server_address = 'ldap://172.16.1.20'
c.LDAPAuthenticator.server_port = 389
c.LDAPAuthenticator.bind_dn_template = 'cn={username},ou=Users,dc=some,dc=where'

When I use lookup_dn = True I get: ldap3.core.exceptions.LDAPBindError: automatic bind not successful - invalidCredentials

c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.server_address = 'ldap://ldaphost'
c.LDAPAuthenticator.server_port = 389
c.LDAPAuthenticator.bind_dn_template = 'cn={username},dc=some,dc=where'
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.lookup_dn_search_user = 'ldapuser'
c.LDAPAuthenticator.lookup_dn_search_password = 'ldappwd'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'sAMAccountName'
c.LDAPAuthenticator.user_search_base = 'dc=some,dc=where'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.use_ssl = False
c.LDAPAuthenticator.allowed_groups = []

Am I missing something?