
LDAP query syntax to search more than one specific OU #111

Open
ponomarevsy opened this issue Oct 17, 2018 · 6 comments

@ponomarevsy

Dear Jupyterhub developers,

Is there a way to LDAP query more than one specific OU from inside the Jupyterhub config file?

Since some user accounts are under Users (~5000 people) and some are under Users-dir (~900 people) we need to find a way to fetch user information for both OUs. Is there a way to do it?

It works for either "OU=Users" or "OU=Users-dir" separately but I am not sure about both at the same time?

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldapserver'
c.LDAPAuthenticator.bind_dn_template = 'CN={username},OU=Users,...'

or

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldapserver'
c.LDAPAuthenticator.bind_dn_template = 'CN={username},OU=Users-dir,...'

Thank you so much in advance!

@ponomarevsy
Author
ponomarevsy commented Oct 17, 2018

I just found this example (https://github.com/jupyterhub/ldapauthenticator):

c.LDAPAuthenticator.bind_dn_template = [
    "uid={username},ou=people,dc=wikimedia,dc=org",
    "uid={username},ou=developers,dc=wikimedia,dc=org",
]

But it produces:

traitlets.traitlets.TraitError: The 'bind_dn_template' trait of a LDAPAuthenticator instance must be a unicode string, but a value of ['uid={username},ou=people,dc=wikimedia,dc=org', 'uid={username},ou=developers,dc=wikimedia,dc=org'] <class 'list'> was specified.

I've also tried this:

c.LDAPAuthenticator.bind_dn_template = str([
    "uid={username},ou=people,dc=wikimedia,dc=org",
    "uid={username},ou=developers,dc=wikimedia,dc=org",
])

The unicode string error disappears but LDAP authentication fails (I've changed my binding string to your example case):

[W 2018-10-17 16:30:05.772 JupyterHub ldapauthenticator:154] Invalid password for user ['uid=username,ou=people,dc=wikimedia,dc=org', 'uid=username,ou=developers,dc=wikimedia,dc=org']

I am using Jupyterhub version 0.7.2. Any ideas/suggestions (I would prefer not to upgrade Jupyterhub; it was a pain to set it up...)? Thank you!

@ponomarevsy
Author

And "jupyterhub-ldapauthenticator" version is 1.1. Do you think updating "jupyterhub-ldapauthenticator" would help? Thanks!

@minrk
Member
minrk commented Nov 23, 2018

I do! It's always a good idea to be sure you are up-to-date with both jupyterhub and the authenticator. It's also best to open issues with ldapauthenticator on the ldapauthenticator repo. I've migrated this one.

@minrk minrk transferred this issue from jupyterhub/jupyterhub Nov 23, 2018
@ponomarevsy
Author

Thanks, Min. Sorry about the wrong repo...

@ponomarevsy
Author
ponomarevsy commented Nov 26, 2018

I fixed the problem by:

  1. Upgrading ldapauthenticator to the latest version
  2. Using "CN={username}," instead of "uid={username},"

So, the correct LDAP entry looks like this (in my case):

c.LDAPAuthenticator.bind_dn_template = [
    "CN={username},ou=people,dc=wikimedia,dc=org",
    "CN={username},ou=developers,dc=wikimedia,dc=org",
]
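
An added illustration, not part of the thread and not ldapauthenticator's own code, of what a list-valued bind_dn_template amounts to: each template is expanded and tried in turn, and the first successful bind wins. It also shows why wrapping the list in str() collapses it into one malformed DN. The directory contents, the DC=example,DC=org suffix, the username allow-list and all function names are assumptions of this sketch.

```python
import re

# Constructed sample directory: DN -> password (stands in for an LDAP server).
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=org": "alice-pw",
    "CN=bob,OU=Users-dir,DC=example,DC=org": "bob-pw",
}

# Constructed templates covering the two OUs named in the question.
TEMPLATES = [
    "CN={username},OU=Users,DC=example,DC=org",
    "CN={username},OU=Users-dir,DC=example,DC=org",
]

# Conservative allow-list (an assumption of this sketch): rejects DN
# metacharacters such as , = + " \ < > ; before the name is formatted in.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def candidate_dns(templates, username):
    """Expand one template, or a list of templates, into candidate bind DNs."""
    if not SAFE_USERNAME.fullmatch(username):
        raise ValueError("username contains characters not allowed in a bind DN")
    if isinstance(templates, str):
        templates = [templates]
    return [t.format(username=username) for t in templates]


def fake_bind(dn, password):
    """Stand-in for an LDAP simple bind against DIRECTORY."""
    # An empty password must never reach a real server: a simple bind with a
    # DN and no password is an unauthenticated bind that many servers accept.
    return bool(password) and DIRECTORY.get(dn) == password


def authenticate(templates, username, password, bind=fake_bind):
    """Return the first DN that binds successfully, or None."""
    for dn in candidate_dns(templates, username):
        if bind(dn, password):
            return dn
    return None
```
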

@ponomarevsy
Author
ponomarevsy commented Nov 28, 2018

Can I use both local PAM accounts and LDAP accounts? How do I combine the two in a config file? Thank you in advance.
