We have multi-factor authentication configured with our LDAP provider. This ldapauthentcator plugin works perfectly out of the box for me except for the fact that it results in two separate MFA push notifications to the user for every login.

Specifically, I found that ldapauthenticator.py->authenticate(), call get_connection() which in turn calls ldap3.Connection() with auto_bind set. So, bind() is called which triggers an MFA push to the user.

Then, right after that in authenticate(), conn.bind() is called again which triggers another DUO push.

Just as a test, I modified the logic that sets auto_bind to:

auto_bind=ldap3.AUTO_BIND_NONE

And it worked with only a single MFA push.

I'd like to avoid the double-push, but I'm not really sure of the implications of changing the auto_bind logic for other users of this library. I may submit a PR at some point.

My environment:

• I'm using the-littlest-jupyterhub (version noted below).
• FoxPass is our LDAP provider.
• DUO is our MFA provider tied to FoxPass.

Versions:

(hub) .../opt/tljh/hub/bin$ pip freeze | grep -i jupyter
jupyterhub==1.0.0
jupyterhub-dummyauthenticator==0.3.1
jupyterhub-firstuseauthenticator==0.12
jupyterhub-ldapauthenticator==1.2.2
jupyterhub-nativeauthenticator==0.0.4
jupyterhub-systemdspawner==0.13
jupyterhub-tmpauthenticator==0.6
jupyterhub-traefik-proxy==0.1.3
the-littlest-jupyterhub==0.1

the-littlest-jupyterhub configuration file with redactions:

https:
  enabled: true
  tls:
    key: /etc/ssl/private/some_private_key.key
    cert: /etc/ssl/certs/some_cert.crt

auth:
  type: ldapauthenticator.LDAPAuthenticator
  LDAPAuthenticator:
    server_address: ldaps://ldap.foxpass.com
    use_ssl: true
    bind_dn_template: ['uid={username},ou=people,dc=some_dc,dc=com']
    admin_users: ['some.user', 'some.other.user']