
TLJH + ldapauthenticator against Active Directory #136

Open
jasmeralia opened this issue Aug 8, 2019 · 1 comment

@jasmeralia

I previously got some help on #130 that solved the problem I was facing at the time. However, when I went to deploy out to our internal development environment (versus the VM setup I had on my local system), I hit a snag.

My TLJH config is as so:

```yaml
auth:
  type: ldapauthenticator.LDAPAuthenticator
  LDAPAuthenticator:
    server_address: 10.50.194.10
    lookup_dn: true
    lookup_dn_search_filter: ({login_attr}={login})
    lookup_dn_search_user: CN=Service Account LDAP Auth,OU=Service Accounts,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local
    lookup_dn_search_password: REDACTED
    lookup_dn_user_dn_attribute: CN
    bind_dn_template: CN={username},OU=DAPPUsers,DC=dapp,DC=moxie,DC=local
    user_search_base: OU=DAPPUsers,DC=dapp,DC=moxie,DC=local
    user_attribute: sAMAccountName
    use_lookup_dn_username: true
    escape_userdn: false
    server_port: 389
users:
  admin:
  - nclemons
  - rmallick
  - sshah
  - tkidd
```

This fails to authenticate users like myself when I try to log in with the following error message:

```
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]: [D 2019-08-08 20:52:20.889 JupyterHub ldapauthenticator:299] TYPE= 'False'
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]: [D 2019-08-08 20:52:20.889 JupyterHub ldapauthenticator:223] Looking up user with search_base=OU=DAPPUsers,DC=dapp,DC=moxie,DC=local, search_filter='(sAMAccountName=nclemons)', attributes=sAMAccountName
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]: [D 2019-08-08 20:52:20.941 JupyterHub ldapauthenticator:278] Attempting to bind nclemons with CN=Nathan Clemons,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]: [D 2019-08-08 20:52:20.942 JupyterHub ldapauthenticator:333] Status of user bind nclemons with CN=Nathan Clemons,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local : False
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]:     LDAPBindError: automatic bind not successful - invalidCredentials
Aug 08 20:52:20 ip-10-50-194-182 python3[17747]: [W 2019-08-08 20:52:20.942 JupyterHub ldapauthenticator:379] Invalid password for user nclemons
```

This is because the full path for my user account is actually CN=Nathan Clemons,OU=MCS,OU=Users,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local instead of CN=Nathan Clemons,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local. But I can't set the template to the MCS OU because some of the non-admin users will be in another OU (ENG in this case). I verified this in my VM setup by creating an OU underneath what I was setting the base and template to, and it failed after I moved my test account into that new OU.

I am suspecting that the problem is not with my user_search_base, but instead is with my bind_dn_template, since it does appear that it's successfully finding my account since it's managed to look up my full name from the username. Is there another macro that I can use in the bind_dn_template to pass the full OU path to the retrieved user account?

@dhirschfeld
Collaborator

The bind_dn_template can be a list of templates to try - if one works the user is authenticated. So just pass a template for each of the possible variations of allowed users.
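As an added illustration of the list-of-templates approach (not ldapauthenticator's own code), the snippet below expands one template per OU named in the issue (MCS and ENG, plus the original flat one), escapes the username before substituting it into a DN (the config above sets `escape_userdn: false`, which lets a username containing `,` or `=` add DN components), and tries the candidates in order against a constructed in-memory stand-in for the AD bind; `FAKE_DIRECTORY`, `fake_bind` and the passwords are assumptions.

```python
# Added example, not ldapauthenticator's code. A constructed dict replaces the
# real LDAP simple bind so the logic runs offline.
from typing import Callable, Optional

# One template per OU mentioned in the issue, plus the original flat one.
BIND_DN_TEMPLATES = [
    "CN={username},OU=MCS,OU=Users,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local",
    "CN={username},OU=ENG,OU=Users,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local",
    "CN={username},OU=DAPPUsers,DC=dapp,DC=moxie,DC=local",
]

_SPECIAL = '\\,+"<>;='  # RFC 4514 RDN-value specials, plus '=' for safety


def escape_rdn_value(value: str) -> str:
    """Escape a string so it stays one RDN value instead of extra DN parts."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.startswith(("#", " ")):  # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):           # so must a trailing space
        out = out[:-1] + "\\ "
    return out.replace("\x00", "\\00")


def candidate_bind_dns(username: str, templates=BIND_DN_TEMPLATES, escape=True):
    """Expand every template; escape=False mirrors `escape_userdn: false`."""
    name = escape_rdn_value(username) if escape else username
    return [t.format(username=name) for t in templates]


def first_successful_bind(username: str, password: str,
                          bind: Callable[[str, str], bool],
                          templates=BIND_DN_TEMPLATES) -> Optional[str]:
    """Try each candidate DN in order; return the one that bound, else None."""
    for dn in candidate_bind_dns(username, templates):
        if bind(dn, password):
            return dn
    return None


# Constructed stand-in for the directory (DN -> password); real code would
# issue an LDAP simple bind per candidate DN instead.
FAKE_DIRECTORY = {
    "CN=Nathan Clemons,OU=MCS,OU=Users,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local": "s3cret",
    "CN=Eng User,OU=ENG,OU=Users,OU=DAPPUsers,DC=dapp,DC=moxie,DC=local": "hunter2",
}


def fake_bind(dn: str, password: str) -> bool:
    return FAKE_DIRECTORY.get(dn) == password
```

Note that trying several templates means each failed login now costs one bind attempt per template, so the hub's bind failures in the directory's audit log will multiply accordingly.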
