Allow configuring SSL #49

Open
maziyarpanahi opened this issue Aug 31, 2017 · 2 comments · May be fixed by #87

Comments

@maziyarpanahi

Hi,

My OpenLDAP is only accessible through SSL (636). On Linux machines I simply add the following to "/etc/ldap/ldap.conf":

TLS_CACERT /etc/ldap/ca_certs.pem

This lets me communicate with my LDAP server over SSL and lets users SSH to the machine easily.

Now the problem is in ldapauthenticator. I have these configs:

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldaps://myLdapServer'
c.LDAPAuthenticator.user_attribute = 'uid'
c.LDAPAuthenticator.bind_dn_template = 'uid={username},ou=People,dc=domain,dc=com'

Since there is no place to mention the TLS file, I am assuming it uses the system LDAP config. I can connect to the LDAP server (accepted), it shows the right bind_dn, but it shows this error:

JupyterHub ldapauthenticator:154] Invalid password for user uid=myUserName,ou=People,dc=domain,dc=com

And on the LDAP server it gives me:

RESULT tag=97 err=49 text=

Is it right to assume there is an SSL problem? How can I solve this issue?

Many thanks.

@danroliver

c.LDAPAuthenticator.user_attribute = 'uid' is not needed unless c.LDAPAuthenticator.lookup_dn = True, so you can safely remove that line.

I suggest sshing into the server that is doing the authentication, doing a sudo apt-get install ldap-utils and then running an ldapsearch using the -v flag for verbose output to check your settings. You would use ldapsearch -v -H "ldaps://myldapserver.edu:636" -b "ou=People,dc=domain,dc=com" "uid=testUsername"
If the search requires authentication, pass the -W parameter for ldapsearch to prompt you for credentials. On my end, I found that I had a parameter miskeyed in the template. I was missing an ou.

@dhirschfeld changed the title from "Issue with LDAPS" to "Allow configuring SSL" on Jun 7, 2018
@dhirschfeld
Collaborator

It seems this may require configuring a custom SSLContext
http://ldap3.readthedocs.io/ssltls.html#sslcontext
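
Added example, not part of the thread and not ldapauthenticator's own code: a stand-alone check that separates a TLS trust failure from a rejected bind, using the CA bundle the reporter lists as TLS_CACERT. The function names are hypothetical; `simple_bind` assumes the third-party ldap3 package is installed. LDAP result code 49, as in the server log above, is `invalidCredentials`, which a server returns only after the connection has been established.

```python
import socket
import ssl
import sys


def build_ldaps_context(ca_file=None):
    """Verifying context; ca_file plays the role of TLS_CACERT in ldap.conf."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_tls(host, port=636, ca_file=None, timeout=5):
    """Handshake only, no LDAP traffic: classify where the connection fails."""
    ctx = build_ldaps_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("tls-ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("cert-rejected", exc.verify_message)
    except ssl.SSLError as exc:
        return ("tls-error", str(exc))
    except OSError as exc:
        return ("unreachable", str(exc))


def simple_bind(host, bind_dn, password, ca_file=None):
    """Simple bind over LDAPS with the same trust settings, using ldap3."""
    import ldap3  # third-party; imported here so probe_tls works without it

    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = ldap3.Server(host, port=636, use_ssl=True, tls=tls)
    conn = ldap3.Connection(server, user=bind_dn, password=password)
    try:
        ok = conn.bind()
        # description is e.g. 'invalidCredentials' for LDAP result code 49
        return ok, conn.result["description"]
    finally:
        conn.unbind()


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: script.py <ldaps-host> <ca-bundle.pem>
    print(probe_tls(sys.argv[1], ca_file=sys.argv[2]))
```

A `cert-rejected` result points at the CA bundle or the hostname in the certificate; `tls-ok` followed by a failed `simple_bind` points at the bind DN or password instead.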
