LDAP Config options not recognized by LDAPAuthenticator #58

Closed
satishagrawal03 opened this issue Nov 30, 2017 · 14 comments

@satishagrawal03

Hi All,

I have configured the parameters as per the instructions to authenticate users using LDAPAuthenticator.
But I am getting a few errors while starting JupyterHub and am unable to authenticate users. Can anyone please help me with this? Please note that the LDAP users are not present in the local system, nor do I wish to create them. I hope it is possible to authenticate users against LDAP without needing to create users in the local system. Correct me if I am wrong.

JupyterHub startup Logs:

[W 2017-11-29 16:40:17.164 JupyterHub configurable:168] Config option lookup_dn_search_filter not recognized by LDAPAuthenticator.
[W 2017-11-29 16:40:17.165 JupyterHub configurable:168] Config option lookup_dn_search_user not recognized by LDAPAuthenticator. Did you mean lookup_dn?
[W 2017-11-29 16:40:17.165 JupyterHub configurable:168] Config option lookup_dn_search_password not recognized by LDAPAuthenticator.
[W 2017-11-29 16:40:17.165 JupyterHub configurable:168] Config option lookup_dn_user_dn_attribute not recognized by LDAPAuthenticator. Did you mean user_attribute?
[W 2017-11-29 16:40:17.166 JupyterHub configurable:168] Config option escape_userdn not recognized by LDAPAuthenticator.
[W 2017-11-29 16:40:17.166 JupyterHub app:966] No admin users, admin interface will be unavailable.
[W 2017-11-29 16:40:17.166 JupyterHub app:967] Add any administrative users to c.Authenticator.admin_users in config.
[I 2017-11-29 16:40:17.166 JupyterHub app:994] Not using whitelist. Any authenticated user will be allowed.
[D 2017-11-29 16:40:17.190 JupyterHub user:184] Creating <class 'jupyterhub.spawner.LocalProcessSpawner'> for idap_user:
[D 2017-11-29 16:40:17.193 JupyterHub app:1222] Loading state for idap_user from db
[W 2017-11-29 16:40:17.193 JupyterHub app:1242] idap_user appears to have stopped while the Hub was down
[D 2017-11-29 16:40:17.202 JupyterHub user:184] Creating <class 'jupyterhub.spawner.LocalProcessSpawner'> for satish_agrawal01:
[D 2017-11-29 16:40:17.204 JupyterHub app:1222] Loading state for satish_agrawal01 from db
[W 2017-11-29 16:40:17.204 JupyterHub app:1242] satish_agrawal01 appears to have stopped while the Hub was down
[D 2017-11-29 16:40:17.208 JupyterHub app:1252] Loaded users:
idap_user
satish_agrawal01
[I 2017-11-29 16:40:17.213 JupyterHub app:1539] Hub API listening on http://127.0.0.1:8081/hub/
[W 2017-11-29 16:40:17.213 JupyterHub proxy:415]
Generating CONFIGPROXY_AUTH_TOKEN. Restarting the Hub will require restarting the proxy.
Set CONFIGPROXY_AUTH_TOKEN env or JupyterHub.proxy_auth_token config to avoid this message.

[W 2017-11-29 16:40:17.214 JupyterHub proxy:456] Running JupyterHub without SSL. I hope there is SSL termination happening somewhere else...
[I 2017-11-29 16:40:17.214 JupyterHub proxy:458] Starting proxy @ http://10.0.0.40:8000/
[D 2017-11-29 16:40:17.214 JupyterHub proxy:459] Proxy cmd: ['configurable-http-proxy', '--ip', '10.0.0.40', '--port', '8000', '--api-ip', '127.0.0.1', '--api-port', '8001', '--error-target', 'http://127.0.0.1:8081/hub/error']
16:40:17.331 - info: [ConfigProxy] Proxying http://10.0.0.40:8000 to (no default)
16:40:17.334 - info: [ConfigProxy] Proxy API at http://127.0.0.1:8001/api/routes
[D 2017-11-29 16:40:17.371 JupyterHub proxy:491] Proxy started and appears to be up
[D 2017-11-29 16:40:17.378 JupyterHub proxy:552] Proxy: Fetching GET http://127.0.0.1:8001/api/routes
[W 2017-11-29 16:40:17.386 JupyterHub proxy:304] Adding missing default route
[I 2017-11-29 16:40:17.387 JupyterHub proxy:370] Adding default route for Hub: / => http://127.0.0.1:8081
[D 2017-11-29 16:40:17.387 JupyterHub proxy:552] Proxy: Fetching POST http://127.0.0.1:8001/api/routes/
16:40:17.387 - info: [ConfigProxy] 200 GET /api/routes
16:40:17.392 - info: [ConfigProxy] Adding route / -> http://127.0.0.1:8081
16:40:17.393 - info: [ConfigProxy] 201 POST /api/routes/
[I 2017-11-29 16:40:17.393 JupyterHub app:1592] JupyterHub is now running at http://10.0.0.40:8000/
[I 2017-11-29 16:40:43.489 JupyterHub log:122] 302 GET / → /hub (@10.110.92.177) 0.63ms
[I 2017-11-29 16:40:43.644 JupyterHub log:122] 302 GET /hub → /hub/login (@10.110.92.177) 0.42ms
[I 2017-11-29 16:40:43.839 JupyterHub log:122] 200 GET /hub/login (@10.110.92.177) 39.15ms
[D 2017-11-29 16:40:44.488 JupyterHub log:122] 200 GET /hub/static/css/style.min.css?v=14dc0b5a8b791d573b687aa626aa2600 (@10.110.92.177) 7.93ms
[D 2017-11-29 16:40:44.492 JupyterHub log:122] 200 GET /hub/static/components/requirejs/require.js?v=e7199843dfd445bb66ec816e98a03214 (@10.110.92.177) 0.57ms
[D 2017-11-29 16:40:44.493 JupyterHub log:122] 200 GET /hub/static/components/jquery/jquery.min.js?v=c9f5aeeca3ad37bf2aa006139b935f0a (@10.110.92.177) 0.57ms
[D 2017-11-29 16:41:11.536 JupyterHub log:122] 200 GET /favicon.ico (@10.110.92.177) 3.98ms
[W 2017-11-29 16:42:39.074 JupyterHub ldapauthenticator:154] Invalid password for user CN=satish_agrawal01,OU=GEN,OU=Users,OU=IVL,OU=BHU,OU=IND,DC=ad,DC=company,DC=com
[W 2017-11-29 16:42:39.074 JupyterHub base:350] Failed login for satish_agrawal01

Here is my jupyterhub_config.py:

c.Spawner.cmd = ['/opt/anaconda3/bin/jupyterhub-singleuser']
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = '10.X.Y.1'
c.LDAPAuthenticator.server_port = 389
#c.LDAPAuthenticator.bind_dn_template = ['CN={username},OU=GEN,OU=Users,OU=IVL,OU=BHU,OU=IND,DC=ad,DC=company,DC=com','CN={username},OU=SPL,OU=Users,OU=KRK,OU=BHU,OU=IND,DC=ad,DC=company,DC=com']
c.LDAPAuthenticator.bind_dn_template = '{username}'
c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.use_ssl = False
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.lookup_dn_search_user = 'CN=admin user,OU=SPL,OU=Users,OU=KRK,OU=BHU,OU=IND,DC=ad,DC=company,DC=com'
c.LDAPAuthenticator.lookup_dn_search_password = 'myPassword'
c.LDAPAuthenticator.user_search_base = 'DC=ad,DC=company,DC=com'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'cn'
c.LDAPAuthenticator.escape_userdn = False

@holms

holms commented Dec 4, 2017

I have the same problem. C'mon, you have those options in the README file, why doesn't it work now?

I have openldap running with admin user and ldapsearch works this way:

ldapsearch -x -H ldap://localhost -b "ou=people,dc=mycompany,dc=net" -D "cn=admin,dc=mycompany,dc=net" -w demo

So I critically need those two variables to work:
lookup_dn_search_filter and lookup_dn_search_user

Here's my jupyter config:

$ cat config/jupyterhub_config.py  | grep LDAP
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'openldap'
c.LDAPAuthenticator.use_ssl = False
c.LDAPAuthenticator.server_port = 389
c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_user = 'cn=admin,dc=mycompany,dc=net'
c.LDAPAuthenticator.lookup_dn_search_password = 'demo'
c.LDAPAuthenticator.bind_dn_template = 'uid={username},ou=people,dc=mycompany,dc=net'
c.LDAPAuthenticator.allowed_groups = ['cn=jupyterhub,ou=groups,dc=mycompany,dc=net']

Output of jupyter:

jupyterhub_1    | [W 2017-12-04 16:16:05.624 JupyterHub configurable:168] Config option `lookup_dn_search_user` not recognized by `LDAPAuthenticator`.  Did you mean `lookup_dn`?
jupyterhub_1    | [W 2017-12-04 16:16:05.625 JupyterHub configurable:168] Config option `lookup_dn_search_password` not recognized by `LDAPAuthenticator`.

@holms

holms commented Dec 4, 2017

@minrk we need you so much in here :)

@dhirschfeld
Collaborator

Usually it's helpful to list the versions of all possible modules which could play a part in the problem. At a minimum that would be the JupyterHub and LDAPAuthenticator versions, and also the Python and platform versions.

It works fine for me, but I'm on py36/win64, jupyterhub=0.8.0rc2-2-gf79b717 and ldapauthenticator=1.1-36-g959fa4c

@satishagrawal03
Author

satishagrawal03 commented Dec 6, 2017

@dhirschfeld Please find the version details below:

Jupyterhub: 0.8.0
jupyterhub-ldapauthenticator-1.1
OS: Red Hat Enterprise Linux Server release 6.7 (Santiago)

I have 2 different versions of Python: the default one, which is included in PATH, is Python 2.7.12 :: Anaconda 4.2.0 (64-bit), and another one (in /opt/anaconda3/bin/python3 --version) is Python 3.6.3 :: Anaconda, Inc.

I am using the command below to start JupyterHub:
/opt/anaconda3/bin/python3 /opt/anaconda3/bin/jupyterhub --ip=10.X.Y.0 --port=8000 -f /home/idap_user/.jupyter/jupyterhub_config.py --debug &

Kindly guide me to resolve the issue. Thanks!

@dhirschfeld
Collaborator

1.1 was released a long time ago. If you look at the diff: 1.1...master

...the functionality you're wanting was added after 1.1. There hasn't been a release since so if you want that functionality it looks like you'll need to run off master.
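
One way to list which settings a running Hub actually dropped, by cross-referencing the "not recognized" warnings with the config file. This is an added example, not part of the thread and not JupyterHub or ldapauthenticator code; the function names are hypothetical, and the sample config and log are constructed from lines quoted in this thread with a placeholder password.

```python
import re

# traitlets warning, with or without backticks (the first log in the thread lost them)
WARN_RE = re.compile(
    r"Config option `?(?P<opt>\w+)`? not recognized by `?(?P<cls>\w+)`?"
    r"(?:\.\s+Did you mean `?(?P<hint>\w+)`?\?)?"
)
# Uncommented assignment such as: c.LDAPAuthenticator.lookup_dn = True
ASSIGN_RE = re.compile(r"^\s*c\.(?P<cls>\w+)\.(?P<opt>\w+)\s*=")

def unrecognized_options(log_text):
    """Return {(class, option): suggested name or None} for each warning."""
    return {(m["cls"], m["opt"]): m["hint"] for m in WARN_RE.finditer(log_text)}

def ignored_settings(config_text, log_text):
    """Return (line number, option, hint) for config lines the Hub ignored."""
    dropped = unrecognized_options(log_text)
    result = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m and (m["cls"], m["opt"]) in dropped:
            result.append((lineno, m["opt"], dropped[(m["cls"], m["opt"])]))
    return result

# Constructed sample input (assumption: placeholder credentials)
SAMPLE_CONFIG = """\
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_user = 'cn=admin,dc=mycompany,dc=net'
c.LDAPAuthenticator.lookup_dn_search_password = 'PLACEHOLDER'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
#c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
"""
SAMPLE_LOG = """\
[W 2017-12-04 16:16:05.624 JupyterHub configurable:168] Config option `lookup_dn_search_user` not recognized by `LDAPAuthenticator`.  Did you mean `lookup_dn`?
[W 2017-12-04 16:16:05.625 JupyterHub configurable:168] Config option `lookup_dn_search_password` not recognized by `LDAPAuthenticator`.
[W 2017-11-29 16:40:17.164 JupyterHub configurable:168] Config option lookup_dn_search_filter not recognized by LDAPAuthenticator.
"""

if __name__ == "__main__":
    for lineno, opt, hint in ignored_settings(SAMPLE_CONFIG, SAMPLE_LOG):
        note = f" (closest known option: {hint})" if hint else ""
        print(f"config line {lineno}: {opt} was ignored{note}")
```

Any line it reports is a setting the authenticator never saw, so the Hub is running with that option's default rather than the configured value.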

@satishagrawal03
Author

@dhirschfeld
I installed ldapauthenticator using the command 'pip install jupyterhub-ldapauthenticator' only last month.
Could you please let me know how to check the exact version?

@holms

holms commented Dec 10, 2017

I think you can close this. I've had other issues in there, so I've just simplified my life. For example, if you use a bind like this, uid={username},ou=people,dc=mycompany,dc=net, it won't work, although if you put that username in the cn field instead of the name/surname which is stored in there, with this bind, cn={username},ou=people,dc=mycompany,dc=net, it works. I don't know why this happens. I'm abandoning this, as this works for me and it's fine as is.

@dhirschfeld
Collaborator

@satishagrawal03 - pip install will install the last released version which as I mentioned is too old.

IIUC you can use pip to install the GitHub master branch like so:

pip install git+https://github.com/jupyterhub/ldapauthenticator.git

Obviously requires that you have git installed.

@satishagrawal03
Author

@dhirschfeld Thanks for your input. I was able to resolve the issue after upgrading and am able to log in now, but only with those users who are also available in the UNIX system. As highlighted earlier, all the LDAP users are not present in the local system, nor do I wish to create them. Could you please confirm whether it is possible to authenticate users against LDAP without the users being available or created in the local system?

Currently, I am getting the error below for users not available in the local system. Kindly guide.

 2017-12-11 17:02:25.193 JupyterHub web:1590] Uncaught exception GET /hub/user/idap_admin/ (10.110.85.173)
    HTTPServerRequest(protocol='http', host='10.118.214.142:8000', method='GET', uri='/hub/user/idap_admin/', version='HTTP/1.1', remote_ip='10.110.85.173', headers={'X-Forwarded-Host': '10.118.214.142:8000', 'X-Forwarded-Proto': 'http', 'X-Forwarded-Port': '8000', 'X-Forwarded-For': '10.110.85.173', 'Cookie': 'jupyter-hub-token="2|1:0|10:1512991790|17:jupyter-hub-token|44:MWUyMTcxMzAwNWI3NGQ2ZjhkODFkNThjNGU3ZjMwMzY=|33fece8d8be6e97f31d4f556810f5465a863ea83a7080d71d85ac6c449acaa08"; WDISessionId=1p1n91nnuezk418hnamtful0ot; x-csrf-token=AUG9iqYR-CKX85eZhFwYpZjDxwcrY8wPh8z4; _xsrf=2|f9bc3a3c|5a05c9bc5ec590a57180a129513b6091|1512991745', 'Accept-Language': 'en-US,en;q=0.9', 'Accept-Encoding': 'gzip, deflate', 'Referer': 'http://10.118.214.142:8000/hub/home', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36', 'Upgrade-Insecure-Requests': '1', 'Connection': 'close', 'Host': '10.118.214.142:8000'})
    Traceback (most recent call last):
      File "/opt/anaconda3/lib/python3.6/site-packages/tornado/web.py", line 1511, in _execute
        result = yield result
      File "/opt/anaconda3/lib/python3.6/site-packages/jupyterhub/handlers/base.py", line 744, in get
        yield self.spawn_single_user(current_user)
      File "/opt/anaconda3/lib/python3.6/site-packages/jupyterhub/handlers/base.py", line 474, in spawn_single_user
        yield gen.with_timeout(timedelta(seconds=self.slow_spawn_timeout), finish_spawn_future)
      File "/opt/anaconda3/lib/python3.6/site-packages/jupyterhub/handlers/base.py", line 444, in finish_user_spawn
        yield spawn_future
      File "/opt/anaconda3/lib/python3.6/site-packages/jupyterhub/user.py", line 439, in spawn
        raise e
      File "/opt/anaconda3/lib/python3.6/site-packages/jupyterhub/user.py", line 378, in spawn
        ip_port = yield gen.with_timeout(timedelta(seconds=spawner.start_timeout), f)
      File "/opt/anaconda3/lib/python3.6/types.py", line 248, in wrapped
        coro = func(*args, **kwargs)
      File "/opt/anaconda3/lib/python3.6/site-packages/jupyterhub/spawner.py", line 968, in start
        env = self.get_env()
      File "/opt/anaconda3/lib/python3.6/site-packages/jupyterhub/spawner.py", line 960, in get_env
        env = self.user_env(env)
      File "/opt/anaconda3/lib/python3.6/site-packages/jupyterhub/spawner.py", line 947, in user_env
        home = pwd.getpwnam(self.user.name).pw_dir
    KeyError: 'getpwnam(): name not found: idap_admin'

@metal3d

metal3d commented Apr 4, 2018

Same for me. I opened issue #67, which is the same result on my local machine.

@ted-strauss-K1

I have the same bug.

[W 2018-04-20 15:16:34.055 JupyterHub configurable:168] Config option `lookup_dn_search_user` not recognized by `LDAPAuthenticator`.  Did you mean `lookup_dn`?
[W 2018-04-20 15:16:34.056 JupyterHub configurable:168] Config option `lookup_dn_search_password` not recognized by `LDAPAuthenticator`.
[W 2018-04-20 15:16:34.057 JupyterHub configurable:168] Config option `lookup_dn_search_filter` not recognized by `LDAPAuthenticator`

@dhirschfeld
Collaborator

@tedstrauss - please install from GitHub:

pip install git+https://github.com/jupyterhub/ldapauthenticator.git

@ted-strauss-K1

I tried this. And upgraded to PIP 3.x and tried again.
There was no effect on the bug.
Maybe I need to uninstall more thoroughly first?

@dhirschfeld
Collaborator

Closing as this will be "fixed" by #70 and there is a workaround (install from master) in the meantime

5 participants