
Config options allowed_groups and search_filter are mutually exclusive #93

Closed
mfriedemann opened this issue Jul 5, 2018 · 1 comment · Fixed by #95
@mfriedemann

As per the title, these two options cannot be used together.

If the bind operation was successful, there is an if (groups) else if (filter):


In particular, this means that for our case, where we don't actually bind with a DN but with user@domain (this works with AD and we use it to avoid the first bind with the "technical account"), we can't restrict by group membership, because we need to FIRST do the search for the actual DN, using the filter.

You could argue that we should use the DN lookup feature, but that requires some static account (you call it the "technical account" but we neither have, nor want this), as it is not possible to use the given username/password for the first bind operation in resolve_username. (This could be opened as a different issue or feature request).

conn = ldap3.Connection(server, user=self.escape_userdn_if_needed(self.lookup_dn_search_user), password=self.lookup_dn_search_password)

As a side note not aimed specifically at you guys, I think it is generally unfortunate that every project reinvents the wheel wrt. the configuration of LDAP-based authentication modules. Even if you happen to know how you can bind and what you need to search for (and that might be a capital if), you end up fiddling with options and reading docs / source code until you figure out a config that works with project X.

Regards,
M.
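The authorization flow the post describes can be modelled without an LDAP server. The block below is an added example, not ldapauthenticator's code: it places the original `if allowed_groups: ... elif search_filter: ...` decision beside a combined flow that first resolves the user's DN through `search_filter` and then checks `allowed_groups` against that DN. The directory, the user and group entries, the `{username}` placeholder and the function names are all constructed for this illustration; the filter evaluator only understands equality filters and `&`, `|`, `!` combinations.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Entry:
    """One directory entry; attribute values are lists of strings."""
    dn: str
    attrs: dict = field(default_factory=dict)

# Constructed in-memory directory (hypothetical example data).
# carol is in the allowed group but is a contractor, so a search_filter
# restricting to staff should still keep her out.
PEOPLE = "ou=people,dc=example,dc=org"
GROUP_DN = "cn=hub-users,ou=groups,dc=example,dc=org"
DIRECTORY = [
    Entry(f"uid=alice,{PEOPLE}", {"uid": ["alice"], "employeeType": ["staff"]}),
    Entry(f"uid=bob,{PEOPLE}", {"uid": ["bob"], "employeeType": ["staff"]}),
    Entry(f"uid=carol,{PEOPLE}", {"uid": ["carol"], "employeeType": ["contractor"]}),
    Entry(GROUP_DN, {"member": [f"uid=alice,{PEOPLE}", f"uid=carol,{PEOPLE}"]}),
]

_SIMPLE = re.compile(r"^\(([A-Za-z][\w-]*)=([^()]*)\)$")

def _split_components(s):
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], honouring nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def matches_filter(entry, flt):
    """Minimal LDAP filter evaluator: (attr=value), (attr=*), &, |, !."""
    flt = flt.strip()
    m = _SIMPLE.match(flt)
    if m:
        attr, value = m.group(1), m.group(2)
        vals = entry.attrs.get(attr, [])
        if value == "*":
            return bool(vals)
        return value in vals
    if flt.startswith("(") and flt.endswith(")") and flt[1] in "&|!":
        parts = _split_components(flt[2:-1])
        if flt[1] == "&":
            return all(matches_filter(entry, p) for p in parts)
        if flt[1] == "|":
            return any(matches_filter(entry, p) for p in parts)
        return not matches_filter(entry, parts[0])
    raise ValueError(f"unsupported filter: {flt}")

def search(flt):
    return [e for e in DIRECTORY if matches_filter(e, flt)]

def in_allowed_group(user_dn, allowed_groups):
    """True if user_dn is listed as a member of any configured group."""
    for group_dn in allowed_groups:
        group = next((e for e in DIRECTORY if e.dn == group_dn), None)
        if group is not None and user_dn in group.attrs.get("member", []):
            return True
    return False

def authorize_original(username, bind_dn, allowed_groups, search_filter):
    """Original if/elif flow: only one restriction is ever applied, and the
    group check uses whatever identity the bind used (a UPN, here)."""
    if allowed_groups:
        return in_allowed_group(bind_dn, allowed_groups)
    elif search_filter:
        return bool(search(search_filter.format(username=username)))
    return True

def authorize_combined(username, bind_dn, allowed_groups, search_filter):
    """Combined flow: resolve the DN through the filter first (denying on no
    match or an ambiguous match), then enforce group membership on that DN."""
    user_dn = bind_dn
    if search_filter:
        hits = search(search_filter.format(username=username))
        if len(hits) != 1:
            return False
        user_dn = hits[0].dn
    if allowed_groups and not in_allowed_group(user_dn, allowed_groups):
        return False
    return True

if __name__ == "__main__":
    groups = [GROUP_DN]
    flt = "(&(uid={username})(employeeType=staff))"
    for name in ("alice", "bob", "carol"):
        upn = f"{name}@example.org"
        print(name, authorize_original(name, upn, groups, flt),
              authorize_combined(name, upn, groups, flt))
```

With both options set, the original flow checks only the group, and because the bind identity is a UPN rather than a DN that check fails even for alice; the combined flow admits alice, rejects bob (staff but not in the group) and rejects carol (in the group but not staff), which is the behaviour an administrator setting both options would expect.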

@dhirschfeld
Collaborator

dhirschfeld commented Jul 19, 2018

I think this is a valid bug in the logic - I can't see offhand why they should be mutually exclusive.

dhirschfeld pushed a commit to dhirschfeld/ldapauthenticator that referenced this issue Jul 19, 2018
- Fixes jupyterhub#44
  Empty DN templates are now ignored
- Fixes jupyterhub#93
  search_filter and allowed_groups are no longer mutually exclusive