
Allowed groups doesn't work because user cn and memberuid are not same


JupyterHub configuration:

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'xxx'
c.LDAPAuthenticator.allowed_groups = [
    "CN=xxx,OU=Groups,DC=xyz,DC=com",
]
c.LDAPAuthenticator.use_ssl = True
c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.user_search_base = 'DC=xyz,DC=com'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.bind_dn_template = ['CN={username},OU=People,DC=xyz,DC=com']
c.LDAPAuthenticator.lookup_dn_search_filter = '(&(objectCategory=Person)({login_attr}={login}))'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'CN'

ldapsearch result:

# extended LDIF
#
# LDAPv3
# base <DC=xyz,DC=com> with scope subtree
# filter: (&(objectCategory=Person)(CN=Tanmay Mathur))
# requesting: ALL
#

# Tanmay Mathur, People, xyz.com
dn: CN=Tanmay Mathur, OU=People,DC=xyz,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: userProxyFull
cn: Tanmay Mathur
distinguishedName: CN=Tanmay Mathur,OU=People,DC=xyz,DC=com
instanceType: 4
whenCreated: xxx
whenChanged: xxx
displayName: Tanmay Mathur
uSNCreated: xxx
uSNChanged: xxx
name: Tanmay Mathur
objectGUID:: xxx
objectSid:: xxx
userPrincipalName: tmathur@xyz.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,CN=xxx
dSCorePropagationData: xxx
gidNumber: xxx
sAMAccountName: tmathur
uid: tmathur
homeDirectory: xxx
unixHomeDirectory: xxx
mail: tmathur@xyz.com
uidNumber: xxx
givenName: Tanmay
gecos: tmathur
sn: Mathur

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Since username gets overwritten with the CN name in the code, allowed groups filtering fails for me. I have changed my local code so the username doesn’t get overwritten and it runs successfully.

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 9

Top GitHub Comments

1 reaction
wiltonsr commented, Aug 20, 2021

Just define

c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'distinguishedName'

I use ldapauthenticator v1.3.2 and Jupyter together with Active Directory and allowed_groups works fine.

This is my complete config, obtained from here:

c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.lookup_dn_search_user = 'USE_YOUR_SERVICE_ACCOUNT_HERE'
c.LDAPAuthenticator.lookup_dn_search_password = 'USE_YOUR_SERVICE_PASS_HERE'
c.LDAPAuthenticator.user_search_base = 'ou=example,dc=com'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'distinguishedName'
c.LDAPAuthenticator.escape_userdn = False
c.LDAPAuthenticator.bind_dn_template = '{username}'
c.LDAPAuthenticator.use_lookup_dn_username = False
# When authenticating on a Linux machine against an AD server 
# This might return something different from the supplied UNIX username. 
# In this case setting use_lookup_dn_username to False might be a solution.

Just check if your AD server has the attribute distinguishedName, but based on this I believe it has.

0 reactions
wiltonsr commented, Aug 20, 2021

I read #199, and just removing

c.LDAPAuthenticator.bind_dn_template = '{username}'

and setting

c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'cn'

has the same result.
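The mismatch described in the issue and the two fixes discussed in the comments, as an added example that is not the ldapauthenticator project's code: an offline model of the allowed_groups membership test. It assumes the authenticator checks each allowed group with a filter of the shape (|(member={userdn})(uniqueMember={userdn})(memberUid={uid})); the user and group entries are constructed from the ldapsearch output above.

```python
# Added example, not code from the ldapauthenticator project.  Assumption: the
# allowed_groups check evaluates (|(member={userdn})(uniqueMember={userdn})(memberUid={uid}))
# against each group.  Entries below are constructed from the issue's ldapsearch output.

def normalize_dn(dn: str) -> str:
    """Canonicalise a DN before comparing: trim whitespace around RDN separators
    and case-fold.  The issue's ldapsearch output prints the DN with a space after
    the first comma, which a naive string comparison would treat as a different DN."""
    return ",".join(p.strip() for p in dn.split(",")).casefold()

# Constructed user entry, reduced from the ldapsearch result in the issue.
USER = {
    "dn": "CN=Tanmay Mathur, OU=People,DC=xyz,DC=com",
    "cn": "Tanmay Mathur",
    "sAMAccountName": "tmathur",
    "distinguishedName": "CN=Tanmay Mathur,OU=People,DC=xyz,DC=com",
}
# Two constructed groups under the allowed_groups DN from the issue: a POSIX-style
# group that lists uids, and an AD-style group that lists member DNs.
POSIX_GROUP = {"dn": "CN=xxx,OU=Groups,DC=xyz,DC=com", "memberUid": ["tmathur"]}
AD_GROUP = {"dn": "CN=xxx,OU=Groups,DC=xyz,DC=com",
            "member": ["CN=Tanmay Mathur,OU=People,DC=xyz,DC=com"]}

def is_member(group: dict, userdn: str, uid: str) -> bool:
    """Evaluate (|(member=userdn)(uniqueMember=userdn)(memberUid=uid)) on one group:
    DN-valued attributes get DN matching, memberUid a case-insensitive string match
    (what LDAP's caseIgnoreMatch would do for a uid)."""
    want = normalize_dn(userdn)
    dn_hit = any(normalize_dn(m) == want for attr in ("member", "uniqueMember")
                 for m in group.get(attr, []))
    uid_hit = any(m.casefold() == uid.casefold() for m in group.get("memberUid", []))
    return dn_hit or uid_hit

def effective_username(login: str, dn_attribute: str, use_lookup_dn_username: bool) -> str:
    """The username carried into the group test: the looked-up attribute's value when
    use_lookup_dn_username is True, otherwise the login exactly as the user typed it."""
    return USER[dn_attribute] if use_lookup_dn_username else login

def allowed(group: dict, dn_attribute: str, use_lookup_dn_username: bool = True) -> bool:
    """Run the group test for one configuration, logging in as sAMAccountName 'tmathur'."""
    uid = effective_username("tmathur", dn_attribute, use_lookup_dn_username)
    return is_member(group, USER["dn"], uid)

if __name__ == "__main__":
    # The issue: username rewritten to the CN can never equal memberUid 'tmathur'.
    print("cn, posix group      :", allowed(POSIX_GROUP, "cn"))              # False
    # Keeping the typed login (use_lookup_dn_username = False) restores the match.
    print("cn, posix, keep login:", allowed(POSIX_GROUP, "cn", False))       # True
    # An AD group matched on member DN passes whatever the username was rewritten to.
    print("distinguishedName, AD:", allowed(AD_GROUP, "distinguishedName"))  # True
```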
