As an administrator, I would like LDAP authenticated users to automatically have accounts created on my system so that I can automate this process.

Using the LDAP authenticator, I’m able to authenticate users.

For example, the user exists in the LDAP server and also has a Linux user account on the hub server. Login and authentication works fine.

If a user exists in the LDAP server though but does not have a corresponding linux system account on the hub, I get the following error:

      File "/usr/lib/python3.4/site-packages/jupyterhub/spawner.py", line 439, in user_env
        home = pwd.getpwnam(self.user.name).pw_dir
    KeyError: 'getpwnam(): name not found: angie'

Can the LDAP authenticator be used with the PAM/LocalAuthenticator capabilities and create this user if they don’t exist?

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 17 (1 by maintainers)

Top GitHub Comments

4 reactions
benhosmer commented, Sep 19, 2016

I never got it to work in the config file. I imagine you could just do something similar to this:

    # ldapcreateusers.py (module name taken from authenticator_class below)
    from jupyterhub.auth import Authenticator, LocalAuthenticator
    from ldapauthenticator import LDAPAuthenticator

    class LocalLDAPCreateUsers(LocalAuthenticator, LDAPAuthenticator):
        """Create local user accounts based on LDAP authentication"""
        pass

    # jupyterhub_config.py
    c.JupyterHub.authenticator_class = 'ldapcreateusers.LocalLDAPCreateUsers'
    c.LocalLDAPCreateUsers.server_address = 'some.ldap.server'
    c.LocalLDAPCreateUsers.server_port = 389
    c.LocalLDAPCreateUsers.use_ssl = False
    c.LocalLDAPCreateUsers.bind_dn_template = 'uid={username},dc=yourdomain,dc=com'
    # Creates missing local accounts; the hub process needs the privileges to do so
    c.LocalLDAPCreateUsers.create_system_users = True

Or just $ pip install jupyterhub-ldapcreateusers: https://github.com/benhosmer/jupyterhub-ldapcreateusers
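An added example, not part of the thread or of either project: a standard-library pre-check a hub operator could run on an LDAP-authenticated name before spawning, or before `create_system_users` creates an account. It separates the missing-account case behind the `KeyError` above from names that should never reach account creation and from names that collide with a local service account; the name pattern, the UID threshold of 1000 and the sample entries are assumptions constructed for illustration.

```python
import pwd
import re
from collections import namedtuple

# Conservative login-name pattern; an assumption of this example, not a JupyterHub rule.
SAFE_NAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# Assumed lowest UID for regular accounts (UID_MIN in /etc/login.defs is commonly 1000).
MIN_HUMAN_UID = 1000


def classify_login(username, lookup=pwd.getpwnam):
    """Classify an LDAP-authenticated name before a single-user server is spawned.

    Returns "rejected", "missing", "system" or "present".
    """
    if not SAFE_NAME.fullmatch(username):
        return "rejected"  # never pass unusual names to account creation or the spawner
    try:
        entry = lookup(username)  # NSS lookup, so nss_ldap-provided users resolve too
    except KeyError:
        return "missing"  # the case that raises in spawner.user_env in the question
    if entry.pw_uid < MIN_HUMAN_UID:
        return "system"  # directory name collides with a local service account
    return "present"


# Constructed passwd entries standing in for the hub host's NSS database.
FakeEntry = namedtuple("FakeEntry", "pw_name pw_uid pw_dir")
SAMPLE_DB = {
    "alice": FakeEntry("alice", 1001, "/home/alice"),
    "mysql": FakeEntry("mysql", 27, "/var/lib/mysql"),
}


def sample_lookup(name):
    """Stand-in for pwd.getpwnam; raises KeyError for unknown names, as pwd does."""
    return SAMPLE_DB[name]


if __name__ == "__main__":
    for name in ("alice", "angie", "mysql", "Angie Smith"):
        print(name, "->", classify_login(name, sample_lookup))
```

On a real hub, call `classify_login(name)` without the second argument so the lookup goes through the host's own NSS configuration.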

0 reactions
epignatelli commented, Jun 4, 2019

Can you explain what you mean by possibility of conflict with sudospawner?

Security-wise, I’d be very tempted to just say ‘no’ in this context - nss_ldap and pam_ldap have seen far more audits and deployment scenarios than ldapauthenticator+jupyterhub ever will, so any security-conscious install should be using that setup. This is doubly important for things like user account removals, etc. I understand the desire to not add extra setup and fold it into this, but I think it’ll be a bad addition for the default ldapauthenticator. It’ll also require that the whole jupyterhub server run as root, which is a pretty big attack vector.

If you really want to not use pam_ldap + nss_ldap, I’d recommend creating a subclass of ldapauthenticator that does that as a separate project, but not as part of ldapauthenticator itself.

On Thu, Sep 1, 2016 at 11:23 AM, Ben Hosmer notifications@github.com wrote:

@yuvipanda You definitely bring up some good points, however I see a few disadvantages as well:

  1. The system that JupyterHub is running on now needs additional packages and configuration; this opens up another attack vector and adds complexity. For some enterprise environments, it isn’t very simple to add additional packages.
  2. The possibility of conflicts with sudospawner

I modeled this implementation for ldapauthenticator after the oauthenticator https://github.com/jupyterhub/oauthenticator/tree/master/oauthenticator.

Yuvi Panda T http://yuvi.in/blog

@yuvipanda does this apply to the Windows platform as well?
