Authentication against Active directory stopped working
Since commit c881a9fba7e73ba938adc744e7e0deed8a262b15 the working authentication against Active directory does not work anymore.
from the logs:
after c881a9fba7e73ba938adc744e7e0deed8a262b15
[D 2018-06-12 14:01:04.368 JupyterHub ldapauthenticator:299] TYPE= 'True'
[D 2018-06-12 14:01:04.369 JupyterHub ldapauthenticator:223] Looking up user with search_base=DC=example,dc=com, search_filter='(sAMAccountName=x.matthias)', attributes=sAMAccountName
[D 2018-06-12 14:01:04.587 JupyterHub ldapauthenticator:278] Attempting to bind x.matthias with CN=X Matthias\,OU=Users\,DC=example\,DC=com
[D 2018-06-12 14:01:04.589 JupyterHub ldapauthenticator:330] Status of user bind x.matthias with CN=X Matthias\,OU=Users\,DC=example\,DC=com : False
LDAPBindError: automatic bind not successful - invalidCredentials
before
[D 2018-06-12 14:09:53.714 JupyterHub ldapauthenticator:299] TYPE= 'True'
[D 2018-06-12 14:09:53.715 JupyterHub ldapauthenticator:223] Looking up user with search_base=DC=example,dc=com, search_filter='(sAMAccountName=x.matthias)', attributes=sAMAccountName
[D 2018-06-12 14:09:53.943 JupyterHub ldapauthenticator:278] Attempting to bind x.matthias with CN=X Matthias,OU=Users,DC=example,DC=com
[D 2018-06-12 14:09:54.709 JupyterHub ldapauthenticator:328] Status of user bind x.matthias with CN=X Matthias,OU=Users,DC=example,DC=com : True
[D 2018-06-12 14:09:54.709 JupyterHub ldapauthenticator:334] username:x.matthias Using dn CN=X Matthias,OU=Users,DC=example,DC=com
[D 2018-06-12 14:09:54.716 JupyterHub base:268] Setting cookie for x.matthias: jupyter-hub-token, {'httponly': True}
The problem seems to be the escaped “,” - which does not work against Windows AD controllers, and currently cannot be disabled (at least not that I’d have found it).
related config:
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.server_address = 'ldap://domaincontroller.example.com'
c.LDAPAuthenticator.server_port = 3268
c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.LDAPAuthenticator.lookup_dn_search_user = 'CN=HelperUser,OU=Service Accounts,OU=Rights and Policies,OU=GA,DC=example,DC=com'
c.LDAPAuthenticator.lookup_dn_search_password = '<password>'
c.LDAPAuthenticator.base_dn = 'dc=example,dc=com'
c.LDAPAuthenticator.bind_dn_template = [
    '{username}',
]
c.LDAPAuthenticator.user_search_base = 'dc=example,dc=com'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'
c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'DistinguishedName'
c.LDAPAuthenticator.escape_userdn = False
c.LDAPAuthenticator.allowed_groups = [
    'CN=JHub-Admin,OU=Groups,OU=Rights and Policies,OU=GA,DC=example,DC=com'
]
Unfortunately, changing escape_userdn did not have any effect, as it’s in an area where this is not checked.
https://github.com/jupyterhub/ldapauthenticator/blob/45ee38febb908168059142f799ace4357b33d34a/ldapauthenticator/ldapauthenticator.py#L305
All attributes have been changed to “example.com” …
Issue Analytics
- State:
- Created 5 years ago
- Comments:8
Top GitHub Comments
Thanks for the report @xmatthias. The problem isn’t to do with Windows AD controllers (I’m running on Windows) but instead is the use of DN for the lookup_dn_user_dn_attribute. The code as is assumes c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'CN' so that’s definitely something to fix. In the interim, can you confirm if using the below config fixes the problem?
Can someone please help with the same kind of issue #115
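The escaping behaviour discussed in this issue, as an added example that is not part of the original thread or of the ldapauthenticator code: RFC 4514 escaping is meant for a single attribute value, and applying it to a complete DN turns the RDN separators into literal commas, which reproduces the bind string from the "after" log. The helper names (`escape_rdn_value`, `split_rdns`, `build_bind_dn`) and the `resolved_is_dn` flag are hypothetical, and the sample DN is constructed from the log lines above.

```python
import re

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_SPECIAL = re.compile(r'[\\",+;<>]')

def escape_rdn_value(value):
    """Escape ONE attribute value (e.g. a CN) for use inside a DN."""
    out = _SPECIAL.sub(r"\\\g<0>", value).replace("\x00", "\\00")
    if value[:1] in ("#", " "):                  # leading '#' or space
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):   # trailing space
        out = out[:-1] + "\\ "
    return out

def split_rdns(dn):
    """Split a DN into RDNs the way a server does: on unescaped commas only."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):    # escaped pair stays in the value
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    return parts

def build_bind_dn(template, resolved, resolved_is_dn):
    """Fill a bind DN template (hypothetical helper, not the project's API).

    resolved_is_dn=True: the lookup attribute held a full DN, which the
    directory already returns in escaped string form, so it is used as is.
    resolved_is_dn=False: the value is a single name component and is escaped.
    """
    if not resolved_is_dn:
        resolved = escape_rdn_value(resolved)
    return template.format(username=resolved)

# Constructed sample value, modelled on the log lines in the issue.
LOOKED_UP_DN = "CN=X Matthias,OU=Users,DC=example,DC=com"
as_component = build_bind_dn("{username}", LOOKED_UP_DN, resolved_is_dn=False)
as_dn = build_bind_dn("{username}", LOOKED_UP_DN, resolved_is_dn=True)

if __name__ == "__main__":
    print(as_component, "->", len(split_rdns(as_component)), "RDN")
    print(as_dn, "->", len(split_rdns(as_dn)), "RDNs")
```

Escaping still matters when the looked-up value is a name component: a CN such as `Doe, Jane` placed into `CN={username},OU=Users,DC=example,DC=com` must keep its comma inside the first RDN instead of adding a new one.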