ldap3.core.exceptions.LDAPStartTLSError
Bug description
LDAP authentication works just fine with JupyterHub version 0.9.x and this configuration:
auth:
  type: ldap
  ldap:
    server:
      address: ldap.example.org
    dn:
      templates:
        - 'uid={username},ou=People,dc=example,dc=org'
However, I found that versions 0.10+ of JupyterHub produce the following error in the hub’s pod:
ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1123)',)
with the equivalent LDAP configuration
hub:
  config:
    JupyterHub:
      authenticator_class: ldapauthenticator.LDAPAuthenticator
    LDAPAuthenticator:
      bind_dn_template:
        - uid={username},ou=People,dc=example,dc=org
      server_address: ldap.example.org
Expected behaviour
Our LDAP server hasn’t changed so we would expect ldapauthenticator version 1.3.2 to work like version 1.3.0.
Actual behaviour
LDAP authentication with ldapauthenticator version 1.3.2 shouldn’t produce the exception above.
How to reproduce
- Configure values.yaml with LDAP authentication
- Deploy JupyterHub version 0.10 or above
- Try to log in to JupyterHub after deployment
- See error with kubectl logs pod/hub-69fdcf79b7-xr946 | grep -i ldap
Your personal set up
- OS: Kubernetes cluster deployed with Magnum on OpenStack Train; OS: fedora-coreos-32.20200629.3.0
- Version(s):
  - JupyterHub 0.9 installs ldapauthenticator version 1.3.0
  - JupyterHub 0.10 installs ldapauthenticator version 1.3.2
  - JupyterHub 0.11 installs ldapauthenticator version 1.3.2
I am always using the zero-to-jupyterhub deployment.
Issue Analytics
- State:
- Created 3 years ago
- Comments: 17 (7 by maintainers)
Top GitHub Comments
I got the same issue solved by this https://stackoverflow.com/questions/61568215/openssl-v1-1-1-ubuntu-20-tlsv1-no-protocols-available
yaml file like this:
Put the “tls1.cnf” onto the k8s node.
In my case this solved it; I hope it helps.
I am not sure whom to include in this discussion who has deeper insight into the specifics of ldap3 and its underlying libraries. This ldapauthenticator library is only scratching the surface. Only a little configuration is offered to the users.
I have heard of people who took another path: they used the default authenticator of JupyterHub and configured the Linux login procedure so that it used LDAP for authentication. You could google "ldap pam authentication linux" and then check which of the solutions might be applicable in your case. That would be an option for bypassing this problem.