question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

ldap3.core.exceptions.LDAPStartTLSError

See original GitHub issue

Bug description

LDAP authentication works just fine with JupyterHub version 0.9.x and this configuration:

auth:
  type: ldap
  ldap:
    server:
      address: ldap.example.org
    dn:
      templates:
        - 'uid={username},ou=People,dc=example,dc=org'

However, I found that versions 0.10+ of JupyterHub produce the following error in the hub’s pod:

ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1123)',)

with the equivalent LDAP configuration

hub:
  config:
    JupyterHub:
      authenticator_class: ldapauthenticator.LDAPAuthenticator
    LDAPAuthenticator:
      bind_dn_template:
        - uid={username},ou=People,dc=example,dc=org
      server_address: ldap.example.org

Expected behaviour

Our LDAP server hasn’t changed so we would expect ldapauthenticator version 1.3.2 to work like version 1.3.0.

Actual behaviour

LDAP authentication with ldapauthenticator version 1.3.2 shouldn’t produce the exception above.

How to reproduce

  1. Configure values.yaml with LDAP authentication
  2. Deploy JupyterHub version 0.10 or above
  3. Try to login to JupyterHub after deployment
  4. See error with kubectl logs pod/hub-69fdcf79b7-xr946 | grep -i ldap

Your personal set up

  • OS: Kubernetes cluster deployed with Magnum on OpenStack Train OS: fedora-coreos-32.20200629.3.0

  • Version(s): JupyterHub 0.9 installs ldapauthenticator version 1.3.0 JupyterHub 0.10 installs ldapauthenticator version 1.3.2 JupyterHub 0.11 installs ldapauthenticator version 1.3.2

I am always using zero-to-jupyterhub deployment.

Issue Analytics

  • State:open
  • Created 3 years ago
  • Comments:17 (7 by maintainers)

github_iconTop GitHub Comments

3reactions
M0025commented, Jul 30, 2021

I got the same issue solved by this https://stackoverflow.com/questions/61568215/openssl-v1-1-1-ubuntu-20-tlsv1-no-protocols-available

yaml file like this:

hub:
  extraEnv:
    OPENSSL_CONF: '/data/tls1.cnf'
  
  extraVolumes:
    - name: openssl-1
      hostPath:
        path: /data/tls1.cnf

  extraVolumeMounts:
    - name: openssl-1
      mountPath: /data/tls1.cnf

put the “tls1.cnf” into k8s node

in my case sloved, hope helpful.

2reactions
1kastnercommented, Mar 28, 2021

I am not sure who to include into this discussion who has deeper insights into the specifica of ldap3 and their underlying libraries. This ldapauthenticator library is only scratching at the surface. Only little configuration is offered to the users.

I have heard of people who took another path: They used the default authenticator of JupyterHub and they configured the Linux login procedure in a way that it used LDAP for authentication. You could google ldap pam authentication linux and then check which of the solutions might be applicable in your case. That would be an option of how to bypass this problem.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Python ldap3 - LDAPStartTLSError: startTLS failed - unavailable
I want to use ldap3 with python 3.9 to connect and update my password from MS AD. server = Server('my_server') conn = Connection(server, ......
Read more >
Exceptions — ldap3 2.9.1 documentation - Read the Docs
The ldap3 exceptions hierarchy includes a LDAPException root class with two main branches: LDAPExceptionError and LDAPExceptionResult. The LDAPExceptionError ...
Read more >
ldap3.core.exceptions.LDAPStartTLSError
Hi, JupyterHub version 0.9.x works just fine with this LDAP authentication configuration auth: type: ldap ldap: server: address: ...
Read more >
ldap3.core.exceptions.LDAPStartTLSError: wrap socket error ...
ldap3.core.exceptions.LDAPStartTLSError: wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1123)
Read more >
ldapsearch Fails to Connect With LDAP Server With "TLS ...
Red Hat Enterprise Linux (All Versions) · Lightweight Directory Access Protocol (LDAP) · ldapsearch command · Transport Layer Security (TLS) ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found