
ldap3.core.exceptions.LDAPStartTLSError #194

Open
sebastian-luna-valero opened this issue Feb 15, 2021 · 17 comments
Comments

@sebastian-luna-valero

Bug description

LDAP authentication works just fine with JupyterHub version 0.9.x and this configuration:

auth:
  type: ldap
  ldap:
    server:
      address: ldap.example.org
    dn:
      templates:
        - 'uid={username},ou=People,dc=example,dc=org'

However, I found that versions 0.10+ of JupyterHub produce the following error in the hub’s pod:

ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1123)',)

with the equivalent LDAP configuration

hub:
  config:
    JupyterHub:
      authenticator_class: ldapauthenticator.LDAPAuthenticator
    LDAPAuthenticator:
      bind_dn_template:
        - uid={username},ou=People,dc=example,dc=org
      server_address: ldap.example.org

Expected behaviour

Our LDAP server hasn't changed so we would expect ldapauthenticator version 1.3.2 to work like version 1.3.0.

Actual behaviour

LDAP authentication with ldapauthenticator version 1.3.2 shouldn't produce the exception above.

How to reproduce

  1. Configure values.yaml with LDAP authentication
  2. Deploy JupyterHub version 0.10 or above
  3. Try to login to JupyterHub after deployment
  4. See error with kubectl logs pod/hub-69fdcf79b7-xr946 | grep -i ldap

Your personal set up

  • OS:
    Kubernetes cluster deployed with Magnum on OpenStack Train
    OS: fedora-coreos-32.20200629.3.0

  • Version(s):
    JupyterHub 0.9 installs ldapauthenticator version 1.3.0
    JupyterHub 0.10 installs ldapauthenticator version 1.3.2
    JupyterHub 0.11 installs ldapauthenticator version 1.3.2

I am always using zero-to-jupyterhub deployment.

@meeseeksmachine

This issue has been mentioned on Jupyter Community Forum. There might be relevant details there:

https://discourse.jupyter.org/t/ldap3-core-exceptions-ldapstarttlserror/7935/3

@1kastner
Contributor

@sebastian-luna-valero could you also report the installed versions of the ldap3 module for each JupyterHub version?

@sebastian-luna-valero
Author

@1kastner sorry, could you please provide steps to get that info?

@1kastner
Contributor

@sebastian-luna-valero You need to launch the very same Python the JupyterHub is running with. Then you can simply import the library and check its version number. Just the first Google hit: https://stackoverflow.com/questions/20180543/how-to-check-version-of-python-modules

@sebastian-luna-valero
Author

Thanks. I am deploying JupyterHub on kubernetes, how can I check it in that case?

@1kastner
Contributor

Please check that yourself, I have no access to a kubernetes setup.

@sebastian-luna-valero
Author

Hi,

I think these are the answers:

  • JupyterHub 0.9.1 ships ldap3 version 2.7
  • JupyterHub 0.10.6 ships ldap3 version 2.8.1
  • JupyterHub 0.11.1 ships ldap3 version 2.8.1

For future reference, here are the commands to check:

# log into the hub pod (the "--" separates kubectl flags from the command run in the container)
kubectl exec -it pod/hub-69fdcf79b7-xr946 -- /bin/bash

# check ldap3 version
cat /usr/local/lib/python3.8/dist-packages/ldap3/version.py

I hope that helps.

Best regards,
Sebastian

@1kastner
Contributor

Maybe you can have a look at #186 which looks very similar. Check whether your ldap server uses SSL or START_TLS. Maybe you can just play with use_ssl: true?

@sebastian-luna-valero
Author

Hi,

Our LDAP server uses START_TLS and when I add use_ssl: true with JupyterHub-0.11.1, ldapauthenticator-1.3.2, ldap3-2.8.1:

hub:
  config:
    JupyterHub:
      authenticator_class: ldapauthenticator.LDAPAuthenticator
    LDAPAuthenticator:
      bind_dn_template:
        - uid={username},ou=People,dc=example,dc=org
      server_address: ldap.example.org #or ldaps://ldap.example.org
      use_ssl: true

I get:

ldap3.core.exceptions.LDAPSocketOpenError: socket connection error while opening: [Errno 111] Connection refused

On the other hand, adding use_ssl: true to the JupyterHub 0.10.6 configuration seems to have no effect so it returns:

ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1123)',)

Best regards,
Sebastian

@1kastner
Contributor

Sorry, then I can't help you. Maybe you can have a look at cannatag/ldap3#855 and the applied changes as described in #186 (comment). It seems like the ldapauthenticator library needs some changes so that it uses the ldap3 library correctly.

@sebastian-luna-valero
Author

Hi,

I tried applying the patch and I got the same exception.

Best regards,
Sebastian

@sebastian-luna-valero
Author

Hi,

I have reported this issue and got feedback here cannatag/ldap3#925 (comment)

Could I ask where is the relevant JupyterHub config to negotiate secure connection with the LDAP server?

I couldn't find an answer in https://zero-to-jupyterhub.readthedocs.io or https://github.com/jupyterhub/ldapauthenticator/blob/master/README.md

Best regards,
Sebastian

@1kastner
Contributor

1kastner commented Mar 4, 2021

Check

def get_connection(self, userdn, password):
    server = ldap3.Server(
        self.server_address, port=self.server_port, use_ssl=self.use_ssl
    )
    # use_ssl=True means LDAPS (TLS from the first byte, no StartTLS);
    # otherwise ldap3 issues the StartTLS extended operation before binding.
    auto_bind = (
        ldap3.AUTO_BIND_NO_TLS if self.use_ssl else ldap3.AUTO_BIND_TLS_BEFORE_BIND
    )
    conn = ldap3.Connection(
        server, user=userdn, password=password, auto_bind=auto_bind
    )
    return conn
and in case also the remaining file. The code is not that complex.

@sebastian-luna-valero
Author

Hi,

Following steps here:

https://ldap3.readthedocs.io/en/latest/tutorial_intro.html#establishing-a-secure-connection

The following commands work on both:

  • JupyterHub-0.9.1, ldap3-2.7, ldapauthenticator-1.3.0, Python-3.6.9, PyOpenSSL-19.1.0, OpenSSL 1.1.1 11 Sep 2018
  • JupyterHub-0.11.1, ldap3-2.8.1, ldapauthenticator-1.3.2, Python-3.8.5, PyOpenSSL-20.0.0, OpenSSL 1.1.1f 31 Mar 2020

import ldap3
server = ldap3.Server('<server>', port=389, use_ssl=True)
conn = ldap3.Connection(server, user='<user>', password='<password>')

print(conn) command returns:

ldaps://<server>389 - ssl - user: <user> - not lazy - unbound - closed - <no socket> - tls not started - not listening - SyncStrategy - internal decoder

Does this help troubleshoot our issue?

Best regards,
Sebastian

@1kastner
Contributor

I am not sure who to include in this discussion who has deeper insights into the specifics of ldap3 and its underlying libraries. This ldapauthenticator library is only scratching the surface. Only a little configuration is offered to the users.

I have heard of people who took another path: They used the default authenticator of JupyterHub and they configured the Linux login procedure in a way that it used LDAP for authentication. You could google ldap pam authentication linux and then check which of the solutions might be applicable in your case. That would be an option of how to bypass this problem.

@meeseeksmachine

This issue has been mentioned on Jupyter Community Forum. There might be relevant details there:

https://discourse.jupyter.org/t/ldap3-core-exceptions-ldapstarttlserror/7935/5

@M0025

M0025 commented Jul 30, 2021

I got the same issue; solved by this: https://stackoverflow.com/questions/61568215/openssl-v1-1-1-ubuntu-20-tlsv1-no-protocols-available

yaml file like this:

hub:
  extraEnv:
    OPENSSL_CONF: '/data/tls1.cnf'
  
  extraVolumes:
    - name: openssl-1
      hostPath:
        path: /data/tls1.cnf

  extraVolumeMounts:
    - name: openssl-1
      mountPath: /data/tls1.cnf

Put the "tls1.cnf" onto the k8s node.

In my case solved, hope helpful.
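The probe below is an added example written for this thread; it is not code from ldapauthenticator, ldap3, or any of the commenters. It does with the standard library what ldap3 does in the non-`use_ssl` branch of the `get_connection` excerpt above (AUTO_BIND_TLS_BEFORE_BIND): send the StartTLS extended operation (RFC 4511, OID 1.3.6.1.4.1.1466.20037) over a plain socket, then upgrade that socket to TLS. Running it from inside the hub pod with two different TLS floors separates "the server refuses StartTLS" (a non-zero LDAP resultCode) from "our OpenSSL policy refuses the server's TLS version or ciphers" (an `ssl.SSLError` after resultCode 0, which is the `SSLV3_ALERT_HANDSHAKE_FAILURE` in the report, and the thing the OPENSSL_CONF workaround in the previous comment changes). `ldap.example.org` is the placeholder host from the report; the LDAP response bytes mentioned in comments are constructed.

```python
"""Raw LDAP StartTLS probe (RFC 4511 ExtendedRequest / ExtendedResponse).

Added example, not ldapauthenticator or ldap3 code.  Encodes the StartTLS
extended request in BER, parses the server's ExtendedResponse, and only then
wraps the socket with ssl, so each failure mode can be told apart.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
LDAP_SUCCESS = 0


def ber_len(n: int) -> bytes:
    """Encode a BER definite length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))      # 0x60|23 constructed; [0] primitive
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext_req)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an LDAP ExtendedResponse.

    Trailing optional fields (referral, responseName [10], responseValue [11]) are ignored.
    """
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body)                       # messageID INTEGER
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:                                    # 0x60|24: ExtendedResponse
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(op)                        # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)            # matchedDN LDAPDN
    _, diag, _ = read_tlv(op, pos)                     # diagnosticMessage LDAPString
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage from a connected socket."""
    head = sock.recv(2)
    if len(head) < 2:
        raise ConnectionError("server closed the connection before answering StartTLS")
    length, extra = head[1], b""
    if length & 0x80:
        extra = sock.recv(length & 0x7F)
        length = int.from_bytes(extra, "big")
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("short read on StartTLS response")
        body += chunk
    return head + extra + body


def probe_starttls(host: str, port: int = 389,
                   min_version=ssl.TLSVersion.TLSv1_2, timeout: float = 5.0):
    """StartTLS then upgrade; return (negotiated TLS version, cipher name)."""
    ctx = ssl.create_default_context()                 # certificate verification stays on
    ctx.minimum_version = min_version                  # the floor under test
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request(1))
        _, code, diag = parse_extended_response(recv_ldap_message(raw))
        if code != LDAP_SUCCESS:
            raise RuntimeError("server refused StartTLS: resultCode=%d %s" % (code, diag))
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.org"   # assumed host
    for floor in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1):
        try:
            print(floor.name, "->", probe_starttls(target, min_version=floor))
        except (OSError, ssl.SSLError, RuntimeError) as exc:
            print(floor.name, "-> failed:", exc)
```

Run it from a shell inside the hub pod so it uses the same Python and OpenSSL build as ldapauthenticator. If the TLSv1_2 floor fails in the handshake but the TLSv1 floor succeeds, the LDAP server only offers legacy TLS, which is exactly what an OPENSSL_CONF that lowers MinProtocol papers over; that setting applies to every TLS connection the hub process makes, so treat it as a stopgap and get the LDAP server's TLS configuration fixed instead.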
