use_ssl set to False, cannot connect to ldap server with plaintext #231

Open
fansongfs opened this issue Feb 21, 2024 · 4 comments

Bug description

With this configuration:

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.lookup_dn = False
c.LDAPAuthenticator.use_ssl = False
c.LDAPAuthenticator.server_address = 'localhost'

I expect JupyterHub to authenticate the user with the LDAP server through plaintext communication, but it gets
ldap3.core.exceptions.LDAPStartTLSError: startTLS failed - protocolError.

How to reproduce

  1. Set up sldap and JupyterHub on the same server
  2. Configure JupyterHub to use LDAPAuthenticator with use_ssl = False

Expected behaviour

Authentication works

Actual behaviour

Gets the exception ldap3.core.exceptions.LDAPStartTLSError: startTLS failed - protocolError.

Your personal set up

I checked the source code; it seems the following lines of code (lines 307~309) are causing the issue:

auto_bind = (
    ldap3.AUTO_BIND_NO_TLS if self.use_ssl else ldap3.AUTO_BIND_TLS_BEFORE_BIND
)

When I use ldap3.AUTO_BIND_NO_TLS if use_ssl is false, the binding works.

Does LDAPAuthenticator support plaintext communication?

  • OS: Ubuntu 22.04
  • Version(s): jupyterhub 4.0.2
fansongfs added the bug label Feb 21, 2024

welcome bot commented Feb 21, 2024

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉


wsuzume commented Jun 3, 2024

I encountered the same problem and was able to resolve it using the same method.
Thank you very much @fansongfs !

I'm using docker and the details are as follows.

Host: RHEL8
Docker: 26.1.3
Image: jupyterhub/jupyterhub:4.1.5
Python: 3.10.12

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'our-ldap-server.com'
c.LDAPAuthenticator.server_port = 389
c.LDAPAuthenticator.bind_dn_template = ['uid={username},ou=people,o=our-company,c=jp']
c.LDAPAuthenticator.lookup_dn = False
c.LDAPAuthenticator.use_ssl = False

The patch I applied is as follows.

307         auto_bind = (
308             ldap3.AUTO_BIND_NO_TLS if self.use_ssl is False else ldap3.AUTO_BIND_TLS_BEFORE_BIND
309         )


wsuzume commented Jun 3, 2024

When I tried to create a pull request with this patch, it resulted in errors during tests from Python 3.7 to 3.11.

Applying the changes proposed in pull request #216 and specifying use_tls=False might be a more fundamental solution.


wsuzume commented Jun 3, 2024

Applying #216, that is, cloning and installing from https://github.com/loic-vial/ldapauthenticator and specifying use_tls=False instead of use_ssl=False resolved this issue.

Therefore, I believe this issue will be resolved in the next scheduled release.
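
Added example (not code from this issue or from ldapauthenticator): a small audit of the settings discussed in this thread, showing which transport the quoted lines 307~309 select and when the reporter's NO_TLS change would send the bind password unencrypted to a non-loopback server. The string constants, the function names and the default for an unset use_ssl are assumptions; use_ssl = True is taken to mean LDAPS.

```python
import ast
import re

# Local stand-ins named after the two ldap3 constants quoted in the thread.
AUTO_BIND_NO_TLS = "NO_TLS"
AUTO_BIND_TLS_BEFORE_BIND = "TLS_BEFORE_BIND"
SETTING = re.compile(r"^\s*c\.LDAPAuthenticator\.(\w+)\s*=\s*(.+?)\s*$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: settings taken from the second comment in the thread.
SAMPLE_CONFIG = """
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'our-ldap-server.com'
c.LDAPAuthenticator.server_port = 389
c.LDAPAuthenticator.lookup_dn = False
c.LDAPAuthenticator.use_ssl = False
"""

def parse_settings(config_text):
    """Collect literal c.LDAPAuthenticator.<name> = <value> assignments."""
    settings = {}
    for line in config_text.splitlines():
        match = SETTING.match(line)
        if match:
            try:
                settings[match.group(1)] = ast.literal_eval(match.group(2))
            except (ValueError, SyntaxError):
                pass  # non-literal value: skip it rather than guess
    return settings

def bind_transport(settings, no_tls_patch=False):
    """Return (auto_bind, transport) as chosen by the quoted lines 307~309.
    no_tls_patch=True models the reporter's change (NO_TLS when use_ssl is False)."""
    if settings.get("use_ssl", False):  # default when unset is an assumption
        return AUTO_BIND_NO_TLS, "ldaps"  # TLS already wraps the connection
    if no_tls_patch:
        return AUTO_BIND_NO_TLS, "plaintext"  # bind password sent unencrypted
    return AUTO_BIND_TLS_BEFORE_BIND, "starttls"  # upgrade first, then bind

def audit(config_text, no_tls_patch=False):
    """Report the transport and whether a cleartext bind would leave the host."""
    settings = parse_settings(config_text)
    _, transport = bind_transport(settings, no_tls_patch)
    host = settings.get("server_address", "")
    off_host = transport == "plaintext" and host not in LOOPBACK
    return {"host": host, "transport": transport, "cleartext_off_host": off_host}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
    print(audit(SAMPLE_CONFIG, no_tls_patch=True))
```

With the unmodified selection, use_ssl = False still protects the bind through StartTLS, which is why a server without StartTLS support answers with the LDAPStartTLSError reported above.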
