attempting AD auth for Airflow

[David Palomino]

Hello, 

I am having trouble implementing AD auth for Airflow, following the directions at https://pythonhosted.org/airflow/security.html#web-authentication.  

My sanitized config looks like this:

[webserver]

authenticate = True

auth_backend = airflow.contrib.auth.backends.ldap_auth

[ldap]

uri = ldaps://ldap.example.com:636

user_filter = objectClass=*

user_name_attr = sAMAccountName

bind_user = MYDOMAIN\binduser

bind_password = XXXXXXX

basedn = "OU=All Users,DC=ad,DC=example,DC=com"

cacert = /etc/ca/ldap_ca.crt

search_scope = SUBTREE

I have also tried "LEVEL" as the search_scope.  In both cases I pass my credentials into the Airflow Auth screen and just get the following back in the airflow webserver log:

[2016-04-25 17:06:07,284] {ldap_auth.py:119} INFO - Cannot find user myuser

I know that I am binding successfully to AD, as if I put a bad user/password in the bind info, it gives me a failed to bind message.  Is there a way to force any more detailed logging?  

In the past when configuring auth for Apache web servers using the same AD infrastructure I have successfully used this dn:

OU=All Users,DC=ad,DC=example,DC=com?sAMAccountName?sub?(objectclass=*)

Any pointers?  

Thank you!

[Chris Riccomini]

Hey David,

Unfortunately, I think you're going to have to get your hands dirty with some code to figure this out. We are currently running Airflow with AD enabled, but it took some effort. The debugging messages for the code are insufficient, so we did two things to figure out how to get it to work:

1. Add more debugging locally to dump various structures returned from AD.

2. Experiment via the REPL (Python CLI) by importing the Airflow AD package, manually connecting, and executing various params until we found the one that worked.

I'd also recommend looking at the LDAP code in Airflow. It's not very complicated, and may help shed some light. Sorry I can't be more helpful.

Cheers,

Chris

[David Palomino]

Thanks Chris!  We dug into it a bit and found the problem was the quotes around the basedn value.  I assumed they would be needed since there is a space in there, but apparently not.