JupyterHub cannot talk to LDAP server


Raymond Xie

Sep 17, 2018, 3:45:08 PM
to jup...@googlegroups.com
Hello all,

JupyterHub does not trust my LDAP certificate. I have an LDAP cert file from the system admin and was advised to use it to communicate with the LDAP server, but the cert is not trusted and JupyterHub throws this error:

Can't contact LDAP server

A similar error is also reported in https://bneijt.nl/blog/post/connecting-to-ldaps-with-self-signed-cert-using-python/, but the solution doesn't work here.

Configuration is as below. I tried three different server_address options, with the same error each time.

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
#c.LDAPAuthenticator.server_address = 'xxx.xxx.xxx.xxx'
#c.LDAPAuthenticator.server_address = 'nydc-dc01.company.pri'
c.LDAPAuthenticator.server_address = 'ldaps://nydc-dc01.company.pri'
c.LDAPAuthenticator.use_ssl = True
c.LDAPAuthenticator.server_port = 636

c.LDAPAuthenticator.bind_dn_template = []
c.LDAPAuthenticator.user_search_base = 'OU=CompanyOU Users,DC=CompanyDC,DC=pri'
c.LDAPAuthenticator.user_attribute = 'sAMAccountName'

c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.lookup_dn_search_user = 'CN=ldapbind2,OU=Company Users (System),DC=CompanyDC,DC=pri'
c.LDAPAuthenticator.lookup_dn_search_password = 'xxxxxxxxxxxxxxxxx'


c.LDAPAuthenticator.allowed_groups = ['CN=wfgo-0081,OU=company Groups,DC=company,DC=pri']


It would be greatly appreciated if anyone can shed some light here.


------------------------------------------------
Sincerely yours,


Raymond

Roland Weber

Sep 18, 2018, 2:11:17 AM
to Project Jupyter
Hello Raymond,

In the link you posted, the author decided to ignore the server certificate. While this is a common "solution" for accepting non-default certificates, it is also insecure.

At a high level, you need to tell the TLS/SSL logic to trust the certificate which the administrator gave you. This can either be done by adding the certificate to the default trust store, or by specifying a custom trust store with that certificate when opening the LDAPS connection. I'd prefer the second approach, because that certificate is only useful for the LDAPS connections.

For the first approach, you'll need to figure out which trust store is being used. If it is the one from the certifi package, you can update it as described here:


For the second approach, this is where the LDAP connection is being opened:

And here's some documentation for configuring TLS with ldap3:

I'm afraid there's a gap here, because the code uses a Connection object, while the documentation talks about a Server object. But maybe someone more familiar with the APIs can provide further guidance.

hope this helps,
  Roland
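A concrete version of the two approaches Roland describes, written as an added example for this thread; it is not code from the thread, from ldapauthenticator or from the ldap3 project. It assumes the administrator's certificate is a PEM file at a path you choose, reuses the server name from Raymond's config as a sample value, and the open_ldaps_connection helper is hypothetical. The sample bundle text is constructed placeholder material for the counting check only, never loaded into a trust store. Whether ldapauthenticator lets you pass these TLS settings through to its Connection depends on the version you run, which this thread leaves open.

```python
import os
import ssl

# Constructed sample: PEM-shaped text used only to show how to inspect a bundle
# before trusting it. The bodies are placeholders, not real certificates, so this
# text is never handed to an SSLContext.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIB...placeholder-root-ca...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...placeholder-issuing-ca...
-----END CERTIFICATE-----
"""


def count_pem_certs(pem_text):
    """Number of certificates in a PEM bundle.

    A quick sanity check on the file the LDAP administrator hands over: 0 means
    it is not PEM (a DER file needs converting first), and a bundle that holds
    only the server's leaf certificate breaks the moment that cert is renewed,
    whereas trusting the issuing CA keeps working.
    """
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def ldaps_ssl_context(ca_file):
    """Approach 2 with the standard library: a trust store that contains only the
    administrator's CA, with certificate verification and hostname checking on.

    Fails loudly if the bundle is missing instead of building an empty trust
    store that later surfaces as a bare "Can't contact LDAP server".
    """
    if not os.path.isfile(ca_file):
        raise FileNotFoundError(ca_file)
    # PROTOCOL_TLS_CLIENT defaults to verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def ldap3_tls_kwargs(ca_file, server_name):
    """The same policy as keyword arguments for ldap3.Tls(...).

    ldap3 takes the trust settings on the Server object, not the Connection:
    Server(host, port=636, use_ssl=True, tls=Tls(**kwargs)). validate turns
    verification on, ca_certs_file points at the admin's CA, and valid_names
    pins the name the server certificate must carry.
    """
    return {
        "validate": ssl.CERT_REQUIRED,
        "ca_certs_file": ca_file,
        "valid_names": [server_name],
    }


def open_ldaps_connection(host, port, bind_dn, password, ca_file):
    """Hypothetical helper (not part of ldapauthenticator): open and bind an LDAPS
    connection that trusts only the admin's CA. Needs the ldap3 package and network
    access, so it is imported here and not exercised by the offline checks.
    """
    import ldap3  # third-party; assumed installed where JupyterHub runs

    tls = ldap3.Tls(**ldap3_tls_kwargs(ca_file, host))
    server = ldap3.Server(host, port=port, use_ssl=True, tls=tls)
    # auto_bind raises on a failed bind or a failed certificate check instead of
    # quietly returning an unbound connection.
    return ldap3.Connection(server, user=bind_dn, password=password, auto_bind=True)


def certifi_bundle_path():
    """Approach 1: where certifi keeps its bundle. Appending the admin's PEM to this
    file makes every certifi-based client trust that CA, and the change is lost on
    the next certifi upgrade, which is why the narrower Tls/SSLContext route above
    is preferable."""
    import certifi  # third-party; present only if something installed it

    return certifi.where()


if __name__ == "__main__":
    # Constructed values: replace with the real host and the path to the admin's CA.
    print("certs in sample bundle:", count_pem_certs(SAMPLE_BUNDLE))
    print(ldap3_tls_kwargs("/etc/ssl/certs/ldap-ca.pem", "nydc-dc01.company.pri"))
```

If verification still fails with the CA loaded, compare the name you connect to against the names in the server certificate: valid_names (or check_hostname in the stdlib context) rejects a cert issued for the FQDN when the config uses the bare IP address.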

Dave Hirschfeld

Sep 18, 2018, 7:02:43 AM
to Project Jupyter