
Add tls_strategy and deprecate use_ssl #258

Merged
merged 4 commits into from
Sep 16, 2024

Conversation

@consideRatio (Member) commented Sep 15, 2024

With tls_strategy we have three choices on how to secure our connection to the LDAP server.

- "on_connect", this is what "use_ssl=True" implied
- "before_bind", this is what "use_ssl=False" implied
- "insecure", this wasn't an option before, but has been requested by users.
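The following is an added example, not ldapauthenticator's own code: it models how the three `tls_strategy` values described above map onto an ldap3-style connection setup (TLS on connect, StartTLS before bind, or plaintext), and how the deprecated `use_ssl` flag is translated into one of them with a deprecation warning. The function names, the `ConnectionPlan` type and the fallback default of `before_bind` are assumptions made for this example.

```python
import warnings
from dataclasses import dataclass

# Added example (not the project's code): the three strategies from the PR.
VALID_STRATEGIES = ("on_connect", "before_bind", "insecure")


@dataclass(frozen=True)
class ConnectionPlan:
    use_ssl: bool    # wrap the socket in TLS as soon as it connects (ldaps)
    start_tls: bool  # issue StartTLS on the plaintext socket before binding
    port: int


def resolve_tls_strategy(tls_strategy=None, use_ssl=None, server_port=None):
    """Translate config into a ConnectionPlan.

    use_ssl is the deprecated flag: True meant "on_connect", False meant
    "before_bind". It is honoured only when tls_strategy is unset, and it
    raises a DeprecationWarning so operators migrate their configuration.
    """
    if tls_strategy is None:
        if use_ssl is None:
            tls_strategy = "before_bind"  # assumed default for this example
        else:
            tls_strategy = "on_connect" if use_ssl else "before_bind"
            warnings.warn(
                f"use_ssl is deprecated, set tls_strategy={tls_strategy!r}",
                DeprecationWarning, stacklevel=2,
            )
    elif use_ssl is not None:
        # Refuse ambiguous config rather than silently preferring one flag.
        raise ValueError("tls_strategy and use_ssl are mutually exclusive")
    if tls_strategy not in VALID_STRATEGIES:
        raise ValueError(f"unknown tls_strategy {tls_strategy!r}")

    # Port defaults follow the transport: 636 for ldaps, 389 otherwise.
    if server_port is None:
        server_port = 636 if tls_strategy == "on_connect" else 389
    return ConnectionPlan(
        use_ssl=(tls_strategy == "on_connect"),
        start_tls=(tls_strategy == "before_bind"),
        port=server_port,
    )


def transport_is_encrypted(plan):
    """False only for "insecure": bind credentials would cross the wire in clear."""
    return plan.use_ssl or plan.start_tls
```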

@consideRatio consideRatio changed the title Add tls_strategy and deprecate use_ssl Add tls_strategy and deprecate use_ssl Sep 15, 2024
@consideRatio (Member Author)

@loic-vial what do you think about this PR? I hope to resolve your issue with an alternative approach, deprecating use_ssl and introducing a config with multiple choices - among them being "insecure", instead of having both use_ssl and use_tls which felt a bit hard to understand.

@@ -58,7 +58,26 @@ async def test_ldap_auth_blank_template(authenticator):

async def test_ldap_auth_ssl(authenticator):
authenticator.use_ssl = True
authenticator.server_port = 636
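Review bot: `test_ldap_auth_ssl` still configures the deprecated `use_ssl = True` rather than the new `tls_strategy = "on_connect"`, so it only exercises the backward-compatibility path; consider adding a sibling test that sets `tls_strategy` directly, and a comment on both tests stating that nothing here asserts TLS is actually negotiated, so a broken `tls_strategy` mapping would still pass.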

Member

Can you add a comment to these two tests saying we're not actually verifying SSL or TLS? for example if someone were to incorrectly modify the tls_strategy logic these tests would still pass.

@consideRatio (Member Author) Sep 15, 2024

Good point! I pushed df38bd1 and df67ba7

@consideRatio (Member Author)

after rebase: f89de63 d6178bc

@loic-vial

Hi @consideRatio ! This seems perfect, nice and clean 😄 I did not test it but I'm pretty sure the "before_bind" option will fit our case :)
I will confirm when I have some time but in the meantime I think it's safe to close my PR in favor of this one which is cleaner

consideRatio and others added 4 commits September 16, 2024 13:38
With `tls_strategy` we have three choices on how to secure our
connection to the LDAP server.

- "on_connect", it is "use_ssl=True" implied
- "before_bind", it is what "use_ssl=False" implied
- "insecure", this wasn't an option before, but has been requested by
  users.
@consideRatio (Member Author) commented Sep 16, 2024

Thank you for the feedback @loic-vial and working towards this in the first place!!

Did a self-review and fixed some docs formatting and added a docstring for get_connection -- going for a self-merge here to keep up the maintenance momentum

@consideRatio consideRatio merged commit 1d9d0d5 into jupyterhub:main Sep 16, 2024
5 of 7 checks passed
@1kastner (Contributor)

Thank you @consideRatio for incorporating these changes!

@ragul-inv commented Oct 8, 2024

Hi,

Below is my JupyterHub config. I have configured it in an AWS EC2 machine using TLJH. I have used the tls_strategy = "insecure".

I am using AWS AD (without TLS). Getting the below error when I tried to log in as an AD user:

```text
python3[3071]:     HTTPServerRequest(protocol='https', host='note.example.org.io', method='POST', uri='/hub/login?next=%2Fhub%2F', version='HTTP/1.1', remote_ip='223.185.24.125') Traceback (most recent call last):
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/tornado/web.py", line 1790, in _execute  result = await result
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/jupyterhub/handlers/login.py", line 163, in post user = await self.login_user(data)
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/jupyterhub/handlers/base.py", line 928, in login_user authenticated = await self.authenticate(data)
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/jupyterhub/auth.py", line 493, in get_authenticated_user  authenticated = await maybe_future(self.authenticate(handler, data))
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/ldapauthenticator/ldapauthenticator.py", line 361, in authenticate username, resolved_dn = self.resolve_username(username)
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/ldapauthenticator/ldapauthenticator.py", line 236, in resolve_username conn = self.get_connection(
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/ldapauthenticator/ldapauthenticator.py", line 314, in get_connection  conn = ldap3.Connection(
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/ldap3/core/connection.py", line 363, in __init__  self._do_auto_bind()
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/ldap3/core/connection.py", line 391, in _do_auto_bind
if self.start_tls(read_server_info=False):
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/ldap3/core/connection.py", line 1314, in start_tls
if self.server.tls.start_tls(self) and self.strategy.sync:  # for asynchronous connections _start_tls is run by the strategy
python3[3071]:       File "/opt/tljh/hub/lib/python3.12/site-packages/ldap3/core/tls.py", line 277, in start_tls
raise LDAPStartTLSError(connection.last_error)
python3[3071]:     ldap3.core.exceptions.LDAPStartTLSError: startTLS failed - unavailable
```

config.yaml:

```yaml
users:
  admin:
    - admin
auth:
  type: ldapauthenticator.LDAPAuthenticator
  LDAPAuthenticator:
    server_address: ldap://example.org.io
    bind_dn_template: uid={username},ou=Users,ou=example,dc=example,dc=org,dc=io
    lookup_dn_search_filter: ({login_attr}={login})
    lookup_dn_search_user: CN=admin,OU=Users,OU=example,DC=example,DC=org,DC=io
    lookup_dn_search_password: adminRFs1!
    lookup_dn: true
    server_port: 389
    tls_strategy: insecure
https:
  enabled: true
  letsencrypt:
    email: [email protected]
    domains:
      - note.example.org.io
```

Am I missing anything?

Thanks

@consideRatio (Member Author)

I think it could be a failure where the tljh config isn't propagating that properly, can you try to configure this not using tljh's custom config, but instead using jupyterhub config directly? I'm on mobile and can't search and link you a documentation reference :/
