User CN name lookup with specific query #32
+1 for this PR |
@@ -161,7 +249,7 @@ def getConnection(userdn, username, password): | |||
username=username, | |||
userdn=userdn | |||
)) | |||
conn = ldap3.Connection(server, user=userdn, password=password) | |||
conn = ldap3.Connection(server, user=escape_filter_chars(userdn), password=password) |
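Review bot: In the ldap3.Connection(...) call, user=escape_filter_chars(userdn) applies search-filter escaping to a bind DN, which is the wrong encoding for that parameter. escape_filter_chars rewrites characters such as \, *, ( and ) into hex escapes meant for a filter string, so a userdn containing any of them reaches the server as a different name and the bind can fail. Suggest passing user=userdn unchanged, as the earlier line did, and keeping escape_filter_chars for values that are interpolated into search filters.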
Escaping filter chars from userdn can make the valid userdn invalid, e.g. escaping "(" or ")" which are valid characters for this parameter.
Actually I had a problem with ldap3.Connection() for non-escaped '(' and ')'. At least for Active Directory - I don't know how it would work for other implementations.
In my case ldap3.Connection().bind() failed with an error message claiming that authentication failed when the user parameter had '(' or ')' in it.
Fascinating. For us it was the inverse - we had to remove the escaping because the escaped parentheses caused problems. We're using AD, too.
According to https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx '(' and ')' do not belong to the characters to be escaped.
For us it requires to be without the "escape_filter_chars()" function. We have usernames that have a dash in them, like foo-bar. Does not work with the escape wrapper, but does work without it.
Other than my comment regarding "escape_filter_char": +1 Thanks @mateuszboryn, this was very helpful for our project. |
Thanks for this pull request! It allowed me to make this plugin work with our Active Directory server.
It would be nice to have this merged. |
Worked for us as well, please merge this (without the escape_filter_chars() part). |
I'm going to add a new parameter that controls escape_filter_chars(). I think this will be a quick solution. |
Escaping userdn fixed. Now there is an option that enables escaping. This new option defaults to False. |
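The filter-versus-DN escaping question discussed in the review comments above, as an added example that is not part of this PR or the project's code: it implements RFC 4515 filter-value escaping and RFC 4514 DN-value escaping side by side and shows that running a DN through filter escaping produces a different string. The helper names, the `sAMAccountName` filter and all sample values are assumptions constructed for illustration.

```python
# Added example: LDAP filter escaping (RFC 4515) vs DN escaping (RFC 4514).
# Helper names, the sAMAccountName filter and all sample values are constructed.

FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
DN_SPECIALS = set('"+,;<>\\')


def escape_filter_value(value):
    """Escape a value placed inside a search filter assertion (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape an attribute value placed inside a distinguished name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(cn, base_dn):
    """Build a bind DN; only the CN value is escaped, with DN rules."""
    return "CN={},{}".format(escape_dn_value(cn), base_dn)


def build_lookup_filter(username):
    """Build a search filter; the username is escaped with filter rules."""
    return "(sAMAccountName={})".format(escape_filter_value(username))


if __name__ == "__main__":
    dn = build_bind_dn("Doe, Jane (Ops)", "OU=Staff,DC=example,DC=com")
    print("bind DN:            ", dn)
    # Filter escaping applied to the DN yields a different string.
    print("filter-escaped DN:  ", escape_filter_value(dn))
    print("lookup filter:      ", build_lookup_filter("j(doe)*"))
```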
will this be added to the main repo? looks like a solid idea/improvement. |
@mateuszboryn, I thought I could just use |
I tried using the updated "ldapauthenticator.py" file (https://raw.githubusercontent.com/mateuszboryn/ldapauthenticator/ebbdfdbeaa199b08ebd00ac31c6904969080411d/ldapauthenticator/ldapauthenticator.py). But I am unable to connect to AD. Configuration details: c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator' It fails with : From the same server, I am able to fetch the list of users with Is there anything wrong in the configuration? |
OK. It's working with the below configuration: c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator' When will the changes be merged into the master branch? But I need to manually create the user on the local system. If it's not there then it fails with :
Any suggestion? |
@mateuszboryn thanks for this PR it's exactly what I needed. I can verify that I got this working as expected. @pbandark I used a combination of the changes proposed in this PR and those in PR#36. Combining them I was able to get both LDAP and the local user creation working. |
Thanks! Sorry for the delays on this repo. |
@beenje - did you get it to work by using something like realmd to automatically create user accounts on the Linux system? I am kind of at a loss as to why one would even use this plugin otherwise, since PR #36 wasn't accepted and it is recommended to use something like realmd to link up SSSD with the LDAP directory. It would be helpful to explain this clearly in the documentation, especially once this PR is released; explicit instructions for setting up Active Directory would also be handy for many I believe. Edit: I just saw there is some explanation of AD on the README, but it was just added today (sorry I missed it!) |
@ixxie I currently use my own fork: beenje@0c0583e Now that this was merged, I might try to submit a pull request. |
User CN name lookup with specific query and (non)anonymous ActiveDirectory search account.