
Active Directory user matching issue #118

Closed
tdq132 opened this issue Mar 27, 2019 · 4 comments

Comments

@tdq132

tdq132 commented Mar 27, 2019

Hi,

I have been able to successfully authenticate some users in JupyterHub against our Active Directory.

I am encountering an issue authenticating users who have multiple AD accounts with similar names.

For example, I have 3 AD accounts - tom, la-tom, and do-tom. It seems like the authentication plugin is doing a fuzzy match on the entered username and not an exact match.

When I attempt to log in using tom, the authentication plugin fails, stating the password is incorrect. But I am able to successfully log in using la-tom and do-tom, as these are specific enough to avoid the fuzzy match picking up any other account.

The current configuration looks like this (based on #54):

import os
import subprocess

from ldapauthenticator import LDAPAuthenticator

# Directory containing this jupyterhub_config.py (and the add_user.sh helper)
config_dir = os.path.dirname(os.path.abspath(__file__))


class MyAuthenticator(LDAPAuthenticator):
    def add_user(self, user):
        # Let the Hub register the user, then run a local provisioning script
        super().add_user(user)
        script_path = os.path.join(config_dir, "add_user.sh")
        subprocess.check_call(['bash', script_path, user.name])


# `c` is the traitlets config object JupyterHub injects into jupyterhub_config.py
c.JupyterHub.authenticator_class = MyAuthenticator

c.MyAuthenticator.server_address = '192.168.152.13'
c.MyAuthenticator.bind_dn_template = '{username}'
c.MyAuthenticator.lookup_dn = True
c.MyAuthenticator.use_ssl = False
c.MyAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.MyAuthenticator.lookup_dn_search_user = 'svc-xxxxxxx'
c.MyAuthenticator.lookup_dn_search_password = 'xxxxxxx'
c.MyAuthenticator.user_attribute = 'sAMAccountName'
c.MyAuthenticator.user_search_base = 'DC=xxxx-xxxx,DC=co,DC=nz'
c.MyAuthenticator.lookup_dn_user_dn_attribute = 'cn'

Error message logged:
[W 2019-03-27 15:08:15.541 JupyterHub ldapauthenticator:379] Invalid password for user tom

Appreciate any help that could be provided!

Thank you

@dhirschfeld

Are you sure user_search_base = 'DC=xxxx-xxxx,DC=co,DC=nz' is correct for all your different samids?

@dhirschfeld

You can see the full Distinguished Name (DN) for each samid using

dsquery user -samid tom
dsquery user -samid la-tom
dsquery user -samid do-tom

e.g.

> dsquery user -samid dhirschfeld
"CN=David Hirschfeld,OU=XXXX,OU=YYYY,DC=ZZZZ,DC=com"

@dhirschfeld

Your bind_dn_template looks suspicious:

c.MyAuthenticator.bind_dn_template = '{username}'

Your username (samid) isn't a DN - e.g. in the example I gave above my bind_dn_template would be:

c.MyAuthenticator.bind_dn_template = "CN={username},OU=XXXX,OU=YYYY,DC=ZZZZ,DC=com"

I log in with my samid (dhirschfeld) and, because lookup_dn = True, my CN (lookup_dn_user_dn_attribute = 'cn') will be looked up in Active Directory and substituted for the variable username.

I hope that makes sense and helps you sort out the configuration!

@tdq132

tdq132 commented Mar 27, 2019

Hi Dave,

Thanks for the response!

I managed to get it working by updating the bind_dn_template to include the required DN text for each OU the end-users belong to:

c.MyAuthenticator.bind_dn_template = [
    'CN={username},OU=Users,OU=Corporate,DC=xxxx-xxxx,DC=co,DC=nz',
    'CN={username},OU=Users,OU=Retail,DC=xxxx-xxxx,DC=co,DC=nz',
    'CN={username},OU=User Accounts,OU=Restricted,DC=xxxx-xxxx,DC=co,DC=nz',
]

I left user_search_base at the higher DC level as it would only let me specify a single string (unlike bind_dn_template, where we can have multiple). This seems to be the only way to allow users from the 3 different OUs to sign in:
c.MyAuthenticator.user_search_base = 'DC=xxxx-xxxx,DC=co,DC=nz'

Thanks again for your help!
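To make the resolution path in this thread concrete (lookup by sAMAccountName, then substitution of the looked-up cn into each bind_dn_template), here is an added stand-alone example that is not part of the ldapauthenticator project or of anyone's comment above. The directory entries are constructed placeholders, and the escaping helpers are my own RFC 4515/4514 implementations so that a login name can never alter the search filter or the DN it is inserted into.

```python
import re

# Constructed stand-in for the three AD accounts in the issue (not a real directory):
# sAMAccountName -> (cn, full DN). Names and DCs are placeholders.
DIRECTORY = {
    "tom":    ("Tom Example",      "CN=Tom Example,OU=Users,OU=Corporate,DC=xxxx-xxxx,DC=co,DC=nz"),
    "la-tom": ("Tom Example (LA)", "CN=Tom Example (LA),OU=Users,OU=Retail,DC=xxxx-xxxx,DC=co,DC=nz"),
    "do-tom": ("Tom Example (DO)", "CN=Tom Example (DO),OU=User Accounts,OU=Restricted,DC=xxxx-xxxx,DC=co,DC=nz"),
}

# The per-OU templates from the final comment in the thread
BIND_DN_TEMPLATES = [
    "CN={username},OU=Users,OU=Corporate,DC=xxxx-xxxx,DC=co,DC=nz",
    "CN={username},OU=Users,OU=Retail,DC=xxxx-xxxx,DC=co,DC=nz",
    "CN={username},OU=User Accounts,OU=Restricted,DC=xxxx-xxxx,DC=co,DC=nz",
]

def escape_filter_value(value: str) -> str:
    """RFC 4515: hex-escape the characters that would change a search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def escape_dn_value(value: str) -> str:
    """RFC 4514: escape characters that would change the structure of a DN."""
    value = re.sub(r'[\\,+"<>;=]', lambda m: "\\" + m.group(), value)
    if value.startswith(("#", " ")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def lookup_filter(login_attr: str, login: str) -> str:
    """The '({login_attr}={login})' filter from the config, with the login escaped."""
    return "(%s=%s)" % (login_attr, escape_filter_value(login))

def lookup_cn(login: str):
    """Exact match on sAMAccountName (case-insensitive, as AD treats it); None if absent."""
    hit = DIRECTORY.get(login.lower())
    return hit[0] if hit else None

def candidate_bind_dns(cn: str, templates) -> list:
    """Substitute the looked-up cn into every template, escaping it for DN use."""
    return [t.format(username=escape_dn_value(cn)) for t in templates]

def resolve_bind_dn(login: str, templates=BIND_DN_TEMPLATES):
    """Return the first candidate DN that exists in the directory, else None."""
    cn = lookup_cn(login)
    if cn is None:
        return None
    known = {dn for _, dn in DIRECTORY.values()}
    return next((dn for dn in candidate_bind_dns(cn, templates) if dn in known), None)
```

With the original single template '{username}', candidate_bind_dns yields the bare cn, which is not a DN present in the directory, so resolve_bind_dn returns None for every account; with the per-OU list each sAMAccountName resolves to exactly one DN.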

@tdq132 tdq132 closed this as completed Mar 27, 2019