Jupyterhub with Active Directory & Shared Folder

[ixxie]

Having read through issues #32 and #36, I set out to try hook the LDAPAuthenticator into realmd and SSSD in order to allow Active Directory users to authenticate on Jupyterhub on a CentOS 7 machine, automatically adding missing users; so far this seems to work! As a bonus, I configured a shared directory between the users, to allow them to share notebooks.

@minrk helped me enormously, most of the ideas here came from him.

Perhaps some of this should be included in the README or elsewhere in the documentation?

Jupyterhub Config

The jupyterhub_config.py should include the following:

import os, sys, subprocess                                            
config_dir = os.path.dirname(os.path.abspath(__file__)) 

# Extend the LDAPAuthenticator with a custom add_user method
# add_user.sh should be in the same directory as jupyterhub_config.py
# (mostly by @minrk)

from ldapauthenticator import LDAPAuthenticator 
class MyAuthenticator(LDAPAuthenticator):      
    def add_user(self, user):             
	super().add_user(user)
        script_path = os.path.join(config_dir, "add_user.sh")      
        subprocess.check_call(['bash', script_path, user.name])
                                  
# Use the custom authenticator; no quotes!
c.JupyterHub.authenticator_class = MyAuthenticator            

# see issue #32
# you can also use c.LDAPAuthenticator for all of these (matter of style)

c.MyAuthenticator.server_address = 'myadserver'                   
c.MyAuthenticator.bind_dn_template = '{username}'         
c.MyAuthenticator.lookup_dn = True          
c.MyAuthenticator.use_ssl = False                
c.MyAuthenticator.lookup_dn_search_filter = '({login_attr}={login})'
c.MyAuthenticator.lookup_dn_search_user = 'ldapsearchuser'          
c.MyAuthenticator.lookup_dn_search_password = 'ldapsearchpassword'  
c.MyAuthenticator.user_attribute = 'sAMAccountName'             
c.MyAuthenticator.user_search_base = 'ou=Org users,dc=domainorg,dc=local' 
c.MyAuthenticator.lookup_dn_user_dn_attribute = 'cn'
c.MyAuthenticator.admin_users = {'adminuser'}          
          
c.Spawner.notebook_dir = '~/notebooks'  

Script

In my case, add_user.sh looks like this:

#!/usr/bin/env bash

user=$1  
userhome="/home/ad-domain/${user}"

# add_user should be idempotent, so we test if the user home directory is there
if [ ! -d "${userhome}" ]; then    

     # Use realmd to add the user
     realm permit ${user}                   

     # Create home directory       
     mkdir "${userhome}"              
     chown "${user}:domain users" "${userhome}"   

     # Add user to the sharedfolder group
     usermod -aG sharedfolder ${user}

     # Create notebook directory and symlink the datalab folder into it
     mkdir ${userhome}/notebooks  
     chown ${user}:domain\ users ${userhome}/notebooks -R  

     # Symlink a shared folder into the user notebook directory
     ln -s /home/sharedfolder ${userhome}/notebooks/sharedfolder
fi     

Realmd and SSSD

For this to work you need to set up realmd, a frontend for SSSD. I follow the Red Hat guide for doing this. The only modification I manually made to /etc/sssd/sssd.conf are to set:

use_fully_qualified_names = False
fallback_homedir = /home/ad-domain/%u

The former due to a problem with SSSD accepting the AD username format and the latter because I preferred putting all my AD users in one folder (if you don't want this edit ${userhome} in the script above accordingly).

Sharedfolder

To make the shared folder work as expected, you need to set permissions correctly, set group ownership of the folder to the sharedfolder group, set the setguid bit of the folder on, and make sure new files will have the right permissions. I did this as follows:

# Set ownership to the administrator and sharedfolder group
sudo chown -R folderadmin:sharedfolder /home/sharedfolder

# Set the setguid bit
sudo chmod g+s /home/sharedfolder

# Apply the correct group permissions to the folder
sudo chmod -R g+rwX /home/sharedfolder

# Make sure all new files added to the folder get the right permissions
sudo setfacl -d -m g:sharedfolder:rwX /home/sharedfolder

(I am a little fuzzy about this last bit, so if there are errors here please correct me!)

[dhirschfeld]

Thanks for sharing @ixxie! I've added the reference label so it can be referred to in future but will close this issue now as it's not something which needs fixing.

[asuchit]

Can someone help me that ...

How to get the user home directory from ldap in the script for creating this home directory and give permissions to this home directory ?