add option to check allowed_groups
with the configured ldap search user
#207
Summary
This pull request adds the boolean option use_search_user_to_check_groups, which allows switching the ldap user that is used to verify the membership of the user being authenticated in the allowed_groups. Its default value is False so that the behavior of the ldap authenticator is not changed. Thus, if use_search_user_to_check_groups is:
- False: the user being authenticated is used to check if she/he is a member of one of the allowed_groups (current behavior)
- True: the configured search user is used to check if the user being authenticated is a member of one of the allowed_groups
This PR addresses #183.
Addressed Behavior
The plugin uses a so-called search user to look up the dn of the user to be authenticated. By doing so, one connection is established to the ldap server. The authentication is done using an ldap bind, which creates another connection to the server. Thus two connections to the ldap server are established with two different users: the search user and the user being authenticated.
Current Behavior
All subsequent ldap searches are performed with the connection of the authenticated user and not with the connection of the configured search user. Thus, the ldap query to check the allowed_groups is performed with the authenticated user instead of the search user.
Behavior with this PR
As the default value of the option use_search_user_to_check_groups is False, the current behavior is not changed. If set to True, the connection of the search user is used to check the allowed_groups for the user being authenticated.
Background
Our organization follows a consistent security approach where ldap groups are used for authorization by member check. But there is no need for the groups themselves to be accessible by the members. The users just don't have the permission to look up the ldap groups. In such a setting only the configured ldap search user has such permissions.
Outline of Changes
- use_search_user_to_check_groups
- connection to method signature of resolve_username
- resolve_username into method authenticate, to have the connection object with the search user available in method authenticate
- authenticate, to outline what's going on
- connectIon_user or connection_search, to separate the connections of both users
Unfortunately I am not an ldap admin and couldn't provide an ldap server setup with such permissions set on an ldap test server. Instead, to test the introduced ldap authenticator option, I opted to mock the ldap connection objects and check if they are called appropriately.
I can confirm that it works with jupyterhub 2.1.1.
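The two-connection flow described above (search-user lookup of the dn, user bind for the password check, then the allowed_groups query) as an added example; this is not the ldapauthenticator project's code and not the PR's mock tests. The directory entries, the ACL set GROUP_READERS, the FakeConnection class and the names alice, svc-search and cn=jupyter are constructed stand-ins so the example runs offline; a real deployment would hold ldap3 connections in their place. It shows why the default (False) fails in the Background setting, where only the search user may read group entries, and why switching the option to True makes the membership check succeed.

```python
"""Constructed two-connection LDAP login flow with the
use_search_user_to_check_groups switch (added example, not project code)."""

# Constructed directory: DN -> attributes. Group membership lives in the group
# entry's "member" attribute (groupOfNames style).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "uid": "alice", "userPassword": "alice-pw"},
    "uid=svc-search,ou=services,dc=example,dc=org": {
        "uid": "svc-search", "userPassword": "svc-pw"},
    "cn=jupyter,ou=groups,dc=example,dc=org": {
        "member": {"uid=alice,ou=people,dc=example,dc=org"}},
}

# Constructed ACL: only these bind DNs may read entries under ou=groups. This
# models the PR's Background: members cannot look up the groups themselves.
GROUP_READERS = {"uid=svc-search,ou=services,dc=example,dc=org"}

SEARCH_USER_DN = "uid=svc-search,ou=services,dc=example,dc=org"  # assumed config
SEARCH_USER_PW = "svc-pw"
ALLOWED_GROUPS = ["cn=jupyter,ou=groups,dc=example,dc=org"]


class FakeConnection:
    """Stand-in for an ldap3.Connection: a simple bind plus two searches."""

    def __init__(self, bind_dn, password):
        self.bind_dn = bind_dn
        entry = DIRECTORY.get(bind_dn, {})
        self.bound = entry.get("userPassword") == password
        self.searches = []  # (base, filter) pairs, so a test can see who searched

    def find_user_dn(self, username):
        """Search ou=people for the entry whose uid matches the login name."""
        self.searches.append(("ou=people,dc=example,dc=org", f"(uid={username})"))
        for dn, attrs in DIRECTORY.items():
            if dn.endswith("ou=people,dc=example,dc=org") and attrs.get("uid") == username:
                return dn
        return None

    def is_member(self, group_dn, user_dn):
        """Search the group entry for user_dn. An entry this bind may not read
        yields no match, which is how an ACL-restricted server answers."""
        self.searches.append((group_dn, f"(member={user_dn})"))
        if self.bind_dn not in GROUP_READERS:
            return False
        return user_dn in DIRECTORY.get(group_dn, {}).get("member", set())


def authenticate(username, password, allowed_groups=ALLOWED_GROUPS,
                 use_search_user_to_check_groups=False):
    """Return the username on success, None on failure (mirrors the PR's flow)."""
    # Connection 1: the configured search user resolves the login name to a DN.
    connection_search = FakeConnection(SEARCH_USER_DN, SEARCH_USER_PW)
    if not connection_search.bound:
        return None
    user_dn = connection_search.find_user_dn(username)
    if user_dn is None:
        return None
    # Connection 2: the user's own bind is the actual password check.
    connection_user = FakeConnection(user_dn, password)
    if not connection_user.bound:
        return None
    # The PR's option decides which of the two connections runs the group query.
    conn = connection_search if use_search_user_to_check_groups else connection_user
    if any(conn.is_member(group_dn, user_dn) for group_dn in allowed_groups):
        return username
    return None


if __name__ == "__main__":
    # Default: alice's own bind cannot read the group, so login is refused.
    print(authenticate("alice", "alice-pw"))  # None
    # With the option set, the search user performs the check and alice logs in.
    print(authenticate("alice", "alice-pw", use_search_user_to_check_groups=True))  # alice
```

The point to carry into a real deployment: with the default the group query silently returns no entries for a member whose bind lacks read rights on the group, which is indistinguishable from "not a member", so the failure shows up as a refused login rather than as an LDAP error.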