ldapauthenticator: ldap3.core.exceptions.LDAPStartTLSError

Bug description

LDAP authentication works just fine with JupyterHub version 0.9.x and this configuration:

auth:
  type: ldap
  ldap:
    server:
      address: ldap.example.org
    dn:
      templates:
        - 'uid={username},ou=People,dc=example,dc=org'

However, I found that versions 0.10+ of JupyterHub produce the following error in the hub’s pod:

ldap3.core.exceptions.LDAPStartTLSError: ('wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1123)',)

with the equivalent LDAP configuration

hub:
  config:
    JupyterHub:
      authenticator_class: ldapauthenticator.LDAPAuthenticator
    LDAPAuthenticator:
      bind_dn_template:
        - uid={username},ou=People,dc=example,dc=org
      server_address: ldap.example.org

Expected behaviour

Our LDAP server hasn’t changed so we would expect ldapauthenticator version 1.3.2 to work like version 1.3.0.

Actual behaviour

LDAP authentication with ldapauthenticator version 1.3.2 shouldn’t produce the exception above.

How to reproduce

  1. Configure values.yaml with LDAP authentication
  2. Deploy JupyterHub version 0.10 or above
  3. Try to login to JupyterHub after deployment
  4. See error with kubectl logs pod/hub-69fdcf79b7-xr946 | grep -i ldap

Your personal set up

  • OS: Kubernetes cluster deployed with Magnum on OpenStack Train OS: fedora-coreos-32.20200629.3.0

  • Version(s): JupyterHub 0.9 installs ldapauthenticator version 1.3.0 JupyterHub 0.10 installs ldapauthenticator version 1.3.2 JupyterHub 0.11 installs ldapauthenticator version 1.3.2

I am always using zero-to-jupyterhub deployment.

About this issue

  • Original URL
  • State: open
  • Created 3 years ago
  • Comments: 17 (7 by maintainers)

Most upvoted comments

I got the same issue solved by this https://stackoverflow.com/questions/61568215/openssl-v1-1-1-ubuntu-20-tlsv1-no-protocols-available

yaml file like this:

hub:
  extraEnv:
    OPENSSL_CONF: '/data/tls1.cnf'
  
  extraVolumes:
    - name: openssl-1
      hostPath:
        path: /data/tls1.cnf

  extraVolumeMounts:
    - name: openssl-1
      mountPath: /data/tls1.cnf

put the “tls1.cnf” into k8s node

in my case sloved, hope helpful.

+3
M0025 on Jul 30, 2021

I am not sure who to include into this discussion who has deeper insights into the specifica of ldap3 and their underlying libraries. This ldapauthenticator library is only scratching at the surface. Only little configuration is offered to the users.

I have heard of people who took another path: They used the default authenticator of JupyterHub and they configured the Linux login procedure in a way that it used LDAP for authentication. You could google ldap pam authentication linux and then check which of the solutions might be applicable in your case. That would be an option of how to bypass this problem.

+2
1kastner on Mar 28, 2021
Read more comments on GitHub
← kubespawner: kubespawner stopped working after kubernetes upgrade from 1.15 to 1.16
ldapauthenticator: ldap3.core.exceptions.LDAPStartTLSError: automatic start_tls befored bind not successful →