ldapauthenticator: ldap3.core.exceptions.LDAPStartTLSError: automatic start_tls befored bind not successful

Bug description

A JupyterHub configuration that has worked in the past stopped working after I pulled the newest library versions.

Expected behaviour

My previous configuration continues to work.

Actual behaviour

LDAP login leads to the exception ldap3.core.exceptions.LDAPStartTLSError: automatic start_tls befored bind not successful with the following stacktrace:

[E 2020-08-10 16:12:04.735 JupyterHub web:1670] Uncaught exception POST /hub/login?next= (134.28.117.8)
    HTTPServerRequest(protocol='http', host='XXXX', method='POST', uri='/hub/login?next=', version='HTTP/1.1', remote_ip='134.28.117.8')
    Traceback (most recent call last):
      File "/opt/conda/lib/python3.6/site-packages/tornado/web.py", line 1592, in _execute
        result = yield result
      File "/opt/conda/lib/python3.6/site-packages/jupyterhub/handlers/login.py", line 81, in post
        user = await self.login_user(data)
      File "/opt/conda/lib/python3.6/site-packages/jupyterhub/handlers/base.py", line 473, in login_user
        authenticated = await self.authenticate(data)
      File "/opt/conda/lib/python3.6/site-packages/jupyterhub/auth.py", line 257, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/opt/conda/lib/python3.6/types.py", line 248, in wrapped
        coro = func(*args, **kwargs)
      File "/opt/conda/lib/python3.6/site-packages/ldapauthenticator/ldapauthenticator.py", line 382, in authenticate
        conn = self.get_connection(userdn, password)
      File "/opt/conda/lib/python3.6/site-packages/ldapauthenticator/ldapauthenticator.py", line 315, in get_connection
        server, user=userdn, password=password, auto_bind=auto_bind
      File "/opt/conda/lib/python3.6/site-packages/ldap3/core/connection.py", line 356, in __init__
        self._do_auto_bind()
      File "/opt/conda/lib/python3.6/site-packages/ldap3/core/connection.py", line 391, in _do_auto_bind
        raise LDAPStartTLSError(error)
    ldap3.core.exceptions.LDAPStartTLSError: automatic start_tls befored bind not successful

How to reproduce

I used the simple config lines:

c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = 'ldaps://XXX'
c.LDAPAuthenticator.bind_dn_template = [
    "uid={username},ou=people,dc=XXX,dc=de"
]
c.LDAPAuthenticator.use_ssl = True

Your personal set up

  • OS: Ubuntu
  • Version: latest

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 28 (19 by maintainers)

Most upvoted comments

I’ve just released https://pypi.org/project/jupyterhub-ldapauthenticator/1.3.1/ with @1kastner’s PR to limit the version of ldap3. Hopefully we’ll have a proper fix soon.

I’ll try redeploying my JupyterHub and pinning the ldap3 lib to version 2.7 to see if it works. Thanks for the analysis.

Pinning ldap3 to 2.7 in the Python environment where the JupyterHub is started did the trick for me.

Hi, how did you select version 2.7 for ldap3? I mean, in which part did you specify the version to use? Thanks for your help.

It pretty much depends on how you run the JupyterHub. You don’t even need to store it somewhere but instead just install the older ldap3 version manually where it is needed.

If you use Docker, you could, for example, take this JupyterHub Dockerfile and use pip to install the right version (see here for how to fix a version).

FROM jupyterhub/jupyterhub:0.9.4

ADD jupyterhub_config.py /srv/jupyterhub/jupyterhub_config.py

RUN pip install dockerspawner jupyterhub-ldapauthenticator ldap3==2.7

Thanks for the insight, I was able to use version 2.7 for ldap3.