Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/12/01 06:27:34 UTC
[GitHub] [airflow] HwiLu opened a new issue, #28026: webserver login does not work by AD with config `AUTH_LDAP_BIND_USER `,but works with `auth_ldap_bind_user`
HwiLu opened a new issue, #28026:
URL: https://github.com/apache/airflow/issues/28026
### Apache Airflow version
Other Airflow 2 version (please specify below)
### What happened
When I configure `webserver_config.py` with `AUTH_LDAP_BIND_USER` and `AUTH_LDAP_BIND_PASSWORD` as the official documentation shows, logging in to the webserver throws errors like the ones below, but if I configure `auth_ldap_bind_user`, which is lowercase, I can log in to the webserver without error.
The final configuration is below and it works. I have tested this strange phenomenon many times, and it shows that it is true.
```
[2022-11-30 17:51:51,022] {manager.py:994} ERROR - AUTH_LDAP_BIND_USER and AUTH_LDAP_BIND_PASSWORD are not valid LDAP bind credentials
[2022-11-30 17:51:51,023] {manager.py:1201} ERROR - {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563'}
```
```py
# AUTH_OAUTH : Is for OAuth
AUTH_TYPE = AUTH_LDAP
AUTH_ROLE_ADMIN = 'Admin'
AUTH_ROLE_PUBLIC = 'Public'
AUTH_LDAP_SERVER = "ldap://192.168.11.211:389"
AUTH_LDAP_USE_TLS = False
# registration configs
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"
AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
AUTH_LDAP_LASTNAME_FIELD = "sn"
AUTH_LDAP_EMAIL_FIELD = "mail"
#AUTH_LDAP_USERNAME_FORMAT = "uid=%s,ou=AI-FPT,ou=iea,dc=iea,dc=com"
AUTH_LDAP_APPEND_DOMAIN = "iea.com"
# search configs
AUTH_LDAP_SEARCH = "OU=AI-FPT,OU=iea,DC=iea,DC=com"
#AUTH_LDAP_SEARCH_FILTER = "(memberOf=cn=gitlab-users,ou=AI-FPT,ou=iea,dc=iea,dc=com)"
AUTH_LDAP_UID_FIELD = "sAMAccountName"
auth_ldap_bind_user = "CN=zeppelinadmin,OU=AI-FPT,OU=idea,DC=iea,DC=com"
auth_ldap_bind_password = ''
#AUTH_LDAP_BIND_USER = "CN=zeppelinadmin,OU=AI-FPT,OU=iea,DC=iea,DC=com"
#AUTH_LDAP_BIND_PASSWORD = ""
AUTH_ROLES_MAPPING = {
    "CN=gitlab-users,OU=AI-FPT,OU=iea,DC=iea,DC=com": ["User"],
    "CN=zeppelinadmins,OU=AI-FPT,OU=iea,DC=iea,DC=com": ["Admin"],
}
AUTH_LDAP_GROUP_FIELD = "memberOf"
AUTH_ROLES_SYNC_AT_LOGIN = True
PERMANENT_SESSION_LIFETIME = 1800
```
### What you think should happen instead
`AUTH_LDAP_BIND_USER`, which is upper case, should work.
### How to reproduce
Configure `webserver_config.py` with `auth_ldap_bind_user` instead of `AUTH_LDAP_BIND_USER`, restart the webserver and try to log in.
### Operating System
```
[root@hadoop-180-91 airflow]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
```
### Versions of Apache Airflow Providers
```
[root@hadoop-180-91 airflow]# pip freeze | grep apache-airflow
apache-airflow==2.3.4
apache-airflow-providers-common-sql==1.3.0
apache-airflow-providers-ftp==3.2.0
apache-airflow-providers-http==4.1.0
apache-airflow-providers-imap==3.1.0
apache-airflow-providers-sqlite==3.3.0
[root@hadoop-180-91 airflow]#
```
### Deployment
Other
### Deployment details
_No response_
### Anything else
_No response_
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] HwiLu commented on issue #28026: webserver login does not work by AD with config `AUTH_LDAP_BIND_USER` but with `auth_ldap_bind_user`
Posted by GitBox <gi...@apache.org>.
HwiLu commented on issue #28026:
URL: https://github.com/apache/airflow/issues/28026#issuecomment-1335004082
It is MS Active Directory. I will check my setup again, thank you.
[GitHub] [airflow] eladkal closed issue #28026: webserver login does not work by AD with config `AUTH_LDAP_BIND_USER` but with `auth_ldap_bind_user`
Posted by GitBox <gi...@apache.org>.
eladkal closed issue #28026: webserver login does not work by AD with config `AUTH_LDAP_BIND_USER` but with `auth_ldap_bind_user`
URL: https://github.com/apache/airflow/issues/28026
[GitHub] [airflow] Taragolis commented on issue #28026: webserver login does not work by AD with config `AUTH_LDAP_BIND_USER` but with `auth_ldap_bind_user`
Posted by GitBox <gi...@apache.org>.
Taragolis commented on issue #28026:
URL: https://github.com/apache/airflow/issues/28026#issuecomment-1334830090
This relates more to the LDAP protocol and its implementation than to Airflow itself:
- Is this MS Active Directory or OpenLDAP?
- How it is actually implemented in Python: https://www.python-ldap.org/en/python-ldap-3.4.3/resources.html
- How it is implemented in FAB (Flask App Builder): https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap
[GitHub] [airflow] Taragolis commented on issue #28026: webserver login does not work by AD with config `AUTH_LDAP_BIND_USER` but with `auth_ldap_bind_user`
Posted by GitBox <gi...@apache.org>.
Taragolis commented on issue #28026:
URL: https://github.com/apache/airflow/issues/28026#issuecomment-1333567274
According to error code **49** and hex data **52e**, this error refers to [invalid password](https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors).
When you set up `auth_ldap_bind_user` instead of `AUTH_LDAP_BIND_USER` you disable "indirect binding", see:
https://github.com/apache/airflow/blob/2.3.4/airflow/www/fab_security/manager.py#L1086
You could also set [[logging] logging_level](https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#logging-level) to DEBUG, and after that you should see in the logs that you use `AUTH_LDAP_BIND_USER`.
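The effect described in the comment above can be checked before a restart. This is an added example, not code from the thread or from Airflow: it assumes `webserver_config.py` is loaded through Flask's config loader, which keeps only upper-case names, and the sample settings and the `audit` helper are constructed for illustration.

```python
import ast

# Constructed sample input modelled on the configuration in the report;
# host, domain and DN values are placeholders.
SAMPLE_CONFIG = '''
AUTH_LDAP_SERVER = "ldap://ldap.example.test:389"
AUTH_LDAP_APPEND_DOMAIN = "example.test"
AUTH_LDAP_SEARCH = "OU=people,DC=example,DC=test"
auth_ldap_bind_user = "CN=svc,OU=people,DC=example,DC=test"
auth_ldap_bind_password = "placeholder"
'''


def top_level_names(source):
    """Return {name: literal value or None} for simple top-level assignments."""
    names = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        try:
            value = ast.literal_eval(node.value)
        except (ValueError, TypeError, SyntaxError):
            value = None  # non-literal right-hand side, e.g. AUTH_LDAP
        for target in node.targets:
            if isinstance(target, ast.Name):
                names[target.id] = value
    return names


def audit(source):
    """Report names the loader drops and the LDAP bind mode that results."""
    names = top_level_names(source)
    loaded = {k: v for k, v in names.items() if k.isupper()}
    ignored = sorted(k for k in names if not k.isupper())
    # A dropped name that looks like an auth setting is very likely a casing slip.
    suspect = [k for k in ignored if k.upper().startswith("AUTH_")]
    # With no effective AUTH_LDAP_BIND_USER the login binds directly as the
    # end user; with one, a service-account (indirect) bind runs first.
    mode = "indirect" if loaded.get("AUTH_LDAP_BIND_USER") else "direct"
    return {"ignored": ignored, "suspect": suspect, "bind_mode": mode}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A configuration that reports `bind_mode` as `direct` while containing suspect `auth_ldap_bind_*` names is not using the service account at all, so a successful login in that state says nothing about the service account's credentials.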
[GitHub] [airflow] HwiLu commented on issue #28026: webserver login does not work by AD with config `AUTH_LDAP_BIND_USER` but with `auth_ldap_bind_user`
Posted by GitBox <gi...@apache.org>.
HwiLu commented on issue #28026:
URL: https://github.com/apache/airflow/issues/28026#issuecomment-1334687100
It still shows the same error
```
192.168.208.171 - - [02/Dec/2022:10:26:50 +0800] "GET /static/pin_32.png HTTP/1.1" 304 0 "http://hadoop-180-91:8086/login/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
[2022-12-02 10:26:57,565] {manager.py:990} DEBUG - LDAP bind indirect TRY with username: 'CN=zeppelinadmin,OU=AI-FPT,OU=idea,DC=idea,DC=com'
[2022-12-02 10:26:57,567] {manager.py:994} ERROR - AUTH_LDAP_BIND_USER and AUTH_LDAP_BIND_PASSWORD are not valid LDAP bind credentials
[2022-12-02 10:26:57,567] {manager.py:1201} ERROR - {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563'}
192.168.208.171 - - [02/Dec/2022:10:26:57 +0800] "POST /login/ HTTP/1.1" 302 201 "http://hadoop-180-91:8086/login/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
```
I am sure the username and password of zeppelinadmin are right, because our Apache Zeppelin was integrated with AD using this user. Is there any configuration missed by me?
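Log lines in the format quoted above can be triaged mechanically. This is an added example, not code from the thread or from Airflow: it pairs each bind attempt with the LDAP error that follows and decodes the Active Directory `data` sub-code; the sample lines are constructed in the thread's format with a placeholder DN, and `triage` is a hypothetical helper.

```python
import ast
import re

# Win32 logon error codes that Active Directory reports in the "data" field
# of an LDAP result 49 (invalid credentials) response.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "user name or password is incorrect",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Constructed log lines in the format shown in the thread; the DN is a placeholder.
SAMPLE_LOG = """\
[2022-12-02 10:26:57,565] {manager.py:990} DEBUG - LDAP bind indirect TRY with username: 'CN=svc,OU=people,DC=example,DC=test'
[2022-12-02 10:26:57,567] {manager.py:1201} ERROR - {'msgtype': 97, 'msgid': 1, 'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': '80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563'}
"""

BIND_TRY = re.compile(r"LDAP bind (\w+) TRY with username: '([^']*)'")
ERROR_DICT = re.compile(r"ERROR - (\{.*\})\s*$")
DATA_CODE = re.compile(r"\bdata ([0-9a-fA-F]+)\b")


def triage(log_text):
    """Pair each LDAP bind attempt with the decoded error that follows it."""
    findings, attempt = [], None
    for line in log_text.splitlines():
        if m := BIND_TRY.search(line):
            attempt = {"mode": m.group(1), "bind_dn": m.group(2)}
        elif m := ERROR_DICT.search(line):
            err = ast.literal_eval(m.group(1))  # repr of the LDAP error dict
            code = DATA_CODE.search(err.get("info", ""))
            sub = code.group(1).lower() if code else None
            findings.append({**(attempt or {}), "result": err.get("result"),
                             "subcode": sub,
                             "meaning": AD_SUBCODES.get(sub, "unknown")})
            attempt = None
    return findings
```

The `bind_dn` in each finding is the exact string sent to the directory, which makes it the value to compare character by character against the account's distinguished name in AD.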
[GitHub] [airflow] boring-cyborg[bot] commented on issue #28026: webserver login does not work by AD with config `AUTH_LDAP_BIND_USER `,but works with `auth_ldap_bind_user`
Posted by GitBox <gi...@apache.org>.
boring-cyborg[bot] commented on issue #28026:
URL: https://github.com/apache/airflow/issues/28026#issuecomment-1333274744
Thanks for opening your first issue here! Be sure to follow the issue template!