问题描述
我使用Docker(https://github.com/osixia/docker-openldap)设置LDAP服务器,并在同一台计算机上安装了Jupyterhub。不幸的是,LDAP服务器与JupyterHub之间的连接无法正常工作。这些是与jupyterhub_config.py中的LDAP身份验证相对应的行:
c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
c.LDAPAuthenticator.server_address = '192.168.48.2' # Docker Container IP of openldap
c.LDAPAuthenticator.lookup_dn = True
c.LDAPAuthenticator.use_ssl = False
# c.LDAPAuthenticator.bind_dn_template = ["cn={username},dc=example,dc=com"]
(在最后两行之间切换没有区别。)
当我尝试在JupyterHub登录页面登录时,弹出以下错误消息:
ldap3.core.exceptions.LDAPSocketSendError: socket sending error[Errno 32] broken pipe
我可以使用ldapsearch从命令行“访问” LDAP数据库:
ldapsearch -x -H ldap://192.168.48.2 -b dc=example,dc=com -D "cn=admin,dc=com" -w password
禁用防火墙也没有什么区别(正在考虑Docker(openldap)和jupyterhub之间的某些网络问题)。
jupyterhub==1.1.0
jupyterhub-ldapauthenticator==1.3.2
我能够在JupyterHub之外使用ldap3重现此问题:
# Get IP of dockerized OpenLDAP
import docker
client = docker.DockerClient()
container = client.containers.get("openldap")
ip_add = container.attrs['NetworkSettings']['Networks']['ldap_default']['IPAddress']
# Check Connection
from ldap3 import Server,Connection,ALL
server = Server(ip_add,use_ssl=False,port=389)
conn = Connection(server)
print(conn.bind(read_server_info=True))
> True
当我现在将ssl=False替换为ssl=True时,它会返回与JupyterHub相同的错误:
# Check Connection
from ldap3 import Server,use_ssl=True,port=636
conn = Connection(server)
print(conn.bind(read_server_info=True))
Traceback (most recent call last):
File "test_connection.py",line 11,in <module>
print(conn.bind(read_server_info=True))
File "/opt/anaconda3/lib/python3.8/site-packages/ldap3/core/connection.py",line 590,in bind
response = self.post_send_single_response(self.send('bindRequest',request,controls))
File "/opt/anaconda3/lib/python3.8/site-packages/ldap3/strategy/base.py",line 330,in send
self.sending(ldap_message)
File "/opt/anaconda3/lib/python3.8/site-packages/ldap3/strategy/base.py",line 882,in sending
raise communication_exception_factory(LDAPSocketSendError,type(e)(str(e)))(self.connection.last_error)
ldap3.core.exceptions.LDAPSocketSendError: socket sending error[Errno 32] broken pipe
似乎这与SSL / TLS / StartTLS有关。如果我在ssl中禁用了jupyterhub_config.py,则身份验证器将(尝试)使用StartTLS进行升级。
LDAPAuthenticator.use_ssl
布尔值,用于指定在与服务器联系时是否使用SSL加密 LDAP服务器。如果将其保留为False(默认),则LDAPAuthenticator 将尝试升级与StartTLS的连接。将此设置为True 启动SSL连接。 (URL:https://github.com/jupyterhub/ldapauthenticator:)
解决方法
尝试替换:
c.LDAPAuthenticator.server_address= 'ldaps://192.168.48.2:636' or 'ladp://192.168.48.2:389'
636和389是ldap和ldap的默认端口