Bug description
Using a directory service like FreeIPA that allows nested groups, if a nested group is added to c.LDAPAuthenticator.allowed_groups, the indirect members (i.e. members of child groups) are not granted access to Jupyter services.
Expected behaviour
We expected indirect group members to be allowed access to JupyterHub services.
Actual behaviour
Access is denied.
How to reproduce
- Create two groups in the LDAP directory, A and B
- Add a user to group B
- Add group B as a member group of group A
- Set group A as an allowed group using c.LDAPAuthenticator.allowed_groups in jupyterhub_config.py
- Restart jupyterhub
- Attempt to log in as the user added to group B
Your personal set up
- OS: CentOS7
- Version: 2.2.6
- Configuration: Diff from default config
# diff /opt/jupyterhub/etc/jupyterhub/jupyterhub_config.py /opt/jupyterhub/etc/jupyterhub/jupyterhub_config.py.default
98,114d97
< c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
<
< # LDAPAuthenticator settings
< c.LDAPAuthenticator.server_address = 'ipa01.example.org'
< c.LDAPAuthenticator.lookup_dn = False
< c.LDAPAuthenticator.user_attribute = 'uid'
< c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'uid'
< c.LDAPAuthenticator.user_search_base = 'cn=users,cn=accounts,dc=example,dc=org'
< c.LDAPAuthenticator.bind_dn_template = [ 'uid={username},cn=users,cn=accounts,,dc=example,dc=org' ]
< c.LDAPAuthenticator.allowed_groups = [
< 'cn=jupyter-users,cn=groups,cn=accounts,dc=example,dc=org'
< ]
<
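Review bot: the DN in c.LDAPAuthenticator.bind_dn_template contains a doubled comma (cn=accounts,,dc=example,dc=org), which leaves an empty RDN and is not a well-formed DN. If the live config reads this way rather than this being a slip made while anonymising the paste, it should be cn=accounts,dc=example,dc=org so that it matches the base used in user_search_base and in the allowed_groups entry; a bind DN that does not match the user's real entry would be rejected at bind time, before any group check runs, so it is worth ruling out before attributing the denial to group nesting.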
123c106
<
---
> #c.JupyterHub.base_url = '/'
189d171
< c.JupyterHub.cookie_secret_file = '/opt/jupyterhub/etc/jupyterhub/jupyterhub_cookie_secret'
200d181
< c.JupyterHub.db_url = 'postgresql+psycopg2://jupyter:[email protected]:5432/jupyter'
390d370
< c.JupyterHub.named_server_limit_per_user = 5
404,405d383
< c.ConfigurableHTTPProxy.pid_file = '/localhome/jupyter/jupyter-proxy.pid'
<
493d470
< c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner'
692,699d668
< # Open lab in home directory
< #c.Spawner.default_url = '/lab/tree/home/{username}'
< # Opens notebook in home directory
< #c.Spawner.default_url = '/tree/home/{username}'
< # Opens lab at /
< #c.Spawner.default_url = '/lab'
< # No links
< c.Spawner.default_url = '/lab/workspaces/lab/tree/home/{username}'
795d763
< c.Spawner.notebook_dir = '/'
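
The reproduction steps above, modelled on a constructed in-memory directory: a check that looks only at a group's direct members denies the user in group B when only group A is allowed, while a bounded, cycle-safe walk over member groups grants access. This is an added example, not code from ldapauthenticator or from the reporter; the DNs, the `DIRECTORY` dict and all function names are assumptions.

```python
from collections import deque

# Constructed sample directory (not from the report): group DN -> member DNs.
BASE = "cn=accounts,dc=example,dc=org"
GROUP_A = f"cn=a,cn=groups,{BASE}"
GROUP_B = f"cn=b,cn=groups,{BASE}"
GROUP_C = f"cn=c,cn=groups,{BASE}"
ALICE = f"uid=alice,cn=users,{BASE}"
BOB = f"uid=bob,cn=users,{BASE}"
DIRECTORY = {
    GROUP_A: [GROUP_B],          # B is a member group of A
    GROUP_B: [ALICE, GROUP_C],   # alice is a direct member of B only
    GROUP_C: [GROUP_A],          # cycle A -> B -> C -> A, to test termination
}

def norm(dn):
    """Simplified DN normalisation (assumption): lower-case, trim around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def is_direct_member(directory, user_dn, group_dn):
    """True only if the user DN is listed on the group entry itself."""
    index = {norm(g): {norm(m) for m in ms} for g, ms in directory.items()}
    return norm(user_dn) in index.get(norm(group_dn), set())

def is_nested_member(directory, user_dn, group_dn, max_depth=10):
    """Breadth-first walk over member groups; 'seen' stops cycles and
    max_depth bounds the work on very deep hierarchies."""
    index = {norm(g): [norm(m) for m in ms] for g, ms in directory.items()}
    target, start = norm(user_dn), norm(group_dn)
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        group, depth = queue.popleft()
        for member in index.get(group, []):
            if member == target:
                return True
            # A member that is itself a group entry is expanded once.
            if member in index and member not in seen and depth < max_depth:
                seen.add(member)
                queue.append((member, depth + 1))
    return False

def is_allowed(directory, user_dn, allowed_groups, nested=False):
    """Allow if the user belongs to any allowed group under the chosen check."""
    check = is_nested_member if nested else is_direct_member
    return any(check(directory, user_dn, g) for g in allowed_groups)
```

With `nested=False` the user in B is denied when only A is allowed, which is the behaviour the report describes; with `nested=True` the same user is allowed and a user in no group is still denied.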