Members of nested groups aren't allowed if only the parent group is listed under allowed_groups

[Aethylred]

Bug description

Using a directory service like FreeIPA that allows nested groups, if a nested group is added to c.LDAPAuthenticator.allowed_groups the indirect members (i.e. members of child groups) are not granted access to Jupyter services.

Expected behaviour

We expected indirect group members to be allowed access to jupyterhub services

Actual behaviour

Access is denied.

How to reproduce

1. Create two groups in the LDAP directory A and B
2. Add a user to group B
3. Add group B as a member group of group A
4. Set group A as an allowed group using c.LDAPAuthenticator.allowed_groups in jupyterhub_config.py
5. Restart jupyterhub
6. Attempt to login as the user added to group B

Your personal set up

• OS: CentOS7

• Version: 2.2.6

• Configuration: Diff from default config

# diff /opt/jupyterhub/etc/jupyterhub/jupyterhub_config.py /opt/jupyterhub/etc/jupyterhub/jupyterhub_config.py.default
98,114d97
< c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
<
< # LDAPAuthenticator settings
< c.LDAPAuthenticator.server_address = 'ipa01.example.org'
< c.LDAPAuthenticator.lookup_dn = False
< c.LDAPAuthenticator.user_attribute = 'uid'
< c.LDAPAuthenticator.lookup_dn_user_dn_attribute = 'uid'
< c.LDAPAuthenticator.user_search_base = 'cn=users,cn=accounts,dc=example,dc=org'
< c.LDAPAuthenticator.bind_dn_template = [ 'uid={username},cn=users,cn=accounts,,dc=example,dc=org' ]
< c.LDAPAuthenticator.allowed_groups = [
<     'cn=jupyter-users,cn=groups,cn=accounts,dc=example,dc=org'
< ]
<
123c106
<
---
> #c.JupyterHub.base_url = '/'
189d171
< c.JupyterHub.cookie_secret_file = '/opt/jupyterhub/etc/jupyterhub/jupyterhub_cookie_secret'
200d181
< c.JupyterHub.db_url = 'postgresql+psycopg2://jupyter:[email protected]:5432/jupyter'
390d370
< c.JupyterHub.named_server_limit_per_user = 5
404,405d383
< c.ConfigurableHTTPProxy.pid_file = '/localhome/jupyter/jupyter-proxy.pid'
<
493d470
< c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner'
692,699d668
< # Open lab in home directory
< #c.Spawner.default_url = '/lab/tree/home/{username}'
< # Opens notebook in home directory
< #c.Spawner.default_url = '/tree/home/{username}'
< # Opens lab at /
< #c.Spawner.default_url = '/lab'
< # No links
< c.Spawner.default_url = '/lab/workspaces/lab/tree/home/{username}'
795d763
< c.Spawner.notebook_dir = '/'

[welcome]

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.

You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

[dhirschfeld]

I think this is a dup of #148.

[Aethylred]

It does, looks like they'er covering nested groups in Active Directory, but may not cover the case for FreeIPA/Redhat Identity Manager/389 Directory Server

[Aethylred]

It may also be part of #94

[mk-raven]

Hello!
Any update of this issue?
We have the same problem, because have a lot of users and nested groups its nice solution