Set jupyterhub userid to be the same as uid from LDAP #2
Comments
We're also planning to do this with our dockerspawner-based installation, in order to have proper ownership for notebooks on a shared volume. On our company LDAP, in order to read the UID and other details of users, you actually have to bind using a special service account. If you bind with the user account you want to authenticate, there's no access to that kind of details. Looking at
@akaihola I think that's a common enough use case that we should support that mode of operation. I'll welcome patches :)
You can take a look at #32; these changes give much flexibility for configuring Active Directory, especially with a technical user account.
@yuvipanda we ended up copying ldapauthenticator and making our own modifications. It seemed to me that the way we need to authenticate and dig information out from LDAP wouldn't be easily supported and made configurable. Here are the essential parts of our authentication mechanism:

```python
import ldap3

# Inside our authenticator's authenticate() method; `server` is an ldap3.Server
# and `username` / `password` come from the login form.

# Try to authenticate the user
user_conn = ldap3.Connection(
    server,
    user=self.bind_dn_template.format(username=username),
    password=password)
if not user_conn.bind():
    return None  # invalid password

# User authentication succeeded, get the Unix UID and optionally
# check group authorization
conn = ldap3.Connection(server,
                        user=self.service_account_dn,
                        password=self.service_account_password)
if conn.bind():
    # In some cases, like AD, we don't bind with the DN, and need to
    # discover it.
    conn.search(search_base=self.user_search_base,
                search_scope=ldap3.SUBTREE,
                search_filter='({userattr}={username})'.format(
                    userattr=self.user_attribute,
                    username=username),
                attributes=[self.user_attribute, 'uidNumber'])
    if len(conn.response) == 0:
        self.log.warning('User with %s=%s not found in directory',
                         self.user_attribute, username)
        return None
    userdn = conn.response[0]['dn']
    entry = conn.entries[0]
    # The user attributes will be stored in users.state in the
    # database by our customized Docker spawner
    self.user_attributes = entry.entry_attributes_as_dict
    return username
else:
    self.log.warning('Cannot bind to LDAP server using service account %s',
                     self.service_account_dn)
    return None
```
@akaihola Is your custom ldap / dockerspawner code available somewhere? I've been able to get LDAP + LocalProcessSpawner to work, but not LDAP + dockerspawner. It'd be a big help to the researchers I work with.
@JHibbard sorry for not getting back to you in January. Did you make any progress or find other examples for LDAP and dockerspawner? We are using basically a vanilla dockerspawner and the custom ldapauthenticator, but the code is embedded in our proprietary codebase. I'd love to publish the essential parts if no one else has made anything similar available yet.
I think this should be in the forthcoming release (#103). If not, please reopen!
Makes it far less confusing when reasoning about 'user id' if they all were the same rather than referred to different things.