Re: Successful LDAP query still reporting Invalid login. Please try again...

I strongly agree to stop using TLS 1.0. It's more than 20 years old and it's been recommended by the payment industry to move away from it by June 2018:
https://www.forbes.com/sites/thesba/2018/05/30/changes-to-pci-compliance-are-coming-june-30-is-your-ecommerce-business-ready/?sh=245001137408

All major vendors (Microsoft, Google, Apple, Mozilla) deprecated it in 2020:
https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/

Your organisation is under a high risk if you are still using TLS 1.0, which is known to have irreparable issues and can be broken easily using modern infrastructure.

J.

On Thu, May 20, 2021 at 2:55 AM Lewis John McGibbney wrote:
> We think we have narrowed this down to our LDAP cluster requiring
> TLSv1.0... whereas the apache-airflow[ldap] integration uses the Python
> package ldap3 v2.5.1 which uses a newer TLS version.
> The follow-on question now becomes, is it possible to configure the TLS
> version?
> According to Flask-appbuilder, this is not possible [1]; we only expose the
> following configuration values
>
> AUTH_LDAP_TLS_DEMAND
> AUTH_LDAP_TLS_CACERTDIR
> AUTH_LDAP_TLS_CACERTFILE
> AUTH_LDAP_TLS_CERTFILE
> AUTH_LDAP_TLS_KEYFILE
>
> Any suggestion here before we entirely abandon LDAP and attempt to either
>
> a. roll our own auth backend, or
> b. attempt to use OAuth
>
> Thanks
> lewismc
>
> [0] https://github.com/apache/airflow/blob/master/setup.py#L379-L382
> [1] https://flask-appbuilder.readthedocs.io/en/latest/config.html?highlight=TLS#configuration-keys
>
> On 2021/05/12 15:33:02, Lewis John McGibbney wrote:
> > Hi users@,
> >
> > Is anyone else using Airflow with LDAP webserver authentication?
> > If so, can you please share your experiences?
> > Thank you
> >
> > On 2021/05/06 21:58:34, Lewis John McGibbney wrote:
> > > Hi users@,
> > >
> > > Running Airflow 2.0.2 locally attempting to debug this issue.
> > > We have configured webserver_config.py as follows
> > >
> > > from flask_appbuilder.security.manager import AUTH_LDAP
> > > import os
> > > WTF_CSRF_ENABLED = True
> > > AUTH_TYPE = AUTH_LDAP
> > > AUTH_ROLE_ADMIN = "Admin"
> > > AUTH_USER_REGISTRATION = False
> > > AUTH_USER_REGISTRATION_ROLE = "Admin"
> > > AUTH_LDAP_SERVER = "ldaps://...:636"
> > > AUTH_LDAP_SEARCH = "ou=personnel,dc=dir,dc=...,dc=...,dc=..."
> > > AUTH_LDAP_BIND_USER = "uid={},ou=applications,dc=dir,dc=...,dc=...,dc=...".format(os.environ.get("AUTH_LDAP_APPLICATION_BIND_USER"))
> > > AUTH_LDAP_BIND_PASSWORD = os.environ.get("AUTH_LDAP_APPLICATION_BIND_PASSWORD")
> > > AUTH_LDAP_UID_FIELD = "uid"
> > > AUTH_LDAP_USE_TLS = False
> > > AUTH_LDAP_ALLOW_SELF_SIGNED = False
> > >
> > > This results in the following LDAP log which indicates that the query was executed successfully.
> > >
> > > [06/May/2021:13:50:13 -0700] conn=17284339 op=-1 msgId=-1 - fd=212 slot=212 LDAPS connection from 254.239:60821 to 125.253
> > > [06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - BIND dn="uid=jsearch-airflow-sa,ou=applications,dc=dir,dc=...,dc=...,dc=..." method=128 version=3
> > > [06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jsearch-airflow-sa,ou=applications,dc=dir,dc=...,dc=...,dc=..."
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - SRCH base="ou=personnel,dc=dir,dc=...,dc=...,dc=..." scope=2 filter="(uid=ech...)" attrs="givenName sn mail"
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - BIND dn="uid=echiu,ou=personnel,dc=dir,dc=...,dc=...,dc=..." method=128 version=3
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ech...,ou=personnel,dc=dir,dc=...,dc=...,dc=..."
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=4 - UNBIND
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=-1 - closing from 254.239:60821 - U1 - Connection closed by unbind client -
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=-1 msgId=-1 - closed.
> > >
> > > However this does not result in a successful user login within the Airflow webserver and the UI reflects "Invalid login. Please try again."
> > >
> > > The webserver log reflects the following
> > >
> > > Request URL: http://localhost:8080/login/
> > > Request Method: POST
> > > Status Code: 302 FOUND
> > > Remote Address: 127.0.0.1:8080
> > > Referrer Policy: strict-origin-when-cross-origin
> > >
> > > Does anyone have any idea what is going on here?
> > > Thank you
> > >
> > > lewismc
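A defender-side check that follows from this reply: before concluding that the directory "requires TLSv1.0", confirm which protocol versions the LDAPS listener actually negotiates, and whether anything below TLS 1.2 is still enabled. The script below is an added example, not code from this thread, from Airflow or from Flask-AppBuilder. The host name is a placeholder, the probe pins one protocol version per handshake, and it turns certificate verification off because it answers only the protocol-version question (so a self-signed or mismatched certificate does not mask the result).

```python
import socket
import ssl
import sys
from typing import Callable, Dict, Optional

# Protocol versions the probe tries, oldest first.
VERSIONS: Dict[str, ssl.TLSVersion] = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Shape of the injectable handshake function: returns the negotiated
# protocol name on success, None if the peer rejected the version.
Handshake = Callable[[str, int, ssl.TLSVersion], Optional[str]]


def make_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # The probe answers "which protocol versions does the listener accept?",
    # not "is the certificate valid?", so certificate checks are off here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_handshake(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[str]:
    """Open a TCP connection and complete a handshake at the given version."""
    ctx = make_context(version)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def probe_tls_versions(host: str, port: int = 636,
                       handshake: Handshake = tls_handshake) -> Dict[str, str]:
    """Try every version in VERSIONS and record how the listener responded."""
    report: Dict[str, str] = {}
    for name, version in VERSIONS.items():
        try:
            negotiated = handshake(host, port, version)
            report[name] = f"accepted ({negotiated})" if negotiated else "rejected"
        except ssl.SSLError as exc:
            # Covers both a server that refuses the version and a local OpenSSL
            # that no longer offers TLS 1.0/1.1 at its default security level.
            report[name] = f"rejected ({exc.reason or exc})"
        except (OSError, ValueError) as exc:
            report[name] = f"error ({exc})"
    return report


def legacy_versions_accepted(report: Dict[str, str]) -> list:
    """Versions below TLS 1.2 that the listener still negotiated."""
    return [n for n in ("TLSv1.0", "TLSv1.1")
            if report.get(n, "").startswith("accepted")]


if __name__ == "__main__":
    # Placeholder host; pass your own LDAPS listener as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"
    result = probe_tls_versions(target)
    for name, outcome in result.items():
        print(f"{name}: {outcome}")
    legacy = legacy_versions_accepted(result)
    print("legacy TLS still enabled:" if legacy else "no legacy TLS accepted", legacy or "")
```

Read the report in two directions. If TLS 1.2 or 1.3 is accepted, the directory does not require TLS 1.0 and the client-side configuration is what needs attention. If only TLS 1.0 is accepted, the finding is about the directory cluster, and the fix belongs there rather than in the Airflow webserver. One caveat: a modern OpenSSL build may refuse to offer TLS 1.0/1.1 from the client side at its default security level, so a "rejected" for those rows can reflect the probing host rather than the listener; the handshake failure reason is kept in the report so the two cases can be told apart.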
Re: Successful LDAP query still reporting Invalid login. Please try again...

We think we have narrowed this down to our LDAP cluster requiring TLSv1.0... whereas the apache-airflow[ldap] integration uses the Python package ldap3 v2.5.1 which uses a newer TLS version.
The follow-on question now becomes, is it possible to configure the TLS version?
According to Flask-appbuilder, this is not possible [1]; we only expose the following configuration values

AUTH_LDAP_TLS_DEMAND
AUTH_LDAP_TLS_CACERTDIR
AUTH_LDAP_TLS_CACERTFILE
AUTH_LDAP_TLS_CERTFILE
AUTH_LDAP_TLS_KEYFILE

Any suggestion here before we entirely abandon LDAP and attempt to either

a. roll our own auth backend, or
b. attempt to use OAuth

Thanks
lewismc

[0] https://github.com/apache/airflow/blob/master/setup.py#L379-L382
[1] https://flask-appbuilder.readthedocs.io/en/latest/config.html?highlight=TLS#configuration-keys

On 2021/05/12 15:33:02, Lewis John McGibbney wrote:
> Hi users@,
>
> Is anyone else using Airflow with LDAP webserver authentication?
> If so, can you please share your experiences?
> Thank you
>
> On 2021/05/06 21:58:34, Lewis John McGibbney wrote:
> > Hi users@,
> >
> > Running Airflow 2.0.2 locally attempting to debug this issue.
> > We have configured webserver_config.py as follows
> >
> > from flask_appbuilder.security.manager import AUTH_LDAP
> > import os
> > WTF_CSRF_ENABLED = True
> > AUTH_TYPE = AUTH_LDAP
> > AUTH_ROLE_ADMIN = "Admin"
> > AUTH_USER_REGISTRATION = False
> > AUTH_USER_REGISTRATION_ROLE = "Admin"
> > AUTH_LDAP_SERVER = "ldaps://...:636"
> > AUTH_LDAP_SEARCH = "ou=personnel,dc=dir,dc=...,dc=...,dc=..."
> > AUTH_LDAP_BIND_USER = "uid={},ou=applications,dc=dir,dc=...,dc=...,dc=...".format(os.environ.get("AUTH_LDAP_APPLICATION_BIND_USER"))
> > AUTH_LDAP_BIND_PASSWORD = os.environ.get("AUTH_LDAP_APPLICATION_BIND_PASSWORD")
> > AUTH_LDAP_UID_FIELD = "uid"
> > AUTH_LDAP_USE_TLS = False
> > AUTH_LDAP_ALLOW_SELF_SIGNED = False
> >
> > This results in the following LDAP log which indicates that the query was executed successfully.
> >
> > [06/May/2021:13:50:13 -0700] conn=17284339 op=-1 msgId=-1 - fd=212 slot=212 LDAPS connection from 254.239:60821 to 125.253
> > [06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - BIND dn="uid=jsearch-airflow-sa,ou=applications,dc=dir,dc=...,dc=...,dc=..." method=128 version=3
> > [06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jsearch-airflow-sa,ou=applications,dc=dir,dc=...,dc=...,dc=..."
> > [06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - SRCH base="ou=personnel,dc=dir,dc=...,dc=...,dc=..." scope=2 filter="(uid=ech...)" attrs="givenName sn mail"
> > [06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
> > [06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - BIND dn="uid=echiu,ou=personnel,dc=dir,dc=...,dc=...,dc=..." method=128 version=3
> > [06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ech...,ou=personnel,dc=dir,dc=...,dc=...,dc=..."
> > [06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=4 - UNBIND
> > [06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=-1 - closing from 254.239:60821 - U1 - Connection closed by unbind client -
> > [06/May/2021:13:50:14 -0700] conn=17284339 op=-1 msgId=-1 - closed.
> >
> > However this does not result in a successful user login within the Airflow webserver and the UI reflects "Invalid login. Please try again."
> >
> > The webserver log reflects the following
> >
> > Request URL: http://localhost:8080/login/
> > Request Method: POST
> > Status Code: 302 FOUND
> > Remote Address: 127.0.0.1:8080
> > Referrer Policy: strict-origin-when-cross-origin
> >
> > Does anyone have any idea what is going on here?
> > Thank you
> >
> > lewismc
Re: Successful LDAP query still reporting Invalid login. Please try again...

Hi users@,

Is anyone else using Airflow with LDAP webserver authentication?
If so, can you please share your experiences?
Thank you

On 2021/05/06 21:58:34, Lewis John McGibbney wrote:
> Hi users@,
>
> Running Airflow 2.0.2 locally attempting to debug this issue.
> We have configured webserver_config.py as follows
>
> from flask_appbuilder.security.manager import AUTH_LDAP
> import os
> WTF_CSRF_ENABLED = True
> AUTH_TYPE = AUTH_LDAP
> AUTH_ROLE_ADMIN = "Admin"
> AUTH_USER_REGISTRATION = False
> AUTH_USER_REGISTRATION_ROLE = "Admin"
> AUTH_LDAP_SERVER = "ldaps://...:636"
> AUTH_LDAP_SEARCH = "ou=personnel,dc=dir,dc=...,dc=...,dc=..."
> AUTH_LDAP_BIND_USER = "uid={},ou=applications,dc=dir,dc=...,dc=...,dc=...".format(os.environ.get("AUTH_LDAP_APPLICATION_BIND_USER"))
> AUTH_LDAP_BIND_PASSWORD = os.environ.get("AUTH_LDAP_APPLICATION_BIND_PASSWORD")
> AUTH_LDAP_UID_FIELD = "uid"
> AUTH_LDAP_USE_TLS = False
> AUTH_LDAP_ALLOW_SELF_SIGNED = False
>
> This results in the following LDAP log which indicates that the query was executed successfully.
>
> [06/May/2021:13:50:13 -0700] conn=17284339 op=-1 msgId=-1 - fd=212 slot=212 LDAPS connection from 254.239:60821 to 125.253
> [06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - BIND dn="uid=jsearch-airflow-sa,ou=applications,dc=dir,dc=...,dc=...,dc=..." method=128 version=3
> [06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jsearch-airflow-sa,ou=applications,dc=dir,dc=...,dc=...,dc=..."
> [06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - SRCH base="ou=personnel,dc=dir,dc=...,dc=...,dc=..." scope=2 filter="(uid=ech...)" attrs="givenName sn mail"
> [06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
> [06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - BIND dn="uid=echiu,ou=personnel,dc=dir,dc=...,dc=...,dc=..." method=128 version=3
> [06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ech...,ou=personnel,dc=dir,dc=...,dc=...,dc=..."
> [06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=4 - UNBIND
> [06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=-1 - closing from 254.239:60821 - U1 - Connection closed by unbind client -
> [06/May/2021:13:50:14 -0700] conn=17284339 op=-1 msgId=-1 - closed.
>
> However this does not result in a successful user login within the Airflow webserver and the UI reflects "Invalid login. Please try again."
>
> The webserver log reflects the following
>
> Request URL: http://localhost:8080/login/
> Request Method: POST
> Status Code: 302 FOUND
> Remote Address: 127.0.0.1:8080
> Referrer Policy: strict-origin-when-cross-origin
>
> Does anyone have any idea what is going on here?
> Thank you
>
> lewismc
Successful LDAP query still reporting Invalid login. Please try again...

Hi users@,

Running Airflow 2.0.2 locally attempting to debug this issue.
We have configured webserver_config.py as follows

from flask_appbuilder.security.manager import AUTH_LDAP
import os
WTF_CSRF_ENABLED = True
AUTH_TYPE = AUTH_LDAP
AUTH_ROLE_ADMIN = "Admin"
AUTH_USER_REGISTRATION = False
AUTH_USER_REGISTRATION_ROLE = "Admin"
AUTH_LDAP_SERVER = "ldaps://...:636"
AUTH_LDAP_SEARCH = "ou=personnel,dc=dir,dc=...,dc=...,dc=..."
AUTH_LDAP_BIND_USER = "uid={},ou=applications,dc=dir,dc=...,dc=...,dc=...".format(os.environ.get("AUTH_LDAP_APPLICATION_BIND_USER"))
AUTH_LDAP_BIND_PASSWORD = os.environ.get("AUTH_LDAP_APPLICATION_BIND_PASSWORD")
AUTH_LDAP_UID_FIELD = "uid"
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_ALLOW_SELF_SIGNED = False

This results in the following LDAP log which indicates that the query was executed successfully.

[06/May/2021:13:50:13 -0700] conn=17284339 op=-1 msgId=-1 - fd=212 slot=212 LDAPS connection from 254.239:60821 to 125.253
[06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - BIND dn="uid=jsearch-airflow-sa,ou=applications,dc=dir,dc=...,dc=...,dc=..." method=128 version=3
[06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jsearch-airflow-sa,ou=applications,dc=dir,dc=...,dc=...,dc=..."
[06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - SRCH base="ou=personnel,dc=dir,dc=...,dc=...,dc=..." scope=2 filter="(uid=ech...)" attrs="givenName sn mail"
[06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - BIND dn="uid=echiu,ou=personnel,dc=dir,dc=...,dc=...,dc=..." method=128 version=3
[06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ech...,ou=personnel,dc=dir,dc=...,dc=...,dc=..."
[06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=4 - UNBIND
[06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=-1 - closing from 254.239:60821 - U1 - Connection closed by unbind client -
[06/May/2021:13:50:14 -0700] conn=17284339 op=-1 msgId=-1 - closed.

However this does not result in a successful user login within the Airflow webserver and the UI reflects "Invalid login. Please try again."

The webserver log reflects the following

Request URL: http://localhost:8080/login/
Request Method: POST
Status Code: 302 FOUND
Remote Address: 127.0.0.1:8080
Referrer Policy: strict-origin-when-cross-origin

Does anyone have any idea what is going on here?
Thank you

lewismc
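A way to check what an access log like the one above actually establishes, added here as an example and not part of the original post or of Airflow/Flask-AppBuilder: parse the log lines, pair each request with its RESULT by (conn, op), and confirm the three directory-side steps of a bind-then-search login (service-account bind, user search returning exactly one entry, bind as the end user). The sample log is constructed in the same format with placeholder DNs, uid and addresses. When all three steps succeed, the directory has accepted the user's password, so the remaining fault is on the application side; in Flask-AppBuilder, for instance, a user with no record in its own user table is still refused when AUTH_USER_REGISTRATION is False.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the access-log format shown in the thread; DNs, the
# uid and the addresses are placeholders, not the poster's real directory.
SAMPLE_LOG = """\
[06/May/2021:13:50:13 -0700] conn=17284339 op=-1 msgId=-1 - fd=212 slot=212 LDAPS connection from 198.51.100.10:60821 to 203.0.113.20
[06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - BIND dn="uid=svc-airflow,ou=applications,dc=example,dc=test" method=128 version=3
[06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=svc-airflow,ou=applications,dc=example,dc=test"
[06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - SRCH base="ou=personnel,dc=example,dc=test" scope=2 filter="(uid=alice)" attrs="givenName sn mail"
[06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - BIND dn="uid=alice,ou=personnel,dc=example,dc=test" method=128 version=3
[06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=alice,ou=personnel,dc=example,dc=test"
[06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=4 - UNBIND
[06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=-1 - closing from 198.51.100.10:60821 - U1 - Connection closed by unbind client -
[06/May/2021:13:50:14 -0700] conn=17284339 op=-1 msgId=-1 - closed.
"""

# Same session, but the directory rejects the end user's password
# (err=49 is LDAP invalidCredentials). Also constructed.
SAMPLE_LOG_BAD_PASSWORD = SAMPLE_LOG.replace(
    "op=2 msgId=3 - RESULT err=0", "op=2 msgId=3 - RESULT err=49")

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) "
    r"msgId=(?P<msgid>-?\d+) - (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its connection/op identity and fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    kind = rest.split(" ", 1)[0]          # BIND, SRCH, RESULT, UNBIND, ...
    fields = {k: q or u for k, q, u in KV_RE.findall(rest)}
    return {"conn": m.group("conn"), "op": int(m.group("op")),
            "kind": kind, "fields": fields}


def operations(log_text: str) -> List[dict]:
    """Pair each request with its RESULT using the (conn, op) key."""
    requests: Dict[tuple, dict] = {}
    results: Dict[tuple, dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["kind"] in ("BIND", "SRCH", "UNBIND"):
            requests[key] = rec
        elif rec["kind"] == "RESULT":
            results[key] = rec
    ops = []
    for key in sorted(requests):
        req, res = requests[key], results.get(key)
        ops.append({
            "op": key[1],
            "kind": req["kind"],
            "dn": req["fields"].get("dn") or req["fields"].get("base"),
            "filter": req["fields"].get("filter"),
            "err": int(res["fields"]["err"]) if res else None,
            "nentries": int(res["fields"]["nentries"]) if res else None,
        })
    return ops


def diagnose_login(log_text: str) -> dict:
    """Check the three directory-side steps of a bind-then-search login."""
    ops = operations(log_text)
    binds = [o for o in ops if o["kind"] == "BIND"]
    searches = [o for o in ops if o["kind"] == "SRCH"]
    findings = []
    if not binds or binds[0]["err"] != 0:
        findings.append("service-account bind missing or failed")
    if not searches:
        findings.append("no user search performed")
    elif searches[-1]["nentries"] != 1:
        findings.append(
            f"user search returned {searches[-1]['nentries']} entries (expected 1)")
    if len(binds) < 2:
        findings.append("no bind as the end user, so the password was never checked")
    elif binds[-1]["err"] != 0:
        findings.append(f"user bind failed with err={binds[-1]['err']}")
    return {"directory_ok": not findings, "findings": findings, "ops": ops}


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_LOG), ("bad password", SAMPLE_LOG_BAD_PASSWORD)):
        verdict = diagnose_login(text)
        print(label, "->", "directory OK" if verdict["directory_ok"] else verdict["findings"])
```

For the session shown in the post, every step passes, which is why the "Invalid login" must be produced after the directory has answered: the webserver's 302 back to the login page is the application declining the session, not the directory rejecting the credentials. Running the same check against a log where the user bind returns err=49 gives the opposite verdict and names the failing operation.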