I strongly agree to stop using TLS 1.0. It's more than 20 years old, and
the payment industry has recommended moving off it by June 2018:
https://www.forbes.com/sites/thesba/2018/05/30/changes-to-pci-compliance-are-coming-june-30-is-your-ecommerce-business-ready/?sh=245001137408

All major vendors - Microsoft, Google, Apple, Mozilla - deprecated it in 2020:
https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/

Your organisation is at high risk if you are still using TLS 1.0, which
is known to have irreparable issues and can be broken easily using modern
infrastructure.

J.


On Thu, May 20, 2021 at 2:55 AM Lewis John McGibbney <lewi...@apache.org>
wrote:

> We think we have narrowed this down to our LDAP cluster requiring
> TLSv1.0... whereas the apache-airflow[ldap] integration uses the Python
> package ldap3 v2.5.1 which uses a newer TLS version.
> The follow-on question now becomes, is it possible to configure the TLS
> version?
> According to Flask-appbuilder, this is not possible [1]; we only expose the
> following configuration values:
>
> AUTH_LDAP_TLS_DEMAND
> AUTH_LDAP_TLS_CACERTDIR
> AUTH_LDAP_TLS_CACERTFILE
> AUTH_LDAP_TLS_CERTFILE
> AUTH_LDAP_TLS_KEYFILE
>
> Any suggestion here before we entirely abandon LDAP and attempt to either
>
> a. roll our own auth backend, or
> b. attempt to use OAuth
>
> Thanks
> lewismc
>
> [0] https://github.com/apache/airflow/blob/master/setup.py#L379-L382
> [1] https://flask-appbuilder.readthedocs.io/en/latest/config.html?highlight=TLS#configuration-keys
>
> On 2021/05/12 15:33:02, Lewis John McGibbney <lewi...@apache.org> wrote:
> > Hi users@,
> > Is anyone else using Airflow with LDAP webserver authentication?
> > If so, can you please share your experiences?
> > Thank you
> >
> > On 2021/05/06 21:58:34, Lewis John McGibbney <lewi...@apache.org> wrote:
> > > Hi users@,
> > > Running Airflow 2.0.2 locally attempting to debug this issue.
> > > We have configured webserver_config.py as follows
> > >
> > > from flask_appbuilder.security.manager import AUTH_LDAP
> > > import os
> > > WTF_CSRF_ENABLED = True
> > > AUTH_TYPE = AUTH_LDAP
> > > AUTH_ROLE_ADMIN = "Admin"
> > > AUTH_USER_REGISTRATION = False
> > > AUTH_USER_REGISTRATION_ROLE = "Admin"
> > > AUTH_LDAP_SERVER = "ldaps://...:636"
> > > AUTH_LDAP_SEARCH = "ou=personnel,dc=dir,dc=...,dc=...,dc=..."
> > > AUTH_LDAP_BIND_USER = "uid={},ou=applications,dc=dir,dc=...,dc=...,dc=...".format(os.environ.get("AUTH_LDAP_APPLICATION_BIND_USER"))
> > > AUTH_LDAP_BIND_PASSWORD = os.environ.get("AUTH_LDAP_APPLICATION_BIND_PASSWORD")
> > > AUTH_LDAP_UID_FIELD = "uid"
> > > AUTH_LDAP_USE_TLS = False
> > > AUTH_LDAP_ALLOW_SELF_SIGNED = False
> > >
> > > This results in the following LDAP log, which indicates that the query
> > > was executed successfully.
> > >
> > > [06/May/2021:13:50:13 -0700] conn=17284339 op=-1 msgId=-1 - fd=212 slot=212 LDAPS connection from ....254.239:60821 to ....125.253
> > > [06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - BIND dn="uid=jsearch-airflow-sa,ou=applications,dc=dir,dc=...,dc=...,dc=..." method=128 version=3
> > > [06/May/2021:13:50:13 -0700] conn=17284339 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jsearch-airflow-sa,ou=applications,dc=dir,dc=...,dc=...,dc=..."
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - SRCH base="ou=personnel,dc=dir,dc=...,dc=...,dc=..." scope=2 filter="(uid=ech...)" attrs="givenName sn mail"
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - BIND dn="uid=echiu,ou=personnel,dc=dir,dc=...,dc=...,dc=..." method=128 version=3
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=2 msgId=3 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ech...,ou=personnel,dc=dir,dc=...,dc=...,dc=..."
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=4 - UNBIND
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=3 msgId=-1 - closing from ....254.239:60821 - U1 - Connection closed by unbind client -
> > > [06/May/2021:13:50:14 -0700] conn=17284339 op=-1 msgId=-1 - closed.
> > >
> > > However, this does not result in a successful user login within the
> > > Airflow webserver, and the UI reflects "Invalid login. Please try again."
> > >
> > > The webserver log reflects the following
> > >
> > > Request URL: http://localhost:8080/login/
> > > Request Method: POST
> > > Status Code: 302 FOUND
> > > Remote Address: 127.0.0.1:8080
> > > Referrer Policy: strict-origin-when-cross-origin
> > >
> > > Does anyone have any idea what is going on here?
> > > Thank you
> > >
> > > lewismc
> > >
> > >
> >
>


-- 
+48 660 796 129
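As an added example for this thread (not code from Airflow, Flask-AppBuilder or ldap3, and not written by anyone in the thread): a stdlib-only Python script an operator can point at their own LDAPS endpoint to find out which TLS protocol versions it still negotiates, together with a client-side context pinned to TLS 1.2 or newer. The host name `ldap.example.org` and the results dictionary used in `__main__` are constructed placeholders.

```python
"""Report which TLS versions an LDAPS endpoint accepts, and build a client
context that refuses anything older than TLS 1.2.

Added example for the Airflow/LDAP thread above; not code from Airflow,
Flask-AppBuilder or ldap3.  Host names below are placeholders.
"""
import socket
import ssl

# Protocol names as returned by SSLSocket.version(); these are the versions
# the first reply in the thread says should no longer be in use.
DEPRECATED_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

PROBE_VERSIONS = (
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
)


def hardened_client_context(cafile=None):
    """Client context for an LDAPS connection: certificate and hostname
    verification stay on (create_default_context's defaults) and the floor
    is raised to TLS 1.2, so a server that only offers TLS 1.0 is refused."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_deprecated(version_name):
    """True for a negotiated protocol name that is on the retired list."""
    return version_name in DEPRECATED_VERSIONS


def flag_deprecated(results):
    """Given the dict returned by probe_versions(), return the deprecated
    versions the server actually accepted, sorted, so they can be raised as
    a finding against the LDAP service."""
    return sorted(v for v, state in results.items()
                  if state.startswith("accepted") and is_deprecated(v))


def probe_versions(host, port=636, cafile=None, timeout=5.0):
    """Attempt one handshake per TLS version against host:port.

    Returns {"TLSv1": state, ...} where state is "accepted",
    "accepted-untrusted-cert" (the version was negotiated but the chain did
    not verify), "rejected" (server refused that version),
    "client-refused" (this OpenSSL build will not even offer it) or
    "error: ..." for transport problems.  Verification is left on so that a
    certificate failure is reported separately from a protocol rejection."""
    results = {}
    for name, version in PROBE_VERSIONS:
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # OpenSSL security level >= 2 disables TLS 1.0/1.1 outright;
            # lower it for the probe only, never in a production context.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[name] = "client-refused"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    negotiated = tls.version()
                    results[name] = "accepted" if negotiated == name else "rejected"
        except ssl.SSLCertVerificationError:
            results[name] = "accepted-untrusted-cert"
        except ssl.SSLError:
            results[name] = "rejected"
        except OSError as exc:
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Placeholder host; replace with the LDAP cluster under review.
    report = probe_versions("ldap.example.org")
    for version, state in report.items():
        print(f"{version:8s} {state}")
    flagged = flag_deprecated(report)
    if flagged:
        print("Deprecated versions still accepted:", ", ".join(flagged))
    else:
        print("No deprecated TLS versions accepted.")
```

The probe answers the question the thread is circling (does the LDAP cluster really only speak TLS 1.0?) without changing any client configuration. If it does, the configuration keys quoted above will not help, because none of them selects a protocol version; the durable fix is enabling TLS 1.2 on the directory service, after which `hardened_client_context()` (or, as I understand ldap3's API, the `version` argument of its `Tls` object) is the shape a client-side pin should take.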
