airflow-helm/charts

cannot set up LDAP with the error 'Can't contact LDAP server'

zeddit opened this issue · 8 comments

zeddit commented

Checks

Chart Version

8.8.0

Kubernetes Version

Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.10+rke2r1", GitCommit:"e770bdbb87cccdc2daa790ecd69f40cf4df3cc9d", GitTreeState:"clean", BuildDate:"2023-05-18T15:22:04Z", GoVersion:"go1.19.9 X:boringcrypto", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.10+rke2r1", GitCommit:"e770bdbb87cccdc2daa790ecd69f40cf4df3cc9d", GitTreeState:"clean", BuildDate:"2023-05-18T15:22:04Z", GoVersion:"go1.19.9 X:boringcrypto", Compiler:"gc", Platform:"linux/amd64"}

Helm Version

version.BuildInfo{Version:"v3.12.1", GitCommit:"f32a527a060157990e2aa86bf45010dfb3cc8b8d", GitTreeState:"clean", GoVersion:"go1.20.4"}

Description

I was trying to set up LDAP but failed.
The web UI refreshes to the login page with empty user and password fields after I click sign in.

I have tried both methods to integrate LDAP, following the instructions here: https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap

The first one is configured with STARTTLS:

AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldap://ldap.xxx.tech"
AUTH_LDAP_USE_TLS = True

and the logs from airflow-web and ldap server are shown below:

# airflow web
airflow-web {manager.py:1110} ERROR - LDAP Could not activate TLS on established connection with ldap://ldap.xxx.tech
# ldap
64ef19a6 conn=32342 fd=12 ACCEPT from IP=10.0.18.32:53356 (IP=0.0.0.0:389)
64ef19a6 conn=32342 op=0 EXT oid=1.3.6.1.4.1.1466.20037
64ef19a6 conn=32342 op=0 STARTTLS
64ef19a6 conn=32342 op=0 RESULT oid= err=0 text=
64ef19a6 conn=32342 fd=12 TLS established tls_ssf=256 ssf=256
64ef19a6 conn=32342 fd=12 closed (connection lost)

It seems the LDAP server accepted the connection but closed it immediately, and airflow-web thought that it hadn't connected to the LDAP server.

The second method is configured with LDAP over TLS (ldaps):

AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldaps://ldap.xxx.tech"
AUTH_LDAP_USE_TLS = False

and logs from ldap and airflow-web are listed below:

# airflow web
airflow-web [2023-08-30T10:39:12.491+0000] {manager.py:1236} ERROR - {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': '(unknown error code)'}

# ldap log
64ef1c50 conn=32368 fd=12 ACCEPT from IP=10.0.18.33:53317 (IP=0.0.0.0:636)
64ef1c50 conn=32368 fd=12 TLS established tls_ssf=256 ssf=256
64ef1c50 conn=32368 fd=12 closed (connection lost)

Similarly, Airflow connects to LDAP but does no search query, and the user cannot log in to Airflow.

The LDAP server is correct, because other systems like Grafana work fine.

Where could the bug come from, and how can I fix it? Great thanks.

Relevant Logs

No response

Custom Helm Values

No response
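The two slapd traces in this post share one shape: slapd logs TLS established, then closed (connection lost), with no BIND or SRCH in between. Below is an added example, not code from the issue, from airflow-helm/charts or from Flask-AppBuilder, that parses slapd's default connection log format, groups lines per connection and flags exactly that pattern. The log text embedded in it is constructed from the lines quoted above plus one healthy ldaps session for contrast; all function and field names are the example's own.

```python
"""Triage slapd connection traces for TLS sessions the client abandons.

Added example for this thread, not code from the issue, from
airflow-helm/charts or from Flask-AppBuilder. It parses slapd's default
connection log format, groups lines by conn id, and flags connections where
TLS was established but the client never issued a BIND or search before the
socket went away. The log text below is constructed: the two traces from
the issue plus one healthy session. All names here are the example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: conn=32342 (STARTTLS on 389) and conn=32368 (ldaps on
# 636) are the issue's traces; conn=32400 is a healthy bind-and-search.
SAMPLE_SLAPD_LOG = """\
64ef19a6 conn=32342 fd=12 ACCEPT from IP=10.0.18.32:53356 (IP=0.0.0.0:389)
64ef19a6 conn=32342 op=0 EXT oid=1.3.6.1.4.1.1466.20037
64ef19a6 conn=32342 op=0 STARTTLS
64ef19a6 conn=32342 op=0 RESULT oid= err=0 text=
64ef19a6 conn=32342 fd=12 TLS established tls_ssf=256 ssf=256
64ef19a6 conn=32342 fd=12 closed (connection lost)
64ef1c50 conn=32368 fd=12 ACCEPT from IP=10.0.18.33:53317 (IP=0.0.0.0:636)
64ef1c50 conn=32368 fd=12 TLS established tls_ssf=256 ssf=256
64ef1c50 conn=32368 fd=12 closed (connection lost)
64ef1d00 conn=32400 fd=13 ACCEPT from IP=10.0.18.40:40001 (IP=0.0.0.0:636)
64ef1d00 conn=32400 fd=13 TLS established tls_ssf=256 ssf=256
64ef1d00 conn=32400 op=0 BIND dn="cn=airflow,ou=svc,dc=example,dc=org" method=128
64ef1d00 conn=32400 op=0 RESULT tag=97 err=0 text=
64ef1d00 conn=32400 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=0 filter="(uid=alice)"
64ef1d00 conn=32400 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
64ef1d00 conn=32400 fd=13 closed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=\d+ (?P<kind>[A-Z]+)")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<client>\S+) \(IP=\S+:(?P<port>\d+)\)")
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
# Operations showing the client actually used the session after the handshake.
SUBSTANTIVE_OPS = {"BIND", "SRCH", "CMP", "MOD", "ADD", "DEL", "MODRDN"}


@dataclass
class Conn:
    conn_id: int
    client: str = ""
    listener_port: int = 0
    starttls: bool = False          # STARTTLS requested on a plain listener
    tls_established: bool = False   # slapd finished the handshake
    ops_after_tls: List[str] = field(default_factory=list)
    closed_how: str = ""            # "clean", "lost", or "" if still open


def parse_slapd_log(text: str) -> Dict[int, Conn]:
    """Group slapd log lines by connection and record the TLS lifecycle."""
    conns: Dict[int, Conn] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cid = int(m.group("conn"))
        rest = m.group("rest")
        c = conns.setdefault(cid, Conn(cid))
        if rest.startswith("op="):
            om = OP_RE.match(rest)
            kind = om.group("kind") if om else ""
            if kind == "STARTTLS" or (kind == "EXT" and STARTTLS_OID in rest):
                c.starttls = True
            elif kind in SUBSTANTIVE_OPS and c.tls_established:
                c.ops_after_tls.append(kind)
        elif "ACCEPT from IP=" in rest:
            am = ACCEPT_RE.search(rest)
            if am:
                c.client = am.group("client")
                c.listener_port = int(am.group("port"))
        elif "TLS established" in rest:
            c.tls_established = True
        elif " closed" in rest:
            c.closed_how = "lost" if "connection lost" in rest else "clean"
    return conns


def classify(c: Conn) -> str:
    """Short verdict for one connection."""
    if not c.tls_established:
        return "no-tls"
    if c.ops_after_tls:
        return "ok"
    if c.closed_how == "lost":
        # Server completed the handshake, then the client dropped the socket
        # without ever binding: the client rejected the session, not slapd.
        return "client-dropped-after-tls"
    return "idle-after-tls"


def triage(text: str) -> Dict[int, str]:
    """Map conn id -> verdict for a whole log."""
    return {cid: classify(c) for cid, c in parse_slapd_log(text).items()}


if __name__ == "__main__":
    for cid, c in parse_slapd_log(SAMPLE_SLAPD_LOG).items():
        mode = "starttls" if c.starttls else "ldaps" if c.listener_port == 636 else "plain"
        print(f"conn={cid} from {c.client} port={c.listener_port} ({mode}) "
              f"ops_after_tls={c.ops_after_tls or '-'} -> {classify(c)}")
```

Run it as a script for a per-connection report, or pass a real slapd log to triage(). The verdict client-dropped-after-tls means slapd completed the handshake and the client walked away before authenticating, which points at the client side rather than at network reachability or the server's LDAP configuration (consistent with the post: the port is reachable from the pod and Grafana binds fine). libldap verifies the server certificate chain against its CA store and the certificate name against the host in the URL as part of connecting, and either check failing is reported back through python-ldap as the generic result -1 'Can't contact LDAP server'. Flask-AppBuilder exposes the trust store through AUTH_LDAP_TLS_CACERTFILE and AUTH_LDAP_TLS_CACERTDIR; pointing those at the CA that issued the LDAP server's certificate is the fix to reach for. AUTH_LDAP_ALLOW_SELF_SIGNED switches verification off and would let the webserver hand credentials to any host answering on that address.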

zeddit commented

I have copied the code in https://github.com/dpgaspar/Flask-AppBuilder/blob/74f37e21a3c9c7ca7fb3e56f73759e3eaa2ead6b/flask_appbuilder/security/manager.py#L938 , and I found nothing wrong with the auth.
Besides, I got into the pod of the Airflow webserver and tested the network connectivity with the LDAP server; there is no problem.

When using the STARTTLS auth method, the code failed at

if self.auth_ldap_use_tls:
    try:
        con.start_tls_s()
    except Exception:
        log.error(LOGMSG_ERR_SEC_AUTH_LDAP_TLS, self.auth_ldap_server)
        return None

However, when I executed the same code in other pods or directly on another host, it worked with no error.

zeddit commented

The problem has no progress yet.

zeddit commented

@thesuperzapper not yet.
I think your advice is right; the root cause is in Flask-AppBuilder. I will raise an issue there.
Great thanks for your help.