Apache Airflow - AIRFLOW-5019

Group membership retrieval failure based on memberOf virtual attribute


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.10.3
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      We have configured Okta LDAP authentication for Apache Airflow. The user authenticates successfully with Okta, but the user's group membership retrieval fails.

      Below are the LDAP Configs we are using:

        [ldap]
        # set this to ldaps://<your.ldap.server>:<port>
        uri = ldaps://[subdomain].ldap.oktapreview.com
        user_filter = objectClass=*
        user_name_attr = uid
        group_member_attr = memberOf
        superuser_filter = memberOf=cn=Everyone,ou=groups,dc=[subdomain],dc=oktapreview,dc=com
        data_profiler_filter =
        bind_user = [username]
        bind_password = [password]
        basedn = ou=users,dc=[subdomain],dc=oktapreview,dc=com
        cacert = [path/to/cert]
        search_scope = LEVEL


      Below are the error logs we are seeing in Airflow:

      Traceback (most recent call last):
        File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 2317, in wsgi_app
          response = self.full_dispatch_request()
        File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1840, in full_dispatch_request
          rv = self.handle_user_exception(e)
        File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1743, in handle_user_exception
          reraise(exc_type, exc_value, tb)
        File "/usr/local/lib/python3.6/site-packages/flask/compat.py", line 36, in reraise
          raise value
        File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1838, in full_dispatch_request
          rv = self.dispatch_request()
        File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1824, in dispatch_request
          return self.view_functions[rule.endpoint](**req.view_args)
        File "/usr/local/lib/python3.6/site-packages/flask_admin/base.py", line 69, in inner
          return self._run_view(f, *args, **kwargs)
        File "/usr/local/lib/python3.6/site-packages/flask_admin/base.py", line 368, in _run_view
          return fn(self, *args, **kwargs)
        File "/usr/local/lib/python3.6/site-packages/airflow/www/views.py", line 731, in login
          return airflow.login.login(self, request)
        File "/usr/local/lib/python3.6/site-packages/airflow/utils/db.py", line 73, in wrapper
          return func(*args, **kwargs)
        File "/usr/local/lib/python3.6/site-packages/airflow/contrib/auth/backends/ldap_auth.py", line 322, in login
          flask_login.login_user(LdapUser(user))
        File "<string>", line 4, in __init__
        File "/usr/local/lib64/python3.6/site-packages/sqlalchemy/orm/state.py", line 428, in initialize_instance
          manager.dispatch.init_failure(self, args, kwargs)
        File "/usr/local/lib64/python3.6/site-packages/sqlalchemy/util/langhelpers.py", line 67, in __exit__
          compat.reraise(exc_type, exc_value, exc_tb)
        File "/usr/local/lib64/python3.6/site-packages/sqlalchemy/util/compat.py", line 277, in reraise
          raise value
        File "/usr/local/lib64/python3.6/site-packages/sqlalchemy/orm/state.py", line 425, in initialize_instance
          return manager.original_init(*mixed[1:], **kwargs)
        File "/usr/local/lib/python3.6/site-packages/airflow/contrib/auth/backends/ldap_auth.py", line 160, in __init__
          user.username)
        File "/usr/local/lib/python3.6/site-packages/airflow/contrib/auth/backends/ldap_auth.py", line 91, in group_contains_user
          attributes=[native(user_name_attr)]):
        File "/usr/local/lib/python3.6/site-packages/ldap3/core/connection.py", line 785, in search
          check_names=self.check_names)
        File "/usr/local/lib/python3.6/site-packages/ldap3/operation/search.py", line 372, in search_operation
          request['filter'] = compile_filter(parse_filter(search_filter, schema, auto_escape, auto_encode, validator, check_names).elements[0])  # parse the searchFilter string and compile it starting from the root node
        File "/usr/local/lib/python3.6/site-packages/ldap3/operation/search.py", line 206, in parse_filter
          current_node.append(evaluate_match(search_filter[start_pos:end_pos], schema, auto_escape, auto_encode, validator, check_names))
        File "/usr/local/lib/python3.6/site-packages/ldap3/operation/search.py", line 166, in evaluate_match
          assertion = {'attr': left_part, 'value': validate_assertion_value(schema, left_part, right_part, auto_escape, auto_encode, validator, check_names)}
        File "/usr/local/lib/python3.6/site-packages/ldap3/protocol/convert.py", line 146, in validate_assertion_value
          value = validate_attribute_value(schema, name, value, auto_encode, validator=validator, check_names=check_names)
        File "/usr/local/lib/python3.6/site-packages/ldap3/protocol/convert.py", line 162, in validate_attribute_value
          raise LDAPAttributeError('invalid attribute ' + name)
      ldap3.core.exceptions.LDAPAttributeError: invalid attribute memberOf


            People

            • Assignee: Unassigned
            • Reporter: Mhishi Destiny
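An added example, not code from this issue, from Airflow or from ldap3, that models the check the traceback ends in: ldap3's validate_attribute_value() rejects any attribute named in a search filter that the schema downloaded from the server does not list, unless the name is in ldap3's ATTRIBUTES_EXCLUDED_FROM_CHECK list, and Okta's LDAP interface serves memberOf as a virtual attribute that its subschema does not advertise. The Okta-like schema set below is constructed, the "(&(<filter>))" wrapping is an assumption about what group_contains_user sends, and the last function applies the real ldap3 knob (set_config_parameter on ATTRIBUTES_EXCLUDED_FROM_CHECK) only when ldap3 is importable, so the script runs offline.

```python
"""Added example, not code from Airflow or ldap3.

Models the check_names validation that fails in the traceback above: every
attribute named in a search filter is looked up in the schema the client
downloaded from the server, and a name that is not there raises
LDAPAttributeError('invalid attribute <name>') unless it appears in the
ATTRIBUTES_EXCLUDED_FROM_CHECK config parameter.
"""
import re
from typing import Iterable, List, Optional

# Constructed, Okta-like attribute list. Assumption: memberOf is absent
# because Okta serves it as a virtual attribute, which is what the traceback
# implies; this is not a dump of Okta's real subschema.
OKTA_LIKE_SCHEMA_ATTRIBUTES = {
    "objectClass", "uid", "cn", "sn", "givenName", "mail", "uniqueMember",
}

# Value copied from the [ldap] section in the issue description.
SUPERUSER_FILTER = "memberOf=cn=Everyone,ou=groups,dc=[subdomain],dc=oktapreview,dc=com"

# An attribute name sits between "(" and one of the RFC 4515 operators
# (=, >=, <=, ~=, or an extensible ":rule:=" form); "(&", "(|" and "(!" are
# not assertions and therefore do not match.
_ASSERTION_ATTR = re.compile(r"\(([A-Za-z][A-Za-z0-9.;-]*)(?:[<>~]|:[^=()]*)?=")


def airflow_group_search_filter(group_filter: str) -> str:
    """Assumption: the 1.10 ldap backend's group_contains_user wraps the
    configured filter as '(&(<filter>))' before calling conn.search()."""
    return "(&({0}))".format(group_filter)


def filter_attribute_names(search_filter: str) -> List[str]:
    """Return the attribute name of every assertion in an LDAP search filter."""
    return _ASSERTION_ATTR.findall(search_filter)


def check_filter_names(search_filter: str,
                       schema_attributes: Iterable[str],
                       excluded: Iterable[str] = ()) -> List[str]:
    """Return the filter attribute names ldap3's check_names would reject.

    Mirrors the rule visible in the traceback: attribute options after ';'
    are dropped, the lookup is case-insensitive, and names in the exclusion
    list bypass the schema lookup. An empty list means the filter would pass.
    """
    known = {a.lower() for a in schema_attributes}
    skip = {a.lower() for a in excluded}
    rejected = []
    for name in filter_attribute_names(search_filter):
        base = name.split(";")[0].lower()
        if base not in known and base not in skip:
            rejected.append(name)
    return rejected


def allow_virtual_attributes_in_ldap3(names: Iterable[str]) -> Optional[List[str]]:
    """Apply the real remedy when ldap3 is installed.

    Appends `names` to ldap3's ATTRIBUTES_EXCLUDED_FROM_CHECK, the list that
    validate_attribute_value consults, and returns the new list; returns None
    when ldap3 is not importable. It must run before the Connection issues
    the search (for Airflow, at webserver start-up), because the 1.10 backend
    builds its own Connection and does not expose check_names.
    """
    try:
        from ldap3 import get_config_parameter, set_config_parameter
    except ImportError:
        return None
    current = list(get_config_parameter("ATTRIBUTES_EXCLUDED_FROM_CHECK"))
    merged = current + [n for n in names if n not in current]
    set_config_parameter("ATTRIBUTES_EXCLUDED_FROM_CHECK", merged)
    return merged


if __name__ == "__main__":
    flt = airflow_group_search_filter(SUPERUSER_FILTER)
    print("filter sent:", flt)
    print("rejected without exclusion:",
          check_filter_names(flt, OKTA_LIKE_SCHEMA_ATTRIBUTES))
    print("rejected with memberOf excluded:",
          check_filter_names(flt, OKTA_LIKE_SCHEMA_ATTRIBUTES, excluded=["memberOf"]))
    print("ldap3 exclusion list now:", allow_virtual_attributes_in_ldap3(["memberOf"]))
```

Run as a script it reports memberOf as the one rejected name for the configured superuser_filter and an empty list once memberOf is excluded. When you control the ldap3 Connection yourself, Connection(check_names=False) or Server(get_info=NONE) has the same effect as the exclusion list; the Airflow 1.10 backend builds its Connection internally, so the process-wide config parameter is the knob that can be set from outside it. Two caveats: skipping the client-side check only gets the filter onto the wire, and whether Okta evaluates memberOf server-side in a search is not established by this issue; and the configured superuser_filter matches cn=Everyone, Okta's built-in group that contains every user, so once the lookup works every authenticated Okta user becomes an Airflow superuser, which is worth narrowing to a dedicated group.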