Updated to that before return to spawner, the set_spawner_attributes are reformatted with updated LDAP attributes that have can extracted from the DIT and now only be available from the pre-submit values, also added the LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY option to get the first attribute value from a list of attributes

Author: rasmunk

example/setup_ldap_entry_hook_config.py

@@ -2,7 +2,7 @@
 from jhubauthenticators import RegexUsernameParser
 from ldap_hooks import setup_ldap_entry_hook
 from ldap_hooks import LDAP, LDAP_SEARCH_ATTRIBUTE_QUERY, \
-    SPAWNER_SUBMIT_DATA, INCREMENT_ATTRIBUTE
+    SPAWNER_SUBMIT_DATA, INCREMENT_ATTRIBUTE, LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY
 c = get_config()
 
 c.JupyterHub.ip = '0.0.0.0'
@@ -40,18 +40,19 @@
 
 # Dynamic attributes and where to find the value
 LDAP.dynamic_attributes = {
+    'uid': LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY,
     'emailAddress': SPAWNER_SUBMIT_DATA,
     'uidNumber': LDAP_SEARCH_ATTRIBUTE_QUERY
 }
 
 LDAP.set_spawner_attributes = {
-    'environment': {'NB_USER': '{emailAddress}',
+    'environment': {'NB_USER': '{uid}',
                     'NB_UID': '{uidNumber}'},
 }
 
 # Attributes used to check whether the ldap data
 # of type object_classes already exists
-# LDAP.unique_object_attributes = ['emailAddress']
+LDAP.unique_object_attributes = ['uid']
 LDAP.search_attribute_queries = [
     {'search_base': LDAP.base_dn,
      'search_filter': '(objectclass=X-nextUserIdentifier)',
@@ -64,7 +65,7 @@
 
 # Submit object settings
 LDAP.object_classes = ['X-certsDistinguishedName', 'PosixAccount']
-LDAP.object_attributes = {'uid': '{emailAddress}',
+LDAP.object_attributes = {'uid': '{uid}',
                           'uidNumber': '{uidNumber}',
                           'gidNumber': '100',
-                          'homeDirectory': '/home/{emailAddress}'}
+                          'homeDirectory': '/home/{uid}'}

example/setup_ldap_hook_test_config.py

@@ -55,7 +55,7 @@
 # LDAP.unique_object_attributes = ['emailAddress']
 LDAP.search_attribute_queries = [
     {'search_base': LDAP.base_dn,
-     'search_filter': '(objectclass=X-nextUserIdentifier)',
+     'search_filter': '(objectclass=x-nextUserIdentifier)',
      'attributes': ['uidNumber']}
 ]
 
@@ -64,7 +64,7 @@
                                                'modify_dn': modify_dn}}
 
 # Submit object settings
-LDAP.object_classes = ['X-certsDistinguishedName', 'PosixAccount']
+LDAP.object_classes = ['x-certsDistinguishedName', 'PosixAccount']
 LDAP.object_attributes = {'uid': '{name}',
                           'uidNumber': '{uidNumber}',
                           'gidNumber': '100',

ldap_hooks/hooks.py

@@ -16,11 +16,13 @@
 LDAP_SEARCH_ATTRIBUTE_QUERY = '2'
 SPAWNER_ATTRIBUTE = '3'
 SPAWNER_USER_ATTRIBUTE = '4'
+LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY = '5'
 
 DYNAMIC_ATTRIBUTE_METHODS = (SPAWNER_SUBMIT_DATA,
                              LDAP_SEARCH_ATTRIBUTE_QUERY,
                              SPAWNER_ATTRIBUTE,
-                             SPAWNER_USER_ATTRIBUTE)
+                             SPAWNER_USER_ATTRIBUTE,
+                             LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY)
 INCREMENT_ATTRIBUTE = '1'
 SEARCH_RESULT_OPERATION_ACTIONS = (INCREMENT_ATTRIBUTE,)
 
@@ -346,10 +348,8 @@ def perform_search_result_operation(logger, conn_manager, base_dn,
 
 
 def get_interpolated_dynamic_attributes(logger, sources, dynamic_attributes):
-    set_attributes = {}
+    return_dict = {}
     for attr_key, attr_val in dynamic_attributes.items():
-        # Check sources for LDAP_SEARCH_ATTRIBUTE_QUERY
-        # key response with values
         val = None
         if attr_val not in DYNAMIC_ATTRIBUTE_METHODS:
             logger.error("LDAP - Illegal dynamic_attributes value: {}"
@@ -363,6 +363,14 @@ def get_interpolated_dynamic_attributes(logger, sources, dynamic_attributes):
                     and sources[LDAP_SEARCH_ATTRIBUTE_QUERY]:
                 val = get_dict_key(sources[LDAP_SEARCH_ATTRIBUTE_QUERY],
                                    attr_key)
+        if attr_val == LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY:
+            if LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY in sources \
+                    and sources[LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY]:
+                val = get_dict_key(sources[LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY],
+                                   attr_key)
+                if isinstance(val, (list, set, tuple)):
+                    val = val[0]
+
         if attr_val == SPAWNER_SUBMIT_DATA:
             if SPAWNER_SUBMIT_DATA in sources \
                     and sources[SPAWNER_SUBMIT_DATA]:
@@ -376,13 +384,11 @@ def get_interpolated_dynamic_attributes(logger, sources, dynamic_attributes):
             if SPAWNER_USER_ATTRIBUTE in sources \
                     and sources[SPAWNER_USER_ATTRIBUTE]:
                 val = get_attr(sources[SPAWNER_USER_ATTRIBUTE], attr_key)
-        if not val:
-            logger.error("LDAP - Missing {} in {} which is required for {} in "
-                         "get_interpolated_dynamic_attributes".format(
-                             attr_val, sources, attr_key))
-            return False
-        set_attributes[attr_key] = val
-    return set_attributes
+        if val:
+            return_dict[attr_key] = val
+    logger.debug("LDAP - prepared interpolated_attributes {}".format(
+        return_dict))
+    return return_dict
 
 
 def update_spawner_attributes(spawner, spawner_attributes):
@@ -583,6 +589,7 @@ def setup_ldap_entry_hook(spawner):
                 "LDAP - Retrived attributes {}".format(attributes))
             # Extract attributes from existing object
             sources = {LDAP_SEARCH_ATTRIBUTE_QUERY: attributes,
+                       LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY: attributes,
                        SPAWNER_SUBMIT_DATA: ldap_dict,
                        SPAWNER_ATTRIBUTE: spawner,
                        SPAWNER_USER_ATTRIBUTE: spawner.user}
@@ -660,6 +667,8 @@ def setup_ldap_entry_hook(spawner):
                             return False
                         attributes[attr_key] = post_operation_val
                         sources.update({LDAP_SEARCH_ATTRIBUTE_QUERY:
+                                        {attr_key: post_operation_val},
+                                        LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY:
                                         {attr_key: post_operation_val}})
 
                 ldap_dict.update(attributes)
@@ -671,26 +680,24 @@ def setup_ldap_entry_hook(spawner):
         spawner.log.debug(
             "LDAP - Sources state before interpolation "
             "with dynamic attributes {}".format(sources))
-        prepared_dynamic_attributes = get_interpolated_dynamic_attributes(
+
+        prepared_object_attributes = get_interpolated_dynamic_attributes(
             spawner.log, sources, instance.dynamic_attributes)
-        spawner.log.debug("LDAP - dynamic_attributes "
-                          "post interpolated: {}".format(
-                              prepared_dynamic_attributes))
-
-        if instance.dynamic_attributes and not prepared_dynamic_attributes:
-            spawner.log.error("LDAP - Failed to setup prepared_attributes:"
-                              " {} with attribute_dict: {}".format(
-                                  prepared_dynamic_attributes, ldap_dict))
+
+        spawner.log.debug("LDAP - prepared_object_attributes:"
+                          " {}".format(prepared_object_attributes))
+
+        if instance.dynamic_attributes and not prepared_object_attributes:
+            spawner.log.error("LDAP - Failed to setup "
+                              "prepared_object_attributes: {} with "
+                              "attribute_dict: {}".format(
+                                  prepared_object_attributes, ldap_dict)
+                              )
             return False
 
         # Format dn provided variables
-        recursive_format(instance.set_spawner_attributes,
-                         prepared_dynamic_attributes)
         recursive_format(instance.object_attributes,
-                         prepared_dynamic_attributes)
-
-        spawner.log.debug("LDAP - prepared spawner attributes {}".format(
-            instance.set_spawner_attributes))
+                         prepared_object_attributes)
         spawner.log.debug("LDAP - prepared object attributes {}".format(
             instance.object_attributes))
 
@@ -733,14 +740,41 @@ def setup_ldap_entry_hook(spawner):
                               search_base, search_filter))
         success = search_for(conn_manager.get_connection(),
                              search_base,
-                             search_filter)
+                             search_filter,
+                             attributes=ALL_ATTRIBUTES)
         if not success:
             spawner.log.error("Failed to find {} at {}".format(
                 (search_base, search_filter), instance.url))
             return False
         spawner.log.info("LDAP - found {} in {}".format(
             conn_manager.get_response(), instance.url))
 
+        response = conn_manager.get_response()
+        if len(response) > 1:
+            spawner.log.error(
+                "LDAP - multiple entries: {} were found with:"
+                " {}".format(response, search_filter))
+            return False
+
+        attributes = conn_manager.get_response_attributes()
+        # TODO, validate all the attributes are as expected
+        if not attributes:
+            spawner.log.error(
+                "LDAP - No attributes were returned from "
+                "existing dn: {} with search_filer: {}".format(ldap_data,
+                                                               search_filter))
+            return False
+
+        sources.update({LDAP_SEARCH_ATTRIBUTE_QUERY: attributes,
+                        LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY: attributes})
+        prepared_spawner_attributes = get_interpolated_dynamic_attributes(
+            spawner.log, sources, instance.dynamic_attributes)
+
+        recursive_format(instance.set_spawner_attributes,
+                         prepared_spawner_attributes)
+        spawner.log.debug("LDAP - formatted set_spawner_attributes: "
+                          "{} for the new entry: {}".format(
+                              instance.set_spawner_attributes, attributes))
         # Pass prepared attributes to spawner attributes
         update_spawner_attributes(spawner, instance.set_spawner_attributes)
         return True

tests/configs/jhub/ldap_posix_hook.py renamed to tests/configs/jhub/ldap_object_spawner_hook.py

@@ -1,12 +1,14 @@
 """A simple jupyter config file for testing the authenticator."""
 from ldap_hooks import setup_ldap_entry_hook
-from ldap_hooks import LDAP, LDAP_SEARCH_ATTRIBUTE_QUERY
+from ldap_hooks import LDAP, LDAP_SEARCH_ATTRIBUTE_QUERY, \
+    SPAWNER_USER_ATTRIBUTE, LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY
 c = get_config()
 
+c.JupyterHub.ip = '0.0.0.0'
 c.JupyterHub.hub_ip = '0.0.0.0'
-
 c.JupyterHub.authenticator_class = 'jhubauthenticators.HeaderAuthenticator'
 c.JupyterHub.spawner_class = 'dockerspawner.DockerSpawner'
+
 c.DockerSpawner.image = 'jupyter/base-notebook:latest'
 c.DockerSpawner.network_name = 'jhub_ldap_network'
 
@@ -27,22 +29,21 @@
 LDAP.replace_object_with = {'/': '+'}
 
 LDAP.dynamic_attributes = {
-    'uidNumber': LDAP_SEARCH_ATTRIBUTE_QUERY
+    'name': SPAWNER_USER_ATTRIBUTE,
+    'uid': LDAP_FIRST_SEARCH_ATTRIBUTE_QUERY
 }
 
 LDAP.set_spawner_attributes = {
-    'environment': {'NB_UID': '{uidNumber}'}
+    'environment': {'NB_USER': '{uid}'}
 }
 
-LDAP.search_attribute_queries = [
-    {'search_base': LDAP.base_dn,
-     'search_filter': '(objectclass=X-nextUserIdentifier)',
-     'attributes': ['uidNumber']}
-]
-
-# LDAP DIT object definition
-LDAP.object_classes = ['Person', 'PosixAccount']
-LDAP.object_attributes = {
-    'uidNumber': '{uidNumber}',
-    'gidNumber': '100'
-}
+# Attributes used to check whether the ldap data
+# of type object_classes already exists
+LDAP.unique_object_attributes = ['CN']
+
+# Submit object settings
+LDAP.object_classes = ['InetOrgPerson', 'PosixAccount']
+LDAP.object_attributes = {'uid': '{name}',
+                          'uidNumber': '1000 ',
+                          'gidNumber': '100',
+                          'homeDirectory': '/home/{name}'}

tests/configs/jhub/ldap_person_dynamic_attr_hook.py

@@ -3,6 +3,7 @@
 from ldap_hooks import LDAP, SPAWNER_SUBMIT_DATA
 c = get_config()
 
+c.JupyterHub.ip = '0.0.0.0'
 c.JupyterHub.hub_ip = '0.0.0.0'
 
 c.JupyterHub.authenticator_class = 'jhubauthenticators.HeaderAuthenticator'

tests/configs/jhub/ldap_person_hook.py

@@ -3,6 +3,7 @@
 from ldap_hooks import LDAP
 c = get_config()
 
+c.JupyterHub.ip = '0.0.0.0'
 c.JupyterHub.hub_ip = '0.0.0.0'
 
 c.JupyterHub.authenticator_class = 'jhubauthenticators.HeaderAuthenticator'