2
votes

I am using Airflow v1.9.0 and am trying to set up groups using LDAP authentication. I can get the basic LDAP authentication working that defaults all users to be superusers. However, I cannot get the AD to match against a specific group. For instance, I have user TommyLeeJones who I know is part of the user group MIB, but I can't get Airflow to match this user against this group.

In my airflow.cfg file, I have set:

[webserver]
authenticate = True
auth_backend = airflow.contrib.auth.backends.ldap_auth

[ldap]
user_filter = objectClass=*
user_name_attr=sAMAccountName

In my webserver.env file, I have:

AIRFLOW__LDAP__URI=zartha.men.in.black:389
AIRFLOW__LDAP__BIND_USER=men\TommyLeeJones
AIRFLOW__LDAP__BIND_PASSWORD=APersonIsSmartPeopleAreDumb
AIRFLOW__LDAP__SUPERUSER_FILTER=memberOf=CN=MIB,OU=UK,OU=Groups,DC=men,DC=in,DC=black
AIRFLOW__LDAP__DATA_PROFILER_FILTER=memberOf=CN=MIB,OU=UK,OU=Groups,DC=men,DC=in,DC=black
AIRFLOW__LDAP__BASEDN=DC=men,DC=in,DC=black
AIRFLOW__LDAP__SEARCH_SCOPE=SUBTREE

I can log in, but not as a superuser, which I should be able to.

1
Confirm your AIRFLOW__LDAP__SUPERUSER_FILTER is correct and that you have that role for your account. 99% sure that's your issue, always seems to be my LDAP issue. - Mike

I found the issue, the webserver.env file complains when there are spaces in the CN or OU values and wrapping it in quotes ends in an error. Just found another group that doesn't have spaces in the CN or OU values. - cal barry

Great @cal, I put this as the answer. - Mike

I confirm the problem with spaces inside CN and OU. - Nicola Ben

1 Answer

0
votes

When working with LDAP, I find that I'm usually misspelling my LDAP query.

Confirm that AIRFLOW__LDAP__SUPERUSER_FILTER is correct.

You can use the ldap3 Python package and confirm from the command line that this works.
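
An offline lint for the cause confirmed in the comments above (spaces or quotes in the filter values of webserver.env), added here as an example; it is not part of the original answer or of Airflow. The function name `lint_ldap_env` and the sample group name are hypothetical, and it assumes one KEY=VALUE per line with simple attr=value filters like those in the question.

```python
import re

def lint_ldap_env(text):
    """Map each AIRFLOW__LDAP__* variable in env-file text to a list of findings.

    Handles simple attr=value filters like the ones in the question,
    one KEY=VALUE per line; compound filters are out of scope.
    """
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if not key.startswith("AIRFLOW__LDAP__"):
            continue
        issues = []
        if value.startswith(('"', "'")):
            issues.append("value is wrapped in quotes")
            value = value.strip("\"'")
        if key.endswith("_FILTER"):
            attr, _, assertion = value.partition("=")
            if not attr or not assertion:
                issues.append("filter is not of the form attr=value")
            # RFC 4515: literal parentheses in a value are written \28 and \29.
            if re.search(r"[()]", assertion):
                issues.append("unescaped parenthesis in filter value")
            # Name the RDN that carries the space; split on unescaped commas.
            for rdn in re.split(r"(?<!\\),", assertion):
                if " " in rdn:
                    issues.append("space in RDN: " + rdn)
        elif " " in value:
            issues.append("space in value")
        report[key] = issues
    return report

# Constructed sample: the group name "MIB Agents" is made up for illustration.
SAMPLE = """\
AIRFLOW__LDAP__BASEDN=DC=men,DC=in,DC=black
AIRFLOW__LDAP__SUPERUSER_FILTER=memberOf=CN=MIB Agents,OU=UK,OU=Groups,DC=men,DC=in,DC=black
AIRFLOW__LDAP__DATA_PROFILER_FILTER="memberOf=CN=MIB,OU=UK,OU=Groups,DC=men,DC=in,DC=black"
"""

if __name__ == "__main__":
    for name, problems in lint_ldap_env(SAMPLE).items():
        print(name, "->", problems or "ok")
```

A clean report only says the file has none of the problems reported in this thread; whether the group DN exists and contains the account still has to be checked against the directory.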