
Unable to access SWAP notebooks using LDAP
Closed, Resolved · Public

Description

I'm trying to access SWAP via these instructions https://wikitech.wikimedia.org/wiki/SWAP#Access.

I use the tunnel listed on SWAP#Access,

ssh -N notebook1003.eqiad.wmnet -L 8000:127.0.0.1:8000

Then I try...

http://localhost:8000/

...in Chrome, and I see a login page. Attempting to log in with LDAP credentials yields the invalid username or password error. I confirm that the password and username I used are the same as my other access.

If you need more information to address my issue, lmk and I'll provide it as quickly as possible.

Thank you!

Event Timeline

I can see the following in the jupyterhub's logs;

elukey@notebook1003:/var/log/jupyterhub$ sudo grep -rni connie *
197759:Aug 14 15:36:08 notebook1003 jupyterhub[20825]: [W 2019-08-14 15:36:08.526 JupyterHub ldapauthenticator:154] Invalid password for user uid=conniecc1,ou=people,dc=wikimedia,dc=org
197760:Aug 14 15:36:08 notebook1003 jupyterhub[20825]: [W 2019-08-14 15:36:08.527 JupyterHub base:351] Failed login for conniecc1
198372:Aug 16 18:28:07 notebook1003 jupyterhub[20825]: [W 2019-08-16 18:28:07.073 JupyterHub ldapauthenticator:154] Invalid password for user uid=conniecc1,ou=people,dc=wikimedia,dc=org
198373:Aug 16 18:28:07 notebook1003 jupyterhub[20825]: [W 2019-08-16 18:28:07.074 JupyterHub base:351] Failed login for conniecc1

elukey@notebook1003:/var/log/jupyterhub$ sudo grep -rni cchen *
197755:Aug 14 15:35:51 notebook1003 jupyterhub[20825]: [W 2019-08-14 15:35:51.054 JupyterHub jupyterhub_config:144] User cchen not in allowed groups (notebook-roots, researchers, analytics-users, analytics-admins, statistics-privatedata-users, analytics-privatedata-users)
197756:Aug 14 15:35:51 notebook1003 jupyterhub[20825]: [W 2019-08-14 15:35:51.055 JupyterHub base:351] Failed login for cchen
197757:Aug 14 15:36:01 notebook1003 jupyterhub[20825]: [W 2019-08-14 15:36:01.731 JupyterHub jupyterhub_config:144] User cchen not in allowed groups (notebook-roots, researchers, analytics-users, analytics-admins, statistics-privatedata-users, analytics-privatedata-users)
197758:Aug 14 15:36:01 notebook1003 jupyterhub[20825]: [W 2019-08-14 15:36:01.731 JupyterHub base:351] Failed login for cchen

The config is the following:

# Local POSIX group names that will be allowed to log in
ALLOWED_POSIX_GROUPS = ['notebook-roots','researchers','analytics-users','analytics-admins','statistics-privatedata-users','analytics-privatedata-users']

# Authenticator type to use, either 'dummy' or 'ldap'.
AUTHENTICATOR        = 'ldap'
# LDAP groups that will be allowed to authenticate
ALLOWED_LDAP_GROUPS  = ['cn=nda,ou=groups,dc=wikimedia,dc=org','cn=wmf,ou=groups,dc=wikimedia,dc=org']
LDAP_SERVER          = 'ldap-ro.eqiad.wikimedia.org'
LDAP_BIND_DN_TEMPLATE= 'uid={username},ou=people,dc=wikimedia,dc=org'

elukey@notebook1003:/var/log/jupyterhub$ id conniecc1
uid=21734(conniecc1) gid=500(wikidev) groups=500(wikidev),714(researchers),731(analytics-privatedata-users)

elukey@mwmaint1002:~$ ldapsearch -x -b ou=groups,dc=wikimedia,dc=org cn="wmf"  | grep conniecc1
member: uid=conniecc1,ou=people,dc=wikimedia,dc=org

Since the uid is used for LDAP, conniecc1 is surely the user to use in this case. For some reason, it leads to invalid password from LDAP, even if the same user/pass combination is successfully used in Superset (that requires the uid for LDAP as well).

As far as I can see, this seems to be a password issue, but after a chat with @cchen it seems not the case (otherwise how could it be possible that Superset works?)

@cchen a couple of questions:

  • have you tried to log in in other places, like for example: https://turnilo.wikimedia.org, https://yarn.wikimedia.org - do you log in fine?
  • can you try to ssh to notebook1003, log-off and then try again with the ssh tunnel and the login to jupyter? Long shot but I'd like to exclude some weird behavior because your home dir is still not there (it is created upon first successful ssh log in to the notebook1003 host).

Edit: scratch the last point, your home dir is already on notebook1003 :)

elukey triaged this task as Medium priority. Aug 19 2019, 3:32 PM
elukey moved this task from Incoming to Operational Excellence on the Analytics board.
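
Added example, not part of the original task or of Wikimedia's tooling: the log excerpts above show two different reasons behind the same generic "Failed login" line (a rejected LDAP password versus a POSIX group check), and this sketch attributes each failure to its cause. The sample log is constructed in the format of the quoted lines, and the function name and cause labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the JupyterHub lines quoted above
# (placeholder users; a leading "NNN:" from grep -n is tolerated by search()).
SAMPLE_LOG = """\
Aug 14 15:35:51 notebook1003 jupyterhub[20825]: [W 2019-08-14 15:35:51.054 JupyterHub jupyterhub_config:144] User alice not in allowed groups (notebook-roots, researchers)
Aug 14 15:35:51 notebook1003 jupyterhub[20825]: [W 2019-08-14 15:35:51.055 JupyterHub base:351] Failed login for alice
Aug 14 15:36:08 notebook1003 jupyterhub[20825]: [W 2019-08-14 15:36:08.526 JupyterHub ldapauthenticator:154] Invalid password for user uid=alice1,ou=people,dc=example,dc=org
Aug 14 15:36:08 notebook1003 jupyterhub[20825]: [W 2019-08-14 15:36:08.527 JupyterHub base:351] Failed login for alice1
Aug 16 18:28:07 notebook1003 jupyterhub[20825]: [W 2019-08-16 18:28:07.073 JupyterHub ldapauthenticator:154] Invalid password for user uid=alice1,ou=people,dc=example,dc=org
Aug 16 18:28:07 notebook1003 jupyterhub[20825]: [W 2019-08-16 18:28:07.074 JupyterHub base:351] Failed login for alice1
Aug 17 09:00:00 notebook1003 jupyterhub[20825]: [W 2019-08-17 09:00:00.000 JupyterHub base:351] Failed login for bob
"""

HEADER = re.compile(r"\[[A-Z] (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ JupyterHub [\w.]+:\d+\] (?P<msg>.*)$")
FAILED = re.compile(r"Failed login for (?P<user>\S+)")
CAUSES = [
    ("ldap_invalid_password", re.compile(r"Invalid password for user uid=(?P<user>[^,\s]+),")),
    ("not_in_allowed_groups", re.compile(r"User (?P<user>\S+) not in allowed groups")),
]

def classify_failures(log_text):
    """Return {user: [(timestamp, cause), ...]} for every 'Failed login' line.

    The cause is taken from the warning logged for the same user just before
    the generic failure line; 'unknown' means no such warning was seen.
    """
    pending = {}                      # user -> cause from the preceding warning
    result = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue                  # not a JupyterHub application log line
        msg = m.group("msg")
        failed = FAILED.search(msg)
        if failed:
            user = failed.group("user")
            result[user].append((m.group("ts"), pending.pop(user, "unknown")))
            continue
        for cause, pattern in CAUSES:
            hit = pattern.search(msg)
            if hit:
                pending[hit.group("user")] = cause
    return dict(result)

if __name__ == "__main__":
    for user, events in classify_failures(SAMPLE_LOG).items():
        print(user, events)
```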

@elukey Thanks for the updates.

-I just tried the second point you suggested, still got permission denied.

In fact for Yarn I can see:

/var/log/apache2/yarn.wikimedia.org.log:1:[Mon Aug 19 16:11:46.852042 2019] [auth_basic:error] [pid 7525] [client 10.64.16.22:6265] AH01617: user conniecc1: authentication failure for "/": Password Mismatch

@cchen another test - same result with different browsers or with Chrome in incognito mode?

Also, can you try to log in to Yarn with your Wikitech username? Yarn has a different config, you need to use Conniecc1 (in theory).

@elukey looks like it's still not working :(

@cchen I'd suggest at this point to try to change your password to something else, so we will see if it helps or not. From the logs point of view it seems that the wrong password is inserted, but then not sure why you can access some sites and not others.

@elukey I updated the password and it's working! I am able to log into the SWAP now. Thanks again!

elukey claimed this task.

Good!