
I've gotten LDAP authentication to work within Airflow, but it's allowing any user we have in our directory to log in. While it's only showing admin privs for members of the airflow-admin AD group, I would expect users that aren't a member of the airflow-admin or airflow-profiler groups to be denied access, and this isn't the case. Here's my config:

[webserver]
authenticate = True
auth_backend = airflow.contrib.auth.backends.ldap_auth

[ldap]
uri = ldaps://ldaps.mydomain.com:636
user_filter = objectClass=person
user_name_attr = sAMAccountName
group_member_attr = memberOf
superuser_filter = memberOf=CN=airflow-admin,OU=Users,DC=mydomain,DC=com
data_profiler_filter = memberOf=CN=airflow-profiler,OU=Users,DC=mydomain,DC=com
bind_user = cn=ldapadmin,ou=Admins,dc=mydomain,dc=com
bind_password = ******
basedn = dc=mydomain,dc=com
cacert = /usr/local/share/ca-certificates/mydomain.crt
search_scope = SUBTREE

I see several other similar posts with no resolution; I'm beginning to wonder if this even works. Here's a link to the Airflow doc section on LDAP: https://airflow.apache.org/security.html?#ldap

Ben A

1 Answer


Have you tried to filter them out via the user_filter?

The following should only allow users in one of the two mentioned groups access. Unfortunately I do not have Airflow to test and verify this.

user_filter = |(memberOf=CN=airflow-admin,OU=Users,DC=mydomain,DC=com)(memberOf=CN=airflow-profiler,OU=Users,DC=mydomain,DC=com)
Ruli
Jason
  • That caused the following error: File "/home/ubuntu/miniconda3/envs/python-3.6/lib/python3.6/site-packages/ldap3/operation/search.py", line 215, in parse_filter raise LDAPInvalidFilterError('malformed filter') ldap3.core.exceptions.LDAPInvalidFilterError: malformed filter – Ben A Dec 04 '18 at 18:05
  • That appears to be working! Thanks! You would think they would clarify that in their docs... – Ben A Dec 04 '18 at 20:49
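Added example, not code from the question, the answer or Airflow itself: it composes the search filter the way the contrib ldap_auth backend wraps user_filter (the wrapping template is an assumption about that backend) and checks that the result is a well-formed RFC 4515 string, so the doubled-parenthesis "malformed filter" case from the comments above is caught before anything is sent to the directory. The names escape_filter_value, build_search_filter and is_well_formed are mine.

```python
"""Compose an Airflow-style LDAP search filter and sanity-check its syntax."""
import re

# Assumption: the contrib ldap_auth backend wraps the configured user_filter as
# "(&(<user_filter>)(<user_name_attr>=<username>))", so user_filter must be
# written WITHOUT its own outer parentheses (an extra pair yields "((...))").
SEARCH_TEMPLATE = "(&({user_filter})({user_name_attr}={username}))"

# RFC 4515 value escaping, so a typed username cannot alter the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_search_filter(user_filter: str, user_name_attr: str, username: str) -> str:
    return SEARCH_TEMPLATE.format(user_filter=user_filter, user_name_attr=user_name_attr,
                                  username=escape_filter_value(username))

# One simple item: attribute, comparison operator, value without bare parentheses.
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(~=|>=|<=|=)[^()]*")

def _parse(s: str, i: int):
    """Parse one filter starting at s[i]; return the index just past it, or None."""
    if i >= len(s) or s[i] != "(":
        return None
    i += 1
    if i < len(s) and s[i] in "&|":          # (&...) / (|...): one or more sub-filters
        i, n = i + 1, 0
        while i < len(s) and s[i] == "(":
            i, n = _parse(s, i), n + 1
            if i is None:
                return None
        if n == 0:
            return None
    elif i < len(s) and s[i] == "!":          # (!...): exactly one sub-filter
        i = _parse(s, i + 1)
        if i is None:
            return None
    else:                                     # (attr=value)
        m = _ITEM.match(s, i)
        if not m:
            return None
        i = m.end()
    return i + 1 if i < len(s) and s[i] == ")" else None

def is_well_formed(filt: str) -> bool:
    """True if filt is one complete, properly nested RFC 4515 filter string.
    Rejects doubled parentheses such as "(&((|...))(...))", the shape that makes
    ldap3's parse_filter raise LDAPInvalidFilterError('malformed filter')."""
    return _parse(filt, 0) == len(filt)
```

Run is_well_formed over the composed filter for each candidate user_filter before restarting the webserver; the OR form from the answer passes, the same form wrapped in its own parentheses fails.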