Comments (13)
vsoch
commented on August 17, 2024
It looks like it’s social core that brings that dependency in. And you don’t want jose typically, you want python-jose and possibly python-jose[cryptography].
and yes we need to look into what dependencies are triggering these issues and likely update or pin.
from sregistry.
SethosII
commented on August 17, 2024
@vsoch Thank you for the hint. I added the package to requirements.txt and created a pull request for it: #418.
Now there is a new error during login:
uwsgi_1 | Binding as CN=X.X,OU=Service-Accounts,DC=company,DC=com
uwsgi_1 | Caught LDAPError while authenticating XY.XY: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': '(unknown error code)'})
uwsgi_1 | [pid: 28|app: 0|req: 2/4] 10.XXX.XXX.XXX () {50 vars in 1024 bytes} [Mon Mar 27 01:54:40 2023] POST /ldap_auth/login/ => generated 5994 bytes in 344 msecs (HTTP/1.1 200) 7 headers in 395 bytes (1 switches on core 3)
I copied the values for AUTH_LDAP_SERVER_URI, AUTH_LDAP_BIND_DN and AUTH_LDAP_BIND_PASSWORD from a working LDAP setup, so these values should work. Also I'm able to ping the LDAP server. I set the base (DC=company,DC=com) for AUTH_LDAP_USER_SEARCH and AUTH_LDAP_GROUP_SEARCH, this should be no problem? Is there anything else to look out for?
from sregistry.
vsoch
commented on August 17, 2024
Perhaps start with the example https://singularityhub.github.io/sregistry/docs/plugins/ldap confirm it works, and change one thing at a time until you reproduce the error?
from sregistry.
SethosII
commented on August 17, 2024
I tried to follow these steps but there are some other errors. First thing is in the section 'Interact with it' line 87. bash isn't available in the container but sh is, so it should be docker exec -it openldap sh. Then in section 'Add a user and group to the directory' I get this:
ldapsearch -x -b 'dc=my-company,dc=com'
# extended LDIF
#
# LDAPv3
# base <dc=my-company,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
32 No such object is also the return value for subsequent commands (adding test users and groups).
Also the image for the LDAP login page isn't displayed at the bottom of this page. Line 326 should be .
I will create a pull request for the documentation corrections.
from sregistry.
SethosII
commented on August 17, 2024
I got a bit further but LDAP authentication still doesn't work. The current error while logging in is this:
uwsgi_1 | Binding as CN=X.X,OU=Service-Accounts,DC=company,DC=com
uwsgi_1 | Invoking search_s('dc=company,dc=com', 2, '(uid=Y.Y)')
uwsgi_1 | search_s('dc=company,dc=com', 2, '(uid=Y.Y)') raised OPERATIONS_ERROR({'msgtype': 115, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C0907ED, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580'})
uwsgi_1 | search_s('dc=company,dc=com', 2, '(uid=%(user)s)') returned 0 objects:
uwsgi_1 | Authentication failed for Y.Y: failed to map the username to a DN.
uwsgi_1 | [pid: 28|app: 0|req: 3/3] 10.XXX.XXX.XXX () {50 vars in 1024 bytes} [Wed Mar 29 08:32:28 2023] POST /ldap_auth/login/ => generated 5994 bytes in 599 msecs (HTTP/1.1 200) 7 headers in 395 bytes (1 switches on core 2)
So, I think the attribute mapping is still missing. I use the settings.yaml and there is no exmaple for it there. How would an example look like in the YAML syntax?
from sregistry.
vsoch
commented on August 17, 2024
You define it via: https://singularityhub.github.io/sregistry/docs/plugins/ldap#configure-sregistry
from sregistry.
SethosII
commented on August 17, 2024
I know this one, but I'm looking for a way to set this in the settings.yaml. Shouldn't these be functionally equivalent? I tried it like this:
AUTH_LDAP_USER_ATTR_MAP:
first_name: "givenName"
last_name: "sn"
email: "mail"
However, currently I'm getting a ModuleNotFoundError for django.utils.six when starting the containers if LDAP is enabled in the sregistry image:
uwsgi_1 | Traceback (most recent call last):
uwsgi_1 | File "/code/manage.py", line 9, in <module>
uwsgi_1 | execute_from_command_line(sys.argv)
uwsgi_1 | File "/usr/local/lib/python3.9/site-packages/django/core/management/__init__.py", line 446, in execute_from_command_line
uwsgi_1 | utility.execute()
uwsgi_1 | File "/usr/local/lib/python3.9/site-packages/django/core/management/__init__.py", line 420, in execute
uwsgi_1 | django.setup()
uwsgi_1 | File "/usr/local/lib/python3.9/site-packages/django/__init__.py", line 24, in setup
uwsgi_1 | apps.populate(settings.INSTALLED_APPS)
uwsgi_1 | File "/usr/local/lib/python3.9/site-packages/django/apps/registry.py", line 116, in populate
uwsgi_1 | app_config.import_models()
uwsgi_1 | File "/usr/local/lib/python3.9/site-packages/django/apps/config.py", line 269, in import_models
uwsgi_1 | self.models_module = import_module(models_module_name)
uwsgi_1 | File "/usr/local/lib/python3.9/importlib/__init__.py", line 127, in import_module
uwsgi_1 | return _bootstrap._gcd_import(name[level:], package, level)
uwsgi_1 | File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
uwsgi_1 | File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
uwsgi_1 | File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
uwsgi_1 | File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
uwsgi_1 | File "<frozen importlib._bootstrap_external>", line 850, in exec_module
uwsgi_1 | File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
uwsgi_1 | File "/code/shub/apps/logs/models.py", line 11, in <module>
uwsgi_1 | from django.utils.six import python_2_unicode_compatible
uwsgi_1 | ModuleNotFoundError: No module named 'django.utils.six'
This module seems to be removed in Django 3 and while building the container there is this output:
Step 18/40 : RUN if $ENABLE_LDAP; then pip install django-auth-ldap ; fi;
---> Running in 8db5bb4d2cd6
Collecting django-auth-ldap
Downloading django_auth_ldap-4.2.0-py3-none-any.whl (20 kB)
Collecting Django>=3.2
Downloading Django-4.1.7-py3-none-any.whl (8.1 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 8.1/8.1 MB 55.8 MB/s eta 0:00:00
Collecting python-ldap>=3.1
Downloading python-ldap-3.4.3.tar.gz (377 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 377.4/377.4 kB 39.6 MB/s eta 0:00:00
Installing build dependencies: started
Installing build dependencies: finished with status 'done'
Getting requirements to build wheel: started
Getting requirements to build wheel: finished with status 'done'
Preparing metadata (pyproject.toml): started
Preparing metadata (pyproject.toml): finished with status 'done'
Requirement already satisfied: sqlparse>=0.2.2 in /usr/local/lib/python3.9/site-packages (from Django>=3.2->django-auth-ldap) (0.4.3)
Collecting asgiref<4,>=3.5.2
Downloading asgiref-3.6.0-py3-none-any.whl (23 kB)
Requirement already satisfied: pyasn1-modules>=0.1.5 in /usr/local/lib/python3.9/site-packages (from python-ldap>=3.1->django-auth-ldap) (0.2.8)
Requirement already satisfied: pyasn1>=0.3.7 in /usr/local/lib/python3.9/site-packages (from python-ldap>=3.1->django-auth-ldap) (0.4.8)
Building wheels for collected packages: python-ldap
Building wheel for python-ldap (pyproject.toml): started
Building wheel for python-ldap (pyproject.toml): finished with status 'done'
Created wheel for python-ldap: filename=python_ldap-3.4.3-cp39-cp39-linux_x86_64.whl size=314161 sha256=b8a3898a5884b999f309f4189b032e4bd02fe00e631d98ef074a
3d545d67fc40
Stored in directory: /root/.cache/pip/wheels/79/43/5e/1a029878450f5949466f351db7ff4c5459c0b1937999f39000
Successfully built python-ldap
Installing collected packages: asgiref, python-ldap, Django, django-auth-ldap
Attempting uninstall: Django
Found existing installation: Django 2.2.28
Uninstalling Django-2.2.28:
Successfully uninstalled Django-2.2.28
Successfully installed Django-4.1.7 asgiref-3.6.0 django-auth-ldap-4.2.0 python-ldap-3.4.3
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a
virtual environment instead: https://pip.pypa.io/warnings/venv
Removing intermediate container 8db5bb4d2cd6
---> ff9aa5d5eb10
So, Django 2 seems to be replaced by Django 4 and therefore django.utils.six isn't available anymore?
from sregistry.
vsoch
commented on August 17, 2024
We probably should update the container base and Django versions. Share with me your Dockerfile to reproduce the error and I can make some time this weekend.
from sregistry.
SethosII
commented on August 17, 2024
The Dockerfile looks like this:
FROM python:3.9
ENV PYTHONUNBUFFERED 1
ENV DEBIAN_FRONTEND noninteractive
ENV MESSAGELEVEL QUIET
ARG ENABLE_LDAP=true
ARG ENABLE_PAM=false
ARG ENABLE_PGP=false
ARG ENABLE_GOOGLEBUILD=false
ARG ENABLE_GLOBUS=false
ARG ENABLE_SAML=false
################################################################################
# CORE
# Do not modify this section
RUN apt-get update && apt-get install -y \
pkg-config \
cmake \
openssl \
wget \
git \
vim
RUN apt-get update && apt-get install -y \
anacron \
autoconf \
automake \
libarchive-dev \
libtool \
libopenblas-dev \
libglib2.0-dev \
gfortran \
libxml2-dev \
libxmlsec1-dev \
libhdf5-dev \
libgeos-dev \
libsasl2-dev \
libldap2-dev \
squashfs-tools \
build-essential
# Install Python requirements out of /tmp so not triggered if other contents of /code change
COPY requirements.txt /tmp/requirements.txt
RUN pip install --upgrade pip
RUN pip install -r /tmp/requirements.txt
COPY . /code/
################################################################################
# PLUGINS
# You are free to uncomment the plugins that you want to use
# Install LDAP (uncomment if wanted)
RUN if $ENABLE_LDAP; then pip install python3-ldap ; fi;
RUN if $ENABLE_LDAP; then pip install django-auth-ldap ; fi;
# Install PAM Authentication (uncomment if wanted)
RUN if $ENABLE_PAM; then pip install django-pam ; fi;
# PGP keystore dependencies
RUN if $ENABLE_PGP; then pip install pgpdump>=1.4; fi;
# Ensure Google Build Installed
RUN if $ENABLE_GOOGLEBUILD; then pip install sregistry[google-build] ; fi;
ENV SREGISTRY_GOOGLE_STORAGE_PRIVATE=true
# Install Globus (uncomment if wanted)
RUN if $ENABLE_GLOBUS; then /bin/bash /code/scripts/globus/globus-install.sh ; fi;
# Install SAML (uncomment if wanted)
RUN if $ENABLE_SAML; then pip install python3-saml ; fi;
RUN if $ENABLE_SAML; then pip install social-auth-core[saml] ; fi;
################################################################################
# BASE
RUN mkdir -p /code && mkdir -p /code/images
RUN mkdir -p /var/www/images && chmod -R 0755 /code/images/
WORKDIR /code
RUN apt-get remove -y gfortran
RUN apt-get autoremove -y
RUN apt-get clean
RUN rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
# Install crontab to setup jobs
RUN echo "0 0 * * * /usr/local/bin/python /code/manage.py reset_container_limits > /var/log/reset_container_limits.log 2>&1 " >> /code/cronjob
RUN echo "0 1 * * * /bin/bash /code/scripts/backup_db.sh > /var/log/backup_db.log 2>&1 " >> /code/cronjob
RUN echo "0 2 * * * /usr/local/bin/python /code/manage.py cleanup_dummy > /var/log/cleanup_dummy.log 2>&1 " >> /code/cronjob
RUN crontab /code/cronjob
RUN rm /code/cronjob
# Create hashed temporary upload locations
RUN mkdir -p /var/www/images/_upload/{0..9} && chmod 777 -R /var/www/images/_upload
CMD /code/run_uwsgi.sh
EXPOSE 3031
The only difference to the current one from the repository is ARG ENABLE_LDAP=true.
from sregistry.
vsoch
commented on August 17, 2024
@SethosII here is a branch to test! #421
from sregistry.
SethosII
commented on August 17, 2024
I also got LDAP authentication to work. The last error I had was this: Authentication failed for USERNAME: failed to map the username to a DN. This solved it: https://stackoverflow.com/a/37033098. So I had to replace uid with samaccountname here: https://github.com/singularityhub/sregistry/blob/master/shub/settings.py#L580. Maybe this should be added to the documentation or is there a way to automate it if LDAP is enabled?
from sregistry.
vsoch
commented on August 17, 2024
Great! I added that note to the PR in progress (sorry actually added this morning early before work but forgot to commit and push). Let me know if/when that PR is all good for you and we can merge and release.
from sregistry.
SethosII
commented on August 17, 2024
LDAP authentication now works for me. The only thing I haven't figured out is connecting via LDAPS, but that is not required for me at the moment. The error I get when using LDAPS is Caught LDAPError while authenticating USERNAME: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': '(unknown error code)'}).
from sregistry.
Related Issues (20)
- docker compose error HOT 7
- sregistry under https HOT 5
- Error while pushing images HOT 20
- idea: spec out idea for builder operator
- Faulty date sorting HOT 1
- Change local storage location HOT 6
- cannot start with docker compose HOT 1
- shub://* urls do not work HOT 11
- PLUGINS_ENABLED cannot be set in the settings.yaml file. HOT 1
- config.py is no longer there.
- hard coding SOCIAL_AUTH_GITLAB_SCOPE breaks auth. HOT 1
- Missing labels / container build recipes are not populated HOT 6
- NGINX Manifest unkown HOT 8
- Configuring base_url for sregistry when deployed behind an Apache reverse proxy on port 80 HOT 3
- Username Invalid token for Singularity CE endpoint HOT 5
- Connection Refused errors when pushing images HOT 6
- Is sregistry working with apptainer? HOT 1
- Images uploaded via web interface not found with Singularity pull HOT 6
- Push gives error 404 HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sregistry.