Airflow LDAP search returned multiple results #15720

Closed
armandleopold opened this issue May 7, 2021 · 6 comments
Labels
duplicate Issue that is duplicated kind:bug This is a clearly a bug

Comments

@armandleopold

Apache Airflow version: 2.0.2

Kubernetes version (if you are using kubernetes) (use kubectl version): 1.15.5

Environment: Private Cloud (Rancher)

  • Cloud provider or hardware configuration: custom
  • OS (e.g. from /etc/os-release): linux
  • Kernel (e.g. uname -a): linux
  • Install tools: helm chart
  • Others:

What happened:

[2021-05-07 15:47:12,449] {manager.py:888} ERROR - LDAP search for '(&(memberOf=cn=********************)(samAccountName=aleopold))' in scope 'dc=**********' returned multiple results

What you expected to happen:

No ERROR, successful login

How to reproduce it:

Have LDAP and try to connect to Airflow with LDAP user's credentials

Anything else we need to know:

webconfig :
From here

    """Default configuration for the Airflow webserver"""
    import os

    from flask_appbuilder.security.manager import AUTH_LDAP

    AUTH_TYPE = AUTH_LDAP
    AUTH_LDAP_SERVER = "ldap://ldap.*****"
    AUTH_LDAP_USE_TLS = False

    # searches
    AUTH_LDAP_SEARCH = "dc=*******"  # the LDAP search base
    AUTH_LDAP_UID_FIELD = "samAccountName"  # the username field

    # For a typical OpenLDAP setup (where LDAP searches require a special account):
    AUTH_LDAP_BIND_USER = "CN=*****************"
    AUTH_LDAP_BIND_PASSWORD = "*************"

    # registration configs
    AUTH_USER_REGISTRATION = True  # allow users who are not already in the FAB DB
    AUTH_USER_REGISTRATION_ROLE = "Public"  # this role will be given in addition to any AUTH_ROLES_MAPPING
    AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
    AUTH_LDAP_LASTNAME_FIELD = "sn"
    AUTH_LDAP_EMAIL_FIELD = "mail"  # if null in LDAP, email is set to: "{username}@email.notfound"
    AUTH_LDAP_SEARCH_FILTER = "(memberOf=cn=****************)"

    # a mapping from LDAP DN to a list of FAB roles
    AUTH_ROLES_MAPPING = {
      "CN=************************":["Admin"]
    }

    # the LDAP user attribute which has their role DNs
    AUTH_LDAP_GROUP_FIELD = "memberOf"

    # if we should replace ALL the user's roles each login, or only on registration
    AUTH_ROLES_SYNC_AT_LOGIN = True

    # force users to re-auth after 30min of inactivity (to keep roles in sync)
    PERMANENT_SESSION_LIFETIME = 1800 
@armandleopold armandleopold added the kind:bug This is a clearly a bug label May 7, 2021
@armandleopold
Author

Note :
We use that exact same configuration for our Apache Superset application and it works fine.

@potiuk
Member

potiuk commented May 7, 2021

Older constraints/images of Airflow 2.0.2 had this problem, but this has been fixed since (it was a problem with Flask Application Builder and it was fixed in the 3.2.3 version of FAB). Not sure how you installed Airflow, but you might need to pull the latest 2.0.2 image of Airflow or manually upgrade to the latest FAB==3.2.3. Please see the discussion in (seemingly unrelated) issue: #15451 (comment)

Current version of constraints for Airflow 2.0.2 already contains the fixed FAB version (https://github.com/apache/airflow/blob/constraints-2.0.2/constraints-3.8.txt#L5)

In Airflow 2.0.3 (in a few days) this will be the default (3.2.3+ for FAB will be in the original constraints).

@potiuk potiuk added the duplicate Issue that is duplicated label May 7, 2021
@potiuk potiuk closed this as completed May 7, 2021
@armandleopold
Author

@potiuk Thanks for the reply, I used the bitnami docker image: bitnami/airflow:2.0.2 https://hub.docker.com/r/bitnami/airflow/tags?page=1&ordering=last_updated

@potiuk
Member

potiuk commented May 10, 2021

Yeah - they still use FAB 3.2.2 (just checked). I think you have a few options :)

  1. Wait for the 2.0.3 release/image released by bitnami
  2. Switch to using Airflow's official/reference docker image
  3. Extend the bitnami one and install a newer FAB version.
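
An added example, not part of the original thread and not Airflow or FAB project code: a check that reads pip-freeze or constraints-style text and flags a Flask-AppBuilder pin below the 3.2.3 release named above, plus the same check against the running environment. The function names and sample text are constructed for illustration.

```python
import re
from importlib import metadata

FIXED = (3, 2, 3)  # first FAB release with the fix, per the thread above
_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9]+(?:\.[0-9]+)*)")
_NUM = re.compile(r"[0-9]+(?:\.[0-9]+)*")


def _norm(name):
    # PEP 503 name normalisation, so Flask_AppBuilder matches flask-appbuilder
    return re.sub(r"[-_.]+", "-", name).lower()


def _ver(text):
    return tuple(int(part) for part in text.split("."))


def fab_pin(requirements_text):
    """Return the pinned FAB version as a tuple, or None if there is no pin."""
    for line in requirements_text.splitlines():
        match = _PIN.match(line.split("#", 1)[0])  # drop trailing comments
        if match and _norm(match.group(1)) == "flask-appbuilder":
            return _ver(match.group(2))
    return None


def status(version):
    if version is None:
        return "missing"
    return "fixed" if version >= FIXED else "affected"


def installed_status():
    """Same check against the interpreter this runs in (e.g. inside the image)."""
    try:
        match = _NUM.match(metadata.version("Flask-AppBuilder"))
    except metadata.PackageNotFoundError:
        return "missing"
    return status(_ver(match.group(0)) if match else None)


# Constructed sample inputs, not copied from any real image or constraints file
SAMPLE_OLD = "apache-airflow==2.0.2\nFlask-AppBuilder==3.2.2\nFlask==1.1.2\n"
SAMPLE_NEW = "Flask_AppBuilder==3.2.3  # constructed pin\n"

if __name__ == "__main__":
    print("old sample:", status(fab_pin(SAMPLE_OLD)))
    print("new sample:", status(fab_pin(SAMPLE_NEW)))
    print("this environment:", installed_status())
```
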

@armandleopold
Author

We use the Bitnami Helm chart to deploy on our private cloud.
I will wait for the next release ^^ thanks !

@potiuk
Member

potiuk commented May 12, 2021

BTW, I think we will skip 2.0.3 and go straight to 2.1, stay tuned!
