I have gone through the LDAP configuration information provided in this page Authentication: LDAP for Airflow version 2.6.2 using FlaskAppBuilder and have the following configuration in my webserver_config.py file among other things:
```python
from airflow.www.fab_security.manager import AUTH_LDAP

AUTH_TYPE = AUTH_LDAP

# Will allow user self registration
AUTH_USER_REGISTRATION = True

# When using LDAP Auth, setup the ldap server
AUTH_LDAP_SERVER = "ldap://server:port"
AUTH_LDAP_USE_TLS = True
AUTH_LDAP_ALLOW_SELF_SIGNED = False
AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
AUTH_LDAP_LASTNAME_FIELD = "sn"
AUTH_LDAP_EMAIL_FIELD = "mail"  # if null in LDAP, email is set to: "{username}@email.notfound"
AUTH_LDAP_USERNAME_FORMAT = "uid=%s,ou=S,ou=OU,dc=DC,dc=COM"  # %s is replaced with the provided username
AUTH_LDAP_APPEND_DOMAIN = "DC.COM"  # bind usernames will look like: {USERNAME}@example.com

# search configs
AUTH_LDAP_SEARCH = "ou=S,ou=OU,dc=DC,dc=COM"  # the LDAP search base (if non-empty, a search will ALWAYS happen)
AUTH_LDAP_UID_FIELD = "uid"  # the username field
```
All details including LDAP server, OU and DC have been provided by our IT team.
My question, however, is about the %s in the uid section of the AUTH_LDAP_USERNAME_FORMAT parameter and the AUTH_LDAP_APPEND_DOMAIN parameter itself.
1. Is the %s supposed to be a specific value or is it something that is passed automatically to the webserver when the user enters the username in the Username field at sign-in?
The reason I ask this is because I found this other question (which seemed to have a similar title, but not the same issue), where OP's config did not have AUTH_LDAP_USERNAME_FORMAT at all, but has the following:

```python
AUTH_LDAP_BIND_USER = "CN=p_biaas,OU=Unix,OU=ServiceAccounts,OU=AAA,OU=AAA,DC=ms,DC=ds,DC=aaa,DC=com"
AUTH_LDAP_BIND_PASSWORD = "password"
```
Now going back to the FAB documentation page, these parameters are to be used for OpenLDAP and not for Microsoft AD setup.
So which of the above is the right set of configuration parameters, and what should I be using for either %s, p_biaas or password (some custom or built-in variable, or is it some static value)?
2. AUTH_LDAP_APPEND_DOMAIN = "DC.COM" # bind usernames will look like: {USERNAME}@example.com
The parameter indicates that DC.COM will be appended to the username, but what if I need to prepend it, such as DC\username, or if I just want to use the username as entered in the username field without any appending or prepending? Will the search still work or does one or the other need to be passed as an argument?
3. I was wondering if there is any way to log/view the requests and the parameters that are being passed in the backend to be able to figure out what's happening and if there are any errors or if I'm doing something wrong?
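
The following is an added example, not part of the original post and not Flask-AppBuilder's own code: a simplified Python model of how a login name typed into the form could become the LDAP bind identity and search filter under the settings shown above. The function names, the sample user alice, and the order in which AUTH_LDAP_APPEND_DOMAIN and AUTH_LDAP_USERNAME_FORMAT are applied are assumptions to check against the installed FAB version.

```python
# Added illustration: a simplified model, NOT Flask-AppBuilder's code.
# Function names are hypothetical; the order in which the two settings
# are applied is an assumption to verify against the installed version.


def escape_filter_value(value: str) -> str:
    """Escape a value for use in an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def bind_identity(username, username_format=None, append_domain=None,
                  bind_user=None):
    """Return (identity used for the LDAP bind, kind of bind)."""
    if bind_user:
        # Indirect bind: a fixed service account binds first and searches
        # for the user; the login name is never substituted into it.
        return bind_user, "indirect"
    identity = username
    if append_domain:
        # AD-style userPrincipalName: <username>@<domain>
        identity = f"{identity}@{append_domain}"
    if username_format:
        # %s is filled in at login time with the name typed into the form
        identity = username_format % identity
    return identity, "direct"


def search_filter(username, uid_field="uid"):
    """Filter for the lookup under the search base. The login name is
    untrusted input, so it is escaped before entering the filter."""
    return f"({uid_field}={escape_filter_value(username)})"


if __name__ == "__main__":
    fmt = "uid=%s,ou=S,ou=OU,dc=DC,dc=COM"  # value from the post
    for label, kwargs in [
        ("format only", {"username_format": fmt}),
        ("domain only", {"append_domain": "DC.COM"}),
        ("both set", {"username_format": fmt, "append_domain": "DC.COM"}),
        ("neither", {}),
    ]:
        # "alice" is a constructed sample login name
        print(f"{label:12} -> {bind_identity('alice', **kwargs)[0]}")
    print(search_filter("alice"), search_filter("al*(ice)"))
```

In this model, setting both options at once produces a bind DN with the domain suffix embedded in the uid value, which is why the two settings are normally alternatives rather than a pair.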