I am currently attempting to set up LDAP integration with an existing LDAP server in Airflow. In the past, I have attempted making a cacert (ldap_ca.crt) and have followed this guide and this guide.
When I start up Airflow I am presented with a login screen that does not accept any users on the LDAP server and simply clears the username/password box when attempting to sign in.
This is the current code in my webserver_config.py (I have also tried making edits to airflow.cfg without success):
# The authentication type
# AUTH_OID : Is for OpenID
# AUTH_DB : Is for database
# AUTH_LDAP : Is for LDAP
# AUTH_REMOTE_USER : Is for using REMOTE_USER from web server
# AUTH_OAUTH : Is for OAuth
AUTH_TYPE = AUTH_LDAP
# Uncomment to setup Full admin role name
# AUTH_ROLE_ADMIN = 'Admin'
# Uncomment to setup Public role name, no authentication needed
# AUTH_ROLE_PUBLIC = 'Public'
# Will allow user self registration
AUTH_USER_REGISTRATION = True
# The default user self registration role
AUTH_USER_REGISTRATION_ROLE = "Viewer"
# When using LDAP Auth, setup the ldap server
# AUTH_LDAP_SERVER = "ldap://ldapserver.new"
AUTH_LDAP_SERVER = "ldap://ldap-server-name.org.com:999"
AUTH_LDAP_BIND_USER = "CN=p_biaas,OU=Unix,OU=ServiceAccounts,OU=AAA,OU=AAA,DC=ms,DC=ds,DC=aaa,DC=com"
AUTH_LDAP_BIND_PASSWORD = "password"
#AUTH_LDAP_SEARCH = "CN=Users,DC=ms,DC=ds,DC=aaa,DC=com"
#AUTH_LDAP_SEARCH= "OU=Unix,OU=ServiceAccounts,OU=AAA,OU=AAA,DC=ms,DC=ds,DC=aaa,DC=com"
AUTH_LDAP_SEARCH = "DC=ms,DC=ds,DC=aaa,DC=com"
AUTH_LDAP_UID_FIELD = "sAMAccountName"
#AUTH_LDAP_USE_TLS = False
AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
AUTH_LDAP_LASTTNAME_FIELD = "sn"
Setting up LDAP integration in Apache Airflow requires correct configuration to ensure that the authentication process works as expected. Here are some steps you can take to troubleshoot and potentially resolve the issue:
- Verify LDAP Server Connection: Ensure that the LDAP server address and port specified in AUTH_LDAP_SERVER are correct and reachable from your Airflow server. The server address should include the protocol (e.g., ldap://) and the port (e.g., :389 for non-encrypted LDAP or :636 for LDAPS).
- Check LDAP Bind Credentials: Confirm that the bind user (AUTH_LDAP_BIND_USER) and its password (AUTH_LDAP_BIND_PASSWORD) are correct and have sufficient privileges to perform searches in the LDAP directory.
- Verify LDAP Search Base: Ensure that AUTH_LDAP_SEARCH specifies the correct search base for your LDAP directory. The search base defines the starting point for user searches. It should typically point to an organizational unit (OU) or a specific container where user objects are located.
- Check UID Field: The AUTH_LDAP_UID_FIELD should be set to the LDAP attribute that uniquely identifies users. In Active Directory, it is usually sAMAccountName. Confirm that this attribute exists and is unique for each user.
- Verify TLS Settings: If your LDAP server uses TLS (LDAPS), uncomment AUTH_LDAP_USE_TLS and set it to True. Also, ensure that the Airflow server can access the certificate authority (CA) certificate (ldap_ca.crt) used by the LDAP server. The certificate is needed to establish a secure connection.
- Check LDAP User Attributes: Verify that AUTH_LDAP_FIRSTNAME_FIELD and AUTH_LDAP_LASTTNAME_FIELD correspond to the correct LDAP attributes for users’ first and last names.
- Restart Airflow: After making changes to the configuration, restart the Airflow webserver to apply the updated settings.
- Check Airflow Logs: If the issue persists, check the Airflow logs (usually located in the logs folder of your Airflow installation) for any error messages related to LDAP authentication. The logs can provide valuable information about the root cause of the problem.
- Test LDAP Queries: You can use an LDAP browser tool (e.g., Apache Directory Studio) to test LDAP queries and see if you can retrieve user information based on your configuration.
Remember to make backup copies of your configuration files before making any changes, and be cautious when working with sensitive credentials.
If the issue still persists after following these steps, you may need to seek further assistance from the Airflow community or your LDAP server administrator. Additionally, ensure that you are using the correct version of Airflow, as some configuration options and behavior may vary between versions.
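
As an added example (not part of the original question or answer, and not Airflow or Flask-AppBuilder code), the static check below reads a webserver_config.py without executing it and flags misspelled AUTH_LDAP_* keys, a bind over ldap:// without StartTLS, StartTLS combined with ldaps://, and a literal bind password. The key list is a subset of Flask-AppBuilder's settings; the function names, finding strings and sample values are assumptions made for illustration.

```python
import ast
import difflib
from urllib.parse import urlparse

# Flask-AppBuilder LDAP settings (a subset; extend it for your version).
KNOWN_KEYS = (
    "AUTH_LDAP_SERVER", "AUTH_LDAP_USE_TLS", "AUTH_LDAP_BIND_USER", "AUTH_LDAP_BIND_PASSWORD",
    "AUTH_LDAP_SEARCH", "AUTH_LDAP_SEARCH_FILTER", "AUTH_LDAP_UID_FIELD", "AUTH_LDAP_EMAIL_FIELD",
    "AUTH_LDAP_FIRSTNAME_FIELD", "AUTH_LDAP_LASTNAME_FIELD", "AUTH_LDAP_TLS_CACERTFILE",
)

def load_settings(source):  # parse only, so the config file is never executed
    settings = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                settings[node.targets[0].id] = None  # non-literal, e.g. AUTH_LDAP
    return settings

def lint(settings):  # returns a list of "category: detail" strings
    findings = []
    for key in settings:
        if key.startswith("AUTH_LDAP_") and key not in KNOWN_KEYS:
            near = difflib.get_close_matches(key, KNOWN_KEYS, n=1)
            findings.append(f"unknown-key: {key}" + (f", closest is {near[0]}" if near else ""))
    url = urlparse(settings.get("AUTH_LDAP_SERVER") or "")
    starttls = bool(settings.get("AUTH_LDAP_USE_TLS"))  # USE_TLS means StartTLS on ldap://
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("server: AUTH_LDAP_SERVER needs an ldap:// or ldaps:// URL")
    elif url.scheme == "ldap" and not starttls:
        findings.append("cleartext: ldap:// without StartTLS exposes bind passwords")
    elif url.scheme == "ldaps" and starttls:
        findings.append("conflict: StartTLS requested on an ldaps:// connection")
    if isinstance(settings.get("AUTH_LDAP_BIND_PASSWORD"), str):
        findings.append("secret: AUTH_LDAP_BIND_PASSWORD is a literal in the file")
    return findings

SAMPLE = '''
AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldap://ldap.example.com:389"
AUTH_LDAP_BIND_PASSWORD = "password"
AUTH_LDAP_LASTTNAME_FIELD = "sn"
'''  # constructed sample modelled on the configuration in the question

if __name__ == "__main__":
    print("\n".join(lint(load_settings(SAMPLE))))
```

To check a real file, pass its text to load_settings, for example load_settings(open("webserver_config.py").read()).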