Enable LDAP users to generate an Airflow token with FabAuthManager #52295

Open
wants to merge 1 commit into
base: main

vincbeck
Contributor

Resolves #52103.

Today, only users stored in the DB can generate an Airflow JWT token in order to access the Airflow API. This PR adds the capability for LDAP users to also generate a token.



@yanshil
Contributor

yanshil commented Jun 27, 2025

Thanks @vincbeck ! I have tested this modification on my Helm Chart installed image based on apache/airflow:3.0.2-python3.9

After applying this modification, I first got a 500 Internal Server Error:

INFO:     {masked ip}- "POST /auth/token HTTP/1.1" 500 Internal Server Error
ERROR:    Exception in ASGI application
Traceback (most recent call last):
  File "/home/airflow/.local/lib/python3.9/site-packages/uvicorn/protocols/http/httptools_impl.py", line 409, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
  File "/home/airflow/.local/lib/python3.9/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/applications.py", line 112, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/errors.py", line 187, in __call__
    raise exc
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/errors.py", line 165, in __call__
    await self.app(scope, receive, _send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/gzip.py", line 29, in __call__
    await responder(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/gzip.py", line 126, in __call__
    await super().__call__(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/gzip.py", line 46, in __call__
    await self.app(scope, receive, self.send_with_compression)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/cors.py", line 85, in __call__
    await self.app(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/base.py", line 183, in __call__
    raise app_exc
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/base.py", line 141, in coro
    await self.app(scope, receive_or_disconnect, send_no_error)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/routing.py", line 714, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/routing.py", line 734, in app
    await route.handle(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/routing.py", line 460, in handle
    await self.app(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/applications.py", line 112, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/errors.py", line 187, in __call__
    raise exc
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/errors.py", line 165, in __call__
    await self.app(scope, receive, _send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/routing.py", line 714, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/routing.py", line 734, in app
    await route.handle(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/routing.py", line 288, in handle
    await self.app(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/routing.py", line 76, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/routing.py", line 73, in app
    response = await f(request)
  File "/home/airflow/.local/lib/python3.9/site-packages/fastapi/routing.py", line 301, in app
    raw_response = await run_endpoint_function(
  File "/home/airflow/.local/lib/python3.9/site-packages/fastapi/routing.py", line 214, in run_endpoint_function
    return await run_in_threadpool(dependant.call, **values)
  File "/home/airflow/.local/lib/python3.9/site-packages/starlette/concurrency.py", line 37, in run_in_threadpool
    return await anyio.to_thread.run_sync(func)
  File "/home/airflow/.local/lib/python3.9/site-packages/anyio/to_thread.py", line 56, in run_sync
    return await get_async_backend().run_sync_in_worker_thread(
  File "/home/airflow/.local/lib/python3.9/site-packages/anyio/_backends/_asyncio.py", line 2470, in run_sync_in_worker_thread
    return await future
  File "/home/airflow/.local/lib/python3.9/site-packages/anyio/_backends/_asyncio.py", line 967, in run
    result = context.run(func, *args)
  File "/home/airflow/.local/lib/python3.9/site-packages/airflow/providers/fab/auth_manager/api_fastapi/routes/login.py", line 38, in create_token
    return FABAuthManagerLogin.create_token(body=body)
  File "/home/airflow/.local/lib/python3.9/site-packages/airflow/providers/fab/auth_manager/api_fastapi/services/login.py", line 51, in create_token
    user = auth_manager.security_manager.auth_user_ldap(body.username, body.password)
  File "/home/airflow/.local/lib/python3.9/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py", line 1885, in auth_user_ldap
    self._rotate_session_id()
  File "/home/airflow/.local/lib/python3.9/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py", line 2191, in _rotate_session_id
    session.sid = str(uuid.uuid4())
  File "/home/airflow/.local/lib/python3.9/site-packages/werkzeug/local.py", line 316, in __get__
    obj = instance._get_current_object()
  File "/home/airflow/.local/lib/python3.9/site-packages/werkzeug/local.py", line 513, in _get_current_object
    raise RuntimeError(unbound_message) from None
RuntimeError: Working outside of request context.
This typically means that you attempted to use functionality that needed
an active HTTP request. Consult the documentation on testing for
information about how to avoid this problem.

and then I modified login.py and override.py by also adding rotate_session_id=False to auth_user_ldap, and now it works! (Actually I'm not quite sure what it is for and why you set that for auth_user_db while the original version will always do this stuff.)

# login.py

        if auth_manager.security_manager.auth_type == AUTH_LDAP:
            user = auth_manager.security_manager.auth_user_ldap(body.username, body.password, rotate_session_id=False)
        if user is None:
            user = auth_manager.security_manager.auth_user_db(body.username, body.password, rotate_session_id=False)

# override.py

            # LOGIN SUCCESS (only if user is now registered)
            if user:
                if rotate_session_id:
                    self._rotate_session_id()
                self.update_user_auth_stat(user)
                return user

Also FYI, here is my test image.

# 3.0.2
FROM apache/airflow:3.0.2-python3.9

# Got version conflict on kerberos so not using all-core
# RUN pip install 'apache-airflow[all-core]==3.0.2'
# --- core ---
RUN pip install 'apache-airflow[sentry]==3.0.2'
RUN pip install 'apache-airflow[otel]==3.0.2'
RUN pip install 'apache-airflow[standard]==3.0.2'
RUN pip install 'apache-airflow[graphviz]==3.0.2'
RUN pip install 'apache-airflow[async]==3.0.2'
RUN pip install 'apache-airflow[s3fs]==3.0.0'

RUN pip install 'apache-airflow[edge3]==3.0.2'
RUN pip install 'apache-airflow[ldap]==3.0.2'
RUN pip install 'apache-airflow[postgres]==3.0.2'
RUN pip install 'apache-airflow[mysql]==3.0.2'
RUN pip install 'apache-airflow[celery]==3.0.2'
RUN pip install 'apache-airflow[apache-kafka]==3.0.2'
RUN pip install 'apache-airflow[ssh]==3.0.2'

COPY login.py /home/airflow/.local/lib/python3.9/site-packages/airflow/providers/fab/auth_manager/api_fastapi/services/login.py
COPY override.py /home/airflow/.local/lib/python3.9/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py

and this is the server config in my Helm chart values.yaml

(If it is recommended, I can start another issue to describe this.) I was using a third-party Airflow Helm chart on Airflow 2.* but am currently using the official Helm Chart 1.17 this time. I notice that the webServer section in the official chart does not seem to be used at all; only apiServer is used (not sure if that is the expected behavior). For example, no webServer pod is deployed even if it is enabled, and webServerConfig is not used. I looked into the values.yml and decided to move all the web-server stuff to api-server, and then everything looks fine (yeah, including the LDAP settings).

apiServer:
  apiServerConfig: |-
    from flask_appbuilder.security.manager import AUTH_LDAP

    from airflow import configuration as conf

    CSRF_ENABLED = True

    AUTH_TYPE = AUTH_LDAP
    AUTH_ROLE_ADMIN = "Admin"
    AUTH_LDAP_SERVER = "<MASKED>"
    AUTH_LDAP_USE_TLS = False
    AUTH_LDAP_START_TLS = False
    AUTH_LDAP_SSL_SKIP_VERIFY = True

    # registration configs
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = "User"
    AUTH_LDAP_FIRSTNAME_FIELD = "givenName"
    AUTH_LDAP_LASTNAME_FIELD = "sn"
    AUTH_LDAP_EMAIL_FIELD = "mail"

    # search configs
    AUTH_LDAP_SEARCH = "dc=<MASKED>,dc=com"
    AUTH_LDAP_SEARCH_BASE_DNS = "dc=<MASKED>,dc=com"
    AUTH_LDAP_UID_FIELD = 'sAMAccountName'
    AUTH_LDAP_BIND_USER = <MASKED>
    AUTH_LDAP_BIND_PASSWORD = <MASKED>

    # mapping from LDAP DN to airflow roles
    AUTH_ROLES_MAPPING = {
        'CN=<MASKED>,OU=Groups_Local,DC=<MASKED>,DC=com': ["Admin"],
    }
    AUTH_LDAP_GROUP_FIELD = "memberOf"
    AUTH_ROLES_SYNC_AT_LOGIN = True
    PERMANENT_SESSION_LIFETIME = 1800

    # LDAPS
    AUTH_LDAP_ALLOW_SELF_SIGNED = True
    AUTH_LDAP_TLS_CACERTFILE = '/etc/ssl/certs/ca-certificates.crt'

Contact me if you need any further information!
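
The failure in the traceback above and the effect of the `rotate_session_id=False` switch, reproduced in isolation as an added example (not code from the PR or from Airflow). `authenticate`, `browser_login`, `token_login` and the credential store are hypothetical stand-ins, and the example assumes Flask is installed.

```python
import hmac
import uuid
from typing import Optional, Tuple

from flask import Flask, session

app = Flask(__name__)
app.secret_key = "constructed-demo-key"  # constructed value, demo only

# Constructed credential store; stands in for the LDAP bind or DB lookup.
_USERS = {"nic": "constructed-password"}


def rotate_session_id() -> None:
    """Issue a fresh session identifier at login (session-fixation defence).

    Touching flask.session requires an active Flask request context.
    """
    session["sid"] = str(uuid.uuid4())


def authenticate(username: str, password: str, rotate: bool = True) -> Optional[str]:
    """Hypothetical stand-in for auth_user_ldap / auth_user_db."""
    expected = _USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return None  # failed logins never reach the rotation step
    if rotate:
        rotate_session_id()
    return username


def browser_login(username: str, password: str) -> Tuple[Optional[str], str]:
    """Cookie-session login: runs inside a Flask request context."""
    with app.test_request_context("/login", method="POST"):
        session["sid"] = "pre-login-sid"  # identifier that existed before login
        user = authenticate(username, password)
        return user, session["sid"]


def token_login(username: str, password: str, rotate: bool) -> Tuple[Optional[str], Optional[str]]:
    """Token issuance from a handler that is not a Flask view, so there is
    no Flask request context and no cookie session to rotate."""
    try:
        return authenticate(username, password, rotate=rotate), None
    except RuntimeError as exc:
        return None, str(exc).splitlines()[0]


if __name__ == "__main__":
    print(browser_login("nic", "constructed-password"))
    print(token_login("nic", "constructed-password", rotate=True))
    print(token_login("nic", "constructed-password", rotate=False))
```

Wrong credentials return `None` on both paths before rotation is reached, so only successful logins hit the 500 in the token path.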

@joel-perez-1991

tested with airflow python 3.12 and all default dependencies. Same error:

INFO:     10.1.144.170:55686 - "POST /auth/token HTTP/1.1" 500 Internal Server Error
ERROR:    Exception in ASGI application
Traceback (most recent call last):
  File "/home/airflow/.local/lib/python3.12/site-packages/uvicorn/protocols/http/httptools_impl.py", line 409, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/applications.py", line 112, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/errors.py", line 187, in __call__
    raise exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/errors.py", line 165, in __call__
    await self.app(scope, receive, _send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/gzip.py", line 29, in __call__
    await responder(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/gzip.py", line 126, in __call__
    await super().__call__(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/gzip.py", line 46, in __call__
    await self.app(scope, receive, self.send_with_compression)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/cors.py", line 85, in __call__
    await self.app(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/base.py", line 183, in __call__
    raise app_exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/base.py", line 141, in coro
    await self.app(scope, receive_or_disconnect, send_no_error)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 714, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 734, in app
    await route.handle(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 460, in handle
    await self.app(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/applications.py", line 112, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/errors.py", line 187, in __call__
    raise exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/errors.py", line 165, in __call__
    await self.app(scope, receive, _send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 714, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 734, in app
    await route.handle(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 288, in handle
    await self.app(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 76, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    raise exc
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/_exception_handler.py", line 42, in wrapped_app
    await app(scope, receive, sender)
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/routing.py", line 73, in app
    response = await f(request)
               ^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/fastapi/routing.py", line 301, in app
    raw_response = await run_endpoint_function(
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/fastapi/routing.py", line 214, in run_endpoint_function
    return await run_in_threadpool(dependant.call, **values)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/starlette/concurrency.py", line 37, in run_in_threadpool
    return await anyio.to_thread.run_sync(func)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/anyio/to_thread.py", line 56, in run_sync
    return await get_async_backend().run_sync_in_worker_thread(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/anyio/_backends/_asyncio.py", line 2470, in run_sync_in_worker_thread
    return await future
           ^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/anyio/_backends/_asyncio.py", line 967, in run
    result = context.run(func, *args)
             ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/api_fastapi/routes/login.py", line 38, in create_token
    return FABAuthManagerLogin.create_token(body=body)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/api_fastapi/services/login.py", line 51, in create_token
    user = auth_manager.security_manager.auth_user_ldap(body.username, body.password)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py", line 1893, in auth_user_ldap
    self._rotate_session_id()
  File "/home/airflow/.local/lib/python3.12/site-packages/airflow/providers/fab/auth_manager/security_manager/override.py", line 2201, in _rotate_session_id
    session.sid = str(uuid.uuid4())
    ^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/werkzeug/local.py", line 316, in __get__
    obj = instance._get_current_object()
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/airflow/.local/lib/python3.12/site-packages/werkzeug/local.py", line 513, in _get_current_object
    raise RuntimeError(unbound_message) from None
RuntimeError: Working outside of request context.
This typically means that you attempted to use functionality that needed
an active HTTP request. Consult the documentation on testing for
information about how to avoid this problem.

@vincbeck
Contributor Author

vincbeck commented Jun 27, 2025

Thank you to both of you for testing it! Very much appreciated. And thank you @yanshil for suggesting a fix. You're actually right, I missed that, but self._rotate_session_id() is also called in auth_user_ldap. I updated the PR to include that fix. If you could test it again, it would be great! Thanks again!

@vincbeck vincbeck force-pushed the vincbeck/fab_ldap branch from 570cfd2 to cc144cb Compare June 27, 2025 14:57
@nicnguyen3103

nicnguyen3103 commented Jun 28, 2025

Hi @vincbeck, I have set up a local api-server with LDAP. Everything works fine from my side. Will try a full docker compose setup now to see if there is any persistence issue.

INFO:     Application startup complete.
[2025-06-28T20:55:21.521+0700] {override.py:2233} DEBUG - LDAP bind indirect TRY with username: '\x1b[1mcn=admin,dc=netflux,dc=com\x1b[22m'
[2025-06-28T20:55:21.531+0700] {override.py:2235} DEBUG - LDAP bind indirect SUCCESS with username: '\x1b[1mcn=admin,dc=netflux,dc=com\x1b[22m'
[2025-06-28T20:55:21.531+0700] {override.py:2269} DEBUG - LDAP search for '\x1b[1m(cn=nic)\x1b[22m' with fields ['givenName', 'sn', 'mail', 'memberOf'] in scope '\x1b[1mdc=netflux,dc=com\x1b[22m'
[2025-06-28T20:55:21.535+0700] {override.py:2278} DEBUG - LDAP search returned: [('cn=nic,dc=netflux,dc=com', {'memberOf': [b'cn=Admin,ou=Groups,dc=netflux,dc=com'], 'givenName': [b'Nic'], 'sn': [b'Nic'], 'mail': [b'[email protected]']})]
[2025-06-28T20:55:21.535+0700] {override.py:2308} DEBUG - LDAP bind TRY with username: '\x1b[1mcn=nic,dc=netflux,dc=com\x1b[22m'
[2025-06-28T20:55:21.536+0700] {override.py:2310} DEBUG - LDAP bind SUCCESS with username: '\x1b[1mcn=nic,dc=netflux,dc=com\x1b[22m'
[2025-06-28T20:55:21.538+0700] {override.py:1869} DEBUG - Calculated new roles for user='\x1b[1mcn=nic,dc=netflux,dc=com\x1b[22m' as: [Admin, Public]
[2025-06-28T20:55:21.539+0700] {override.py:1434} INFO - Updated user Nic Nic
INFO:     127.0.0.1:59481 - "POST /auth/token HTTP/1.1" 201 Created

From LDAP server:

ldap-server-1  | 685ff449 conn=1013 fd=12 ACCEPT from IP=192.168.65.1:38775 (IP=0.0.0.0:389)
ldap-server-1  | 685ff449 conn=1013 op=0 BIND dn="cn=admin,dc=netflux,dc=com" method=128
ldap-server-1  | 685ff449 conn=1013 op=0 BIND dn="cn=admin,dc=netflux,dc=com" mech=SIMPLE ssf=0
ldap-server-1  | 685ff449 conn=1013 op=0 RESULT tag=97 err=0 text=
ldap-server-1  | 685ff449 conn=1013 op=1 SRCH base="dc=netflux,dc=com" scope=2 deref=0 filter="(cn=nic)"
ldap-server-1  | 685ff449 conn=1013 op=1 SRCH attr=givenName sn mail memberOf
ldap-server-1  | 685ff449 <= mdb_equality_candidates: (cn) not indexed
ldap-server-1  | 685ff449 conn=1013 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap-server-1  | 685ff449 conn=1013 op=2 BIND anonymous mech=implicit ssf=0
ldap-server-1  | 685ff449 conn=1013 op=2 BIND dn="cn=nic,dc=netflux,dc=com" method=128
ldap-server-1  | 685ff449 conn=1013 op=2 BIND dn="cn=nic,dc=netflux,dc=com" mech=SIMPLE ssf=0
ldap-server-1  | 685ff449 conn=1013 op=2 RESULT tag=97 err=0 text=
ldap-server-1  | 685ff449 conn=1013 op=3 UNBIND
ldap-server-1  | 685ff449 conn=1013 fd=12 closed
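
A log check a defender could run over slapd output like the above, as an added example (not part of the comment or the PR): it reports simple binds (`method=128`) that carried a password on a connection where no TLS was negotiated. It assumes slapd's stats log format, in which a connection that negotiates TLS gets its own `TLS established` line; the function name and the second sample connection are constructed.

```python
import re

# Constructed sample. conn=1013 reuses the shape of the log in the comment
# above; conn=1014 is a constructed TLS connection for contrast.
SAMPLE_LOG = """\
ldap-server-1  | 685ff449 conn=1013 fd=12 ACCEPT from IP=192.168.65.1:38775 (IP=0.0.0.0:389)
ldap-server-1  | 685ff449 conn=1013 op=0 BIND dn="cn=admin,dc=netflux,dc=com" method=128
ldap-server-1  | 685ff449 conn=1013 op=0 BIND dn="cn=admin,dc=netflux,dc=com" mech=SIMPLE ssf=0
ldap-server-1  | 685ff449 conn=1013 op=0 RESULT tag=97 err=0 text=
ldap-server-1  | 685ff449 conn=1013 op=2 BIND dn="cn=nic,dc=netflux,dc=com" method=128
ldap-server-1  | 685ff449 conn=1013 op=2 RESULT tag=97 err=0 text=
ldap-server-1  | 685ff449 conn=1013 fd=12 closed
ldap-server-1  | 685ff44a conn=1014 fd=13 ACCEPT from IP=192.168.65.1:38776 (IP=0.0.0.0:636)
ldap-server-1  | 685ff44a conn=1014 fd=13 TLS established tls_ssf=256 ssf=256
ldap-server-1  | 685ff44a conn=1014 op=0 BIND dn="cn=nic,dc=netflux,dc=com" method=128
ldap-server-1  | 685ff44a conn=1014 op=0 BIND dn="cn=nic,dc=netflux,dc=com" mech=SIMPLE ssf=0
ldap-server-1  | 685ff44a conn=1014 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) \(IP=(\S+)\)")
TLS_UP = re.compile(r"conn=(\d+) fd=\d+ TLS established")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")
CLOSED = re.compile(r"conn=(\d+) fd=\d+ closed")


def find_cleartext_simple_binds(log_text):
    """Return one finding per password-bearing simple bind sent without TLS."""
    conns = {}     # conn id -> {"peer", "listener", "tls"}
    pending = {}   # (conn id, op id) -> finding awaiting its RESULT line
    findings = []
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            conns[m[1]] = {"peer": m[2], "listener": m[3], "tls": False}
        elif m := TLS_UP.search(line):
            # Covers LDAPS and StartTLS: both log this before the bind.
            conns.setdefault(m[1], {"peer": "?", "listener": "?"})["tls"] = True
        elif m := BIND.search(line):
            conn = conns.get(m[1])
            if conn is None:
                continue  # opened before the log window: TLS state unknown
            # method=128 is a simple bind; an empty DN is anonymous (no password).
            if m[4] == "128" and m[3] and not conn["tls"]:
                finding = {
                    "conn": int(m[1]),
                    "dn": m[3],
                    "peer": conn["peer"],
                    "listener": conn["listener"],
                    "accepted": None,  # filled in from the RESULT line
                }
                pending[(m[1], m[2])] = finding
                findings.append(finding)
        elif m := RESULT.search(line):
            finding = pending.pop((m[1], m[2]), None)
            if finding is not None:
                finding["accepted"] = m[3] == "0"
        elif m := CLOSED.search(line):
            conns.pop(m[1], None)
    return findings


if __name__ == "__main__":
    for f in find_cleartext_simple_binds(SAMPLE_LOG):
        print(f)
```

A rejected bind is reported as well (`accepted` is `False`), since the submitted password crossed the wire either way.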

@jpizquierdo
Contributor

Tested and working over here with latest helmchart, thanks

@vincbeck vincbeck marked this pull request as ready for review June 30, 2025 13:42
@eladkal
Contributor

eladkal commented Jun 30, 2025

I think we need some doc entries letting users know about this option and how to configure it

@vincbeck
Contributor Author

> I think we need some doc entries letting users know about this option and how to configure it

I think the doc already mentions LDAP (see here), the actual issue is that the code did not handle it. We could potentially mention here that only users from DB LDAP can get such token. WDYT?

@eladkal
Contributor

eladkal commented Jun 30, 2025

Sounds good

@vincbeck vincbeck force-pushed the vincbeck/fab_ldap branch from cc144cb to a17d236 Compare June 30, 2025 15:15
@vincbeck
Contributor Author

Done :)

Successfully merging this pull request may close these issues.

JWT Token Generation Fails for LDAP Users in Airflow 3.0 with FAB Auth Manager
7 participants