Issues with configuring airflow 2.6.3/python3.11 with LDAP

[zhouxm2022]

Apache Airflow version

Other Airflow 2 version (please specify below)

If "Other Airflow 2 version" selected, which one?

2.6.3

What happened?

It seems that ldap indirect bind/search/bind work based on following log messages. and the role [admin] is resolved too. However, login page is redirected to login page. I checked ab_user_role table, it looks good. the last_login and login_count in ab_user table looks good too. before I switched to LDAP, AUTH_DB works fine. it seems the resolved role doesn't take effective in UI login flow. I also didn't any messages/errors in the log. could someone advise how to troubleshoot /debug it further?

Thanks in advance! Xiaoming

{manager.py:1025} DEBUG - LDAP bind indirect TRY with username: '\x1b[01mCN=s700xxx,...\x1b[22m'

{manager.py:1027} DEBUG - LDAP bind indirect SUCCESS with username: '\x1b[01mCN=s700xxx,...\x1b[22m'

{manager.py:961} DEBUG - LDAP search for '\x1b[01m(cn=s700xxx)\x1b[22m' with fields ['givenName', 'sn', 'mail', 'memberOf'] in scope '\x1b[01mOU=....\x1b[22m's700xxx

{manager.py:967} DEBUG - LDAP search returned: [('CN=s700xxx,....', {'sn': [b'ZhXX'], 'givenName': [b'XXX'], 'memberOf': [b'CN=XX,OU=...' ], 'mail': [b'xx@example.com']})]

{manager.py:1036} DEBUG - LDAP bind TRY with username: '\x1b[01mCN=s700xxx,....\x1b[22m'

{manager.py:1038} DEBUG - LDAP bind SUCCESS with username: '\x1b[01mCN=s700xxx,....\x1b[22m'

{manager.py:1198} DEBUG - Calculated new roles for user='\x1b[01mCN=s700xxx,...\x1b[22m' as: [Admin]

What you think should happen instead?

A user should see the main UI page.

How to reproduce

it depends on webserver_config.py

Operating System

Redhat v8.9

Versions of Apache Airflow Providers

No response

Deployment

Other

Deployment details

pip install

Anything else?

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg[bot]]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[romsharon98]

can you add your webserver_config.py?
did you try cleaning cookies?

[Taragolis]

This feature provided by the FAB (Flask App Builder), so you should check the documentation there https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap

[zhouxm2022]

@Taragolis ,Yes. I read it.

@romsharon98. I uses DB to store session at this moment, plan to switch to cookies. it appears there is a bug. when I use 4 webserver worker by default, I got duplicated session key errors. then I changed to 1 worker. it works fine. I also need disable CSRF token because there are errors in the log.

Thanks, Xiaoming

"""Default configuration for the Airflow webserver."""
from future import annotations
import os

from airflow.www.fab_security.manager import AUTH_LDAP
basedir = os.path.abspath(os.path.dirname(file))

WTF_CSRF_ENABLED = False
WTF_CSRF_TIME_LIMIT = None
AUTH_TYPE = AUTH_LDAP
AUTH_USER_REGISTRATION = True

AUTH_USER_REGISTRATION_ROLE = "Admin"

AUTH_ROLE_ADMIN = 'Admin'

AUTH_LDAP_SERVER = "ldap://example.com"
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_SEARCH = "OU=Canada,OU=...."
AUTH_LDAP_UID_FIELD = "cn"
AUTH_LDAP_BIND_USER = "CN=s700xxx,..."
AUTH_LDAP_BIND_PASSWORD = "xyz123"
AUTH_ROLES_MAPPING = {
"CN=xxx,OU=Users_Groups,DC=example,DC=com": ["Admin"],
}
AUTH_LDAP_GROUP_FIELD = "memberOf"
AUTH_ROLES_SYNC_AT_LOGIN = True
PERMANENT_SESSION_LIFETIME = 1800