feat: add ldap configuration

- add group members to jupyterhub_user
- add svc_jupyterhub user for ldap binding
- paramatarise all ldap fields required
- manage the notebook data directory

hieradata/roles/apps/jupyter/hub.eyaml

@@ -0,0 +1 @@
+profiles::jupyter::jupyterhub::ldap_bind_pass: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJspN3e2WzA0uZaLgFZ0Ewqii9dY0tTgbirsW70M2VZtLY+s+C6HE8ZZUtpfnRsFwUUhOj7s25X9xVOZNTpZIGPyfx9MWlSyFw2RFuXSEwaydf1DcBbg8261YrTTysA4Jsa1L4DLsX55q+XJUyeUbimVQkIacVIvzTdnZCBKnVNUh3U2PNAmV7SOL2KH8Jpbfs/EQfBt8XuGMCg3I/4RDyoNERqthW6W2KiMX2Gmd8iQ5+W9udH0lEAMx415oyImmN+dEuThcx9FGMi8BWYtnxH96yWafpT5qltwW6EVzIGWuLhiD1LcWYc5RB8jc3DhbeouChpKsN6c4EHoKt3aWsTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC8jcnqilJgY1/AnHWHfX4bgDCi2a3Rj43Z0dgfB5HaHdpfked3Cx+u94r2S5+Cg3QogU1AIF04rjzOL+bD2HdaMfo=]

hieradata/roles/infra/auth/glauth.yaml

@@ -63,7 +63,8 @@ glauth::users:
       - 20018
       - 20023
       - 20024
-      - 20025
+      - 20025   # jupyterhub_admin
+      - 20026   # jupyterhub_user
     loginshell: '/bin/bash'
     homedir: '/home/benvin'
     passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
@@ -242,6 +243,12 @@ glauth::services:
     uidnumber: 30009
     primarygroup: 20001
     passsha256: 'd63b04884d5c7d630b0c06896046065a0926ac5c3d6177ef85320e5fa1be00b9'
+  svc_jupyterhub:
+    service_name: 'svc_jupyterhub'
+    mail: 'jupyterhub@service.main.unkin.net'
+    uidnumber: 30010
+    primarygroup: 20001
+    passsha256: '09db1e0c2498214da35f3f2ed46a90a7b90635c207f8725e7abf76b48345a39b'
 
 glauth::groups:
   users:

site/profiles/manifests/jupyter/jupyterhub.pp

@@ -3,6 +3,7 @@ class profiles::jupyter::jupyterhub (
   Stdlib::AbsolutePath  $base_path = '/opt/jupyterhub',
   Stdlib::AbsolutePath  $venv_path = "${base_path}/venv",
   Stdlib::AbsolutePath  $config_path = "${base_path}/config.py",
+  Stdlib::AbsolutePath  $notebook_path = '/home/jupyter/work',
   Hash                  $vault_config = {},
   String                $owner = 'jupyterhub',
   String                $group = 'jupyterhub',
@@ -13,13 +14,19 @@ class profiles::jupyter::jupyterhub (
     'dockerspawner',
     'jupyterhub-ldapauthenticator',
   ],
-  String  $ldap_server_address    = 'ldap://ldap.service.consul',
-  String  $ldap_bind_dn_template  = 'cn={username},ou=people,ou=users,dc=main,dc=unkin,dc=net',
-  Boolean $ldap_use_ssl           = false,
-  Array   $ldap_allowed_groups    = ['ou=jupyterhub_user,ou=groups,dc=main,dc=unkin,dc=net'],
-  Array   $ldap_admin_users       = [],
-  String  $docker_image           = 'git.query.consul/unkin/almalinux8-jupyterinstance:latest',
-  String  $docker_network         = 'jupyterhub',
+  String  $ldap_server_address      = 'ldap://ldap.service.consul',
+  String  $ldap_tls_strategy        = 'insecure',
+  Array   $ldap_allowed_groups      = ['ou=jupyterhub_user,ou=groups,dc=main,dc=unkin,dc=net'],
+  Array   $ldap_admin_users         = [],
+  String  $ldap_bind_user           = 'cn=svc_jupyterhub,ou=services,ou=users,dc=main,dc=unkin,dc=net',
+  String  $ldap_bind_pass           = 'change-me',
+  String  $ldap_user_search_base    = 'ou=people,ou=users,dc=main,dc=unkin,dc=net',
+  String  $ldap_user_search_filter  = '({login_attr}={login})',
+  String  $ldap_group_search_filter = '(uniqueMember={userdn})',
+  String  $ldap_user_attribute      = 'uid',
+  String  $ldap_user_dn_attribute   = 'cn',
+  String  $docker_image             = 'git.query.consul/unkin/almalinux8-jupyterinstance:latest',
+  String  $docker_network           = 'bridge',
 ){
 
   # ensure nodejs:20 is installed
@@ -93,7 +100,7 @@ class profiles::jupyter::jupyterhub (
       username => $owner,
       uid      => 1101,
       gid      => 1101,
-      groups   => ['systemd-journal'],
+      groups   => ['systemd-journal', 'docker'],
       system   => true,
     }
 
@@ -107,11 +114,5 @@ class profiles::jupyter::jupyterhub (
       ],
     }
 
-    ## create symbolic link in $PATH
-    #file { "/usr/local/bin/${script_name}":
-    #  ensure  => 'link',
-    #  target  => "${base_path}/${script_name}",
-    #  require => File["${base_path}/${script_name}"],
-    #}
   }
 }

site/profiles/templates/jupyterhub/config.py.erb

@@ -16,12 +16,11 @@ c.DockerSpawner.image = '<%= @docker_image %>'
 c.DockerSpawner.network_name = '<%= @docker_network %>'
 
 # Notebook directory and mount location
-notebook_dir = '/home/jupyter/work'
-c.DockerSpawner.notebook_dir = notebook_dir
+c.DockerSpawner.notebook_dir = '<%= @notebook_path %>'
 
 # Optional: Volume mapping for user data persistence
 c.DockerSpawner.volumes = {
-    'jupyterhub-user-{username}': notebook_dir
+  'jupyterhub-user-{username}': '<%= @notebook_path %>'
 }
 
 # DockerSpawner options
@@ -33,11 +32,20 @@ c.JupyterHub.authenticator_class = 'ldapauthenticator.LDAPAuthenticator'
 
 # LDAP Server settings
 c.LDAPAuthenticator.server_address = '<%= @ldap_server_address %>'
-c.LDAPAuthenticator.bind_dn_template = '<%= @ldap_bind_dn_template %>'
-c.LDAPAuthenticator.use_ssl = <%= @ldap_use_ssl ? 'True' : 'False' %>
+c.LDAPAuthenticator.tls_strategy = '<%= @ldap_tls_strategy %>'
 
 # Restrict access to a specific LDAP group
 c.LDAPAuthenticator.allowed_groups = <%= @ldap_allowed_groups.to_s %>
 
 # List LDAP users as admins
 c.LDAPAuthenticator.admin_users = <%= @ldap_admin_users.to_s %>
+
+# Lookup settings
+c.LDAPAuthenticator.lookup_dn = True
+c.LDAPAuthenticator.lookup_dn_search_filter = '<%= @ldap_user_search_filter %>'
+c.LDAPAuthenticator.lookup_dn_search_user = '<%= @ldap_bind_user %>'
+c.LDAPAuthenticator.lookup_dn_search_password = '<%= @ldap_bind_pass %>'
+c.LDAPAuthenticator.user_search_base = '<%= @ldap_user_search_base %>'
+c.LDAPAuthenticator.user_attribute = '<%= @ldap_user_attribute %>'
+c.LDAPAuthenticator.lookup_dn_user_dn_attribute = '<%= @ldap_user_dn_attribute %>'
+c.LDAPAuthenticator.group_search_filter = '<%= @ldap_group_search_filter %>'