AD Authentication 500 error caused by REDASH_LDAP_EMAIL_KEY

Issue Summary

I’m trying to get AD authentication working with Redash as per https://redash.io/help/open-source/admin-guide/ldap-authentication but I keep encountering a 500 Internal Server error caused by the ldap3 package. The error occurs when I browse to https://redash.example.com/ldap/login and enter my credentials.

I’m not sure of the purpose of REDASH_LDAP_EMAIL_KEY or REDASH_LDAP_DISPLAY_NAME_KEY and not sure if I need a custom entry for them in my environment.

My /opt/redash/env file looks like:

PYTHONUNBUFFERED=0
REDASH_LOG_LEVEL=INFO
REDASH_REDIS_URL=redis://redis:6379/0
POSTGRES_PASSWORD=password
REDASH_COOKIE_SECRET=secret
REDASH_SECRET_KEY=key
REDASH_DATABASE_URL=postgresql://url
REDASH_LDAP_LOGIN_ENABLED=true
REDASH_LDAP_URL=ldaps://ad.example.com:636
REDASH_LDAP_BIND_DN=auth@example.com
REDASH_LDAP_BIND_DN_PASSWORD=password
REDASH_LDAP_SEARCH_TEMPLATE=(sAMAccountName=%(username)s)
REDASH_LDAP_SEARCH_DN=OU=Users,OU=Unit,DC=example,DC=com

The error from docker logs --tail 50 --follow --timestamps redash_server_1:

2021-04-12T04:15:57.859933817Z [2021-04-12 04:15:57,857] ERROR in app: Exception on /ldap/login [POST]
2021-04-12T04:15:57.860023611Z Traceback (most recent call last):
2021-04-12T04:15:57.860030407Z   File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1982, in wsgi_app
2021-04-12T04:15:57.860052847Z     response = self.full_dispatch_request()
2021-04-12T04:15:57.860057089Z   File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1614, in full_dispatch_request
2021-04-12T04:15:57.860060623Z     rv = self.handle_user_exception(e)
2021-04-12T04:15:57.860063949Z   File "/usr/local/lib/python2.7/site-packages/flask_restful/__init__.py", line 271, in error_router
2021-04-12T04:15:57.860067388Z     return original_handler(e)
2021-04-12T04:15:57.860070597Z   File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1517, in handle_user_exception
2021-04-12T04:15:57.860073996Z     reraise(exc_type, exc_value, tb)
2021-04-12T04:15:57.860077261Z   File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1612, in full_dispatch_request
2021-04-12T04:15:57.860080978Z     rv = self.dispatch_request()
2021-04-12T04:15:57.860084186Z   File "/usr/local/lib/python2.7/site-packages/flask/app.py", line 1598, in dispatch_request
2021-04-12T04:15:57.860088311Z     return self.view_functions[rule.endpoint](**req.view_args)
2021-04-12T04:15:57.860091604Z   File "/app/redash/authentication/ldap_auth.py", line 45, in login
2021-04-12T04:15:57.860094926Z     ldap_user[settings.LDAP_EMAIL_KEY][0]
2021-04-12T04:15:57.860098094Z   File "/usr/local/lib/python2.7/site-packages/ldap3/abstract/attribute.py", line 84, in __getitem__
2021-04-12T04:15:57.860101513Z     return self.values[item]
2021-04-12T04:15:57.860104797Z IndexError: list index out of range
2021-04-12T04:15:57.861213002Z [2021-04-12 04:15:57,860][PID:18][INFO][metrics] method=POST path=/ldap/login endpoint=ldap_auth_login status=500 content_type=? content_length=-1 duration=274.50 query_count=0 query_duration=0.00
2021-04-12T04:15:58.124549509Z [2021-04-12 04:15:58,124][PID:18][INFO][metrics] method=GET path=/favicon.ico endpoint=redash_index status=302 content_type=text/html; charset=utf-8 content_length=333 duration=1.81 query_count=0 query_duration=0.00

Technical details:

  • Redash Version: 8.0.2:b37747
  • Browser/OS: Ubuntu 18.04
  • How did you install Redash: setup.sh (note, ldap3 was installed on redash_server_1 by docker exec -u 0 -it redash_server_1 /bin/bash)

On my side, I’ve tested both solutions and they work for me with LDAP ldap3==2.9

#1 build from redash docker
Create a docker file with the following content

Docker file
FROM redash/redash:8.0.2.b37747
USER root
RUN pip install ldap3 greenlet==0.4.16
USER redash

docker build .

#2 rebuild from source

  • update requirements.txt (last line) by uncommenting LDAP

docker build .

=> Deploy as you used to do…

The env variables I had to set up:

  REDASH_LDAP_AUTH_METHOD: ANONYMOUS
  REDASH_LDAP_CUSTOM_USERNAME_PROMPT: "YOUR LOGIN :"
  REDASH_LDAP_DISPLAY_NAME_KEY: "cn"
  REDASH_LDAP_LOGIN_ENABLED: "true"
  REDASH_LDAP_SEARCH_DN: "o=my_great_company"
  REDASH_LDAP_SEARCH_TEMPLATE: "(uid=%(username)s)"
  REDASH_LDAP_URL: ldap.my_great_company:389

I did not set anything regarding REDASH_LDAP_EMAIL

Thanks but this didn’t work. I did not build from source; I use docker-compose. So, updating the env file, I would run docker-compose up -d to update the containers, then run docker-compose restart to restart the containers.

I figured this out. In our environment, users in AD aren’t assigned anything in the “mail” attribute. So, the ldap3 library was pulling an empty email and erroring due to it requiring something. Changing the environment variable REDASH_LDAP_EMAIL_KEY in the env file to REDASH_LDAP_EMAIL_KEY=userPrincipalName fixed this issue.
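
The failure mode resolved in this thread, as an added example that is not part of the original posts or Redash's own code: a pre-flight check that reports which configured LDAP attribute keys are empty or absent on a directory entry, before the login view indexes them with [0]. The default key names, the helper names and the sample entry are assumptions constructed for illustration.

```python
# Added example (not Redash code): find LDAP attribute keys that would be empty at login.
# Defaults are assumptions: "mail" matches the thread, "displayName" is assumed.
DEFAULT_KEYS = {
    "REDASH_LDAP_EMAIL_KEY": "mail",
    "REDASH_LDAP_DISPLAY_NAME_KEY": "displayName",
}

def parse_env(text):
    """Parse KEY=VALUE lines of an env file, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values may contain '=' (search templates)
        env[key.strip()] = value.strip()
    return env

def check_entry(env, attributes):
    """Return {setting: (attribute_name, first_value_or_None)} for one entry.

    attributes maps attribute name -> list of values. None marks a key whose
    [0] lookup would fail because the attribute is empty or absent.
    """
    lowered = {name.lower(): vals for name, vals in attributes.items()}  # names are case-insensitive
    report = {}
    for setting, default in DEFAULT_KEYS.items():
        attr = env.get(setting, default)
        values = lowered.get(attr.lower()) or []
        report[setting] = (attr, next((v for v in values if v), None))
    return report

def failing_settings(report):
    """Names of the settings that point at an empty or missing attribute."""
    return sorted(name for name, (_, value) in report.items() if value is None)

# Constructed sample: an AD user whose "mail" attribute was never populated.
SAMPLE_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "displayName": ["Jane Doe"],
    "userPrincipalName": ["jdoe@example.com"],
    "mail": [],
}
ENV_BEFORE = "REDASH_LDAP_LOGIN_ENABLED=true\nREDASH_LDAP_URL=ldaps://ad.example.com:636\n"
ENV_AFTER = ENV_BEFORE + "REDASH_LDAP_EMAIL_KEY=userPrincipalName\n"

if __name__ == "__main__":
    for label, text in (("before", ENV_BEFORE), ("after", ENV_AFTER)):
        report = check_entry(parse_env(text), SAMPLE_ENTRY)
        print(label, failing_settings(report) or "ok")
```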