Tags: ldap, airflow, memberof

restrict users with ldap in airflow


I've gotten LDAP authentication to work within Airflow, but it's allowing any user we have in our directory to log in. While it's only showing admin privs for members of the airflow-admin AD group, I would expect users that aren't a member of the airflow-admin or airflow-profiler groups to be denied access, and this isn't the case. Here's my config:

[webserver]
authenticate = True
auth_backend = airflow.contrib.auth.backends.ldap_auth

[ldap]
uri = ldaps://ldaps.mydomain.com:636
user_filter = objectClass=person
user_name_attr = sAMAccountName
group_member_attr = memberOf
superuser_filter = memberOf=CN=airflow-admin,OU=Users,DC=mydomain,DC=com
data_profiler_filter = memberOf=CN=airflow-profiler,OU=Users,DC=mydomain,DC=com
bind_user = cn=ldapadmin,ou=Admins,dc=mydomain,dc=com
bind_password = ******
basedn = dc=mydomain,dc=com
cacert = /usr/local/share/ca-certificates/mydomain.crt
search_scope = SUBTREE

I see several other similar posts with no resolution; I'm beginning to wonder if this even works. Here's a link to the Airflow doc section on LDAP: https://airflow.apache.org/security.html?#ldap


Solution

  • Have you tried to filter them out via the user_filter?

    The following should only allow access to users in one of the two mentioned groups. Unfortunately I do not have Airflow to test and verify this.

    user_filter = |(memberOf=CN=airflow-admin,OU=Users,DC=mydomain,DC=com)(memberOf=CN=airflow-profiler,OU=Users,DC=mydomain,DC=com)
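An added example (mine, not code from the question, the answer, or the Airflow project) that models how the [ldap] user_filter is used at login, so the open filter from the question and the OR filter from the answer can be compared offline. It assumes, from memory of the 1.x airflow.contrib.auth.backends.ldap_auth backend, that the configured user_filter is wrapped as (&({user_filter})({user_name_attr}={username})) and that login fails unless that search returns exactly one entry; treat that as an approximation of the real backend. The directory entries are constructed for the example. The username is escaped per RFC 4515 before it is spliced into the filter, which is a check worth confirming in whatever backend is actually in use, since an unescaped username such as "*" turns the lookup into a presence filter.

```python
"""Model of the Airflow 1.x ldap_auth login search over a constructed directory.

Assumption (from memory of the backend, not verified against its source):
    search_filter = "(&({user_filter})({user_name_attr}={username}))"
and login is refused unless exactly one entry matches.
"""
import re

# Constructed directory, not real data: attribute names lowercased, values as
# lists, the way an LDAP result set is usually represented.
DIRECTORY = [
    {"samaccountname": ["alice"], "objectclass": ["person"],
     "memberof": ["CN=airflow-admin,OU=Users,DC=mydomain,DC=com"]},
    {"samaccountname": ["bob"], "objectclass": ["person"],
     "memberof": ["CN=airflow-profiler,OU=Users,DC=mydomain,DC=com"]},
    {"samaccountname": ["carol"], "objectclass": ["person"],
     "memberof": ["CN=finance,OU=Users,DC=mydomain,DC=com"]},
]

# The question's user_filter: every person matches, so every account logs in.
OPEN_FILTER = "objectClass=person"
# The answer's user_filter: OR of two memberOf clauses, so only members of
# airflow-admin or airflow-profiler survive the login search.
RESTRICTED_FILTER = (
    "|(memberOf=CN=airflow-admin,OU=Users,DC=mydomain,DC=com)"
    "(memberOf=CN=airflow-profiler,OU=Users,DC=mydomain,DC=com)"
)


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter. Without it a
    username of '*' or 'x)(objectClass=*' rewrites the query itself."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def compose_search_filter(user_filter, user_name_attr, username, escape=True):
    """Build the login search filter the way the backend is assumed to."""
    if escape:
        username = escape_filter_value(username)
    return "(&({0})({1}={2}))".format(user_filter, user_name_attr, username)


def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Recursive-descent parse of the filter subset used here: (&...), (|...),
    (!...) and (attr=value). Returns (node, index_after_node)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d in %r" % (i, s))
        return (op, kids), i + 1
    j = s.index(")", i)  # safe: a literal ')' inside a value arrives escaped as \29
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def _match(node, entry):
    if node[0] == "=":
        _, attr, val = node
        values = entry.get(attr, [])
        if val == "*":                    # presence filter
            return bool(values)
        wanted = _unescape(val).lower()   # AD matches DNs and names case-insensitively
        return any(v.lower() == wanted for v in values)
    op, kids = node
    if op == "&":
        return all(_match(k, entry) for k in kids)
    if op == "|":
        return any(_match(k, entry) for k in kids)
    return not _match(kids[0], entry)     # "!"


def search(directory, filter_string):
    """Return the sAMAccountNames of entries matching filter_string."""
    node, end = _parse(filter_string, 0)
    if end != len(filter_string):
        raise ValueError("trailing data in filter %r" % filter_string)
    return [e["samaccountname"][0] for e in directory if _match(node, e)]


def login_allowed(directory, user_filter, username):
    """Model of the backend's decision: exactly one entry must match."""
    flt = compose_search_filter(user_filter, "sAMAccountName", username)
    return len(search(directory, flt)) == 1


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        print(name, "open:", login_allowed(DIRECTORY, OPEN_FILTER, name),
              "restricted:", login_allowed(DIRECTORY, RESTRICTED_FILTER, name))
    # Wildcard username: escaped it matches nobody; unescaped it matches everyone.
    print(search(DIRECTORY, compose_search_filter(OPEN_FILTER, "sAMAccountName", "*")))
    print(search(DIRECTORY, compose_search_filter(OPEN_FILTER, "sAMAccountName", "*", escape=False)))
```

With OPEN_FILTER all three constructed users pass the login search, which is the behaviour described in the question; with RESTRICTED_FILTER only alice and bob do, and carol is rejected before the superuser_filter and data_profiler_filter are even consulted. Those two filters only decide which role a successfully found user gets, which is why they never deny login on their own.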