Dex Auth with TLS LDAP Connection Certs

Get Help
1

Hello,

Is it possible to get Dex OpenLDAP to use TLS cert for connection?

Trying to get an OOD install integrated with a Bright cluster’s provided OpenLDAP.

  • The host that OOD is installed on is integrated (pam_ldap) so base auth tested working.
  • OOD and Dex are configured with SSL certificates and portal comes up.
  • OpenLDAP in Bright requires TLS certificate to connect.

The following error shows up on attempting login.

Internal Server Error

Login error: ldap: initial bind for user “cn=readonlyroot,dc=cm,dc=cluster” failed: unable to read LDAP response packet: remote error: tls: certificate required

These are the certificates listed in LDAP client configuration:

TLS_CACERT /cm/local/apps/openldap/etc/certs/ca.pem
TLS_CERT /cm/local/apps/openldap/etc/certs/ldap.pem
TLS_KEY /cm/local/apps/openldap/etc/certs/ldap.key

This is current dex ldap configuration (copied ca.pem out of location above to ldapca.pem below)

dex_uri: /dex
dex:
    ssl: true
    connectors:
        - type: ldap
          id: ldap
          name: LDAP
          config:
            host: ldapserver:636
            insecureSkipVerify: false
            rootCA: /cm/shared/certs/ldapca.pem
            bindDN: cn=readonlyroot,dc=cm,dc=cluster
            bindPW: jumbles
            userSearch:
              baseDN: dc=cm,dc=cluster
              filter: "(objectClass=posixAccount)"
              username: uid
              idAttr: uid
              emailAttr: mail
              nameAttr: gecos
              preferredUsernameAttr: uid
2

You’ll want to look at the OOD Dex configuration reference page:
https://osc.github.io/ood-documentation/latest/authentication/dex.html#ondemand-dex-configuration-reference

With the end result of:

dex:
  # Default based on if ssl key for ood-portal-generator is defined
  ssl: true
  ...
  # tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names
  tls_cert: /cm/local/apps/openldap/etc/certs/ldap.pem
  tls_key: /cm/local/apps/openldap/etc/certs/ldap.key
  ...

The attributes you want are tls_certand tls_key which you can then issue the rebuild with update_ood_portal.

Let me know if you still have issues.

3

Looks like this only updates the “web cert” if it needs to be different from the OOD web cert.

Couldn’t find docs, but was able to find a fix by digging in DEX github issues. This commit in partitcular showed added feature to connector: Merge pull request #1278 from veily/master · dexidp/dex@ff70c04 · GitHub

Tried these “clientCert” and “clientKey” settings and LDAP lookups seems to work now.

dex:
    ssl: true
    connectors:
        - type: ldap
          id: ldap
          name: LDAP
          config:
            host: ldapserver:636
            insecureSkipVerify: false
            rootCA: /cm/shared/certs/ldapca.pem
            clientCert: /cm/shared/certs/ldap.pem
            clientKey: /cm/shared/certs/ldap.key
.....
...
4

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.