Dex Auth with TLS LDAP Connection Certs

Hello,

Is it possible to get Dex OpenLDAP to use TLS cert for connection?

Trying to get an OOD install integrated with a Bright cluster’s provided OpenLDAP.

  • The host that OOD is installed on is integrated (pam_ldap) so base auth tested working.
  • OOD and Dex are configured with SSL certificates and portal comes up.
  • OpenLDAP in Bright requires TLS certificate to connect.

The following error shows up on attempting login.

Internal Server Error

Login error: ldap: initial bind for user “cn=readonlyroot,dc=cm,dc=cluster” failed: unable to read LDAP response packet: remote error: tls: certificate required

These are the certificates listed in LDAP client configuration:

TLS_CACERT /cm/local/apps/openldap/etc/certs/ca.pem
TLS_CERT /cm/local/apps/openldap/etc/certs/ldap.pem
TLS_KEY /cm/local/apps/openldap/etc/certs/ldap.key

This is the current dex ldap configuration (copied ca.pem out of the location above to ldapca.pem below):

dex_uri: /dex
dex:
    ssl: true
    connectors:
        - type: ldap
          id: ldap
          name: LDAP
          config:
            host: ldapserver:636
            insecureSkipVerify: false
            rootCA: /cm/shared/certs/ldapca.pem
            bindDN: cn=readonlyroot,dc=cm,dc=cluster
            bindPW: jumbles
            userSearch:
              baseDN: dc=cm,dc=cluster
              filter: "(objectClass=posixAccount)"
              username: uid
              idAttr: uid
              emailAttr: mail
              nameAttr: gecos
              preferredUsernameAttr: uid

You’ll want to look at the OOD Dex configuration reference page:
https://osc.github.io/ood-documentation/latest/authentication/dex.html#ondemand-dex-configuration-reference

With the end result of:

dex:
  # Default based on if ssl key for ood-portal-generator is defined
  ssl: true
  ...
  # tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names
  tls_cert: /cm/local/apps/openldap/etc/certs/ldap.pem
  tls_key: /cm/local/apps/openldap/etc/certs/ldap.key
  ...

The attributes you want are tls_cert and tls_key, after which you can issue the rebuild with update_ood_portal.

Let me know if you still have issues.

Looks like this only updates the “web cert” if it needs to be different from the OOD web cert.

Couldn’t find docs, but was able to find a fix by digging in DEX GitHub issues. This commit in particular showed an added feature to the connector: Merge pull request #1278 from veily/master · dexidp/dex@ff70c04 · GitHub

Tried these “clientCert” and “clientKey” settings and LDAP lookups seem to work now.

dex:
    ssl: true
    connectors:
        - type: ldap
          id: ldap
          name: LDAP
          config:
            host: ldapserver:636
            insecureSkipVerify: false
            rootCA: /cm/shared/certs/ldapca.pem
            clientCert: /cm/shared/certs/ldap.pem
            clientKey: /cm/shared/certs/ldap.key
.....
...
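As an added example (not Dex's, OOD's or Bright's code), the Go program below reproduces both sides of what happened in this thread: a TLS listener that insists on a client certificate, as the Bright OpenLDAP does, and a client dialled the way Dex's ldap connector dials (rootCA verification of the server, optional clientCert/clientKey). Dialling without a client cert yields exactly the "remote error: tls: certificate required" alert from the first post, and it only surfaces on the first read, which is why Dex reports it at the bind step. The certificates, the "ldapserver" name and the one-byte reply are constructed fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed cert that is its own trust root (a constructed stand-in for the Bright CA, server and client certs).
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool
}

// startServer stands in for an LDAPS listener that demands a client cert; each connection gets 0x30 (BER SEQUENCE, the start of any LDAP reply).
func startServer(cert tls.Certificate, clientCAs *x509.CertPool) string {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}) // ClientAuth is the setting behind "certificate required"
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.Write([]byte{0x30}) // Write runs the server handshake; without a trusted client cert it fails here
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// dial connects as Dex's ldap connector does: verify the server against rootCA, offer clientCerts (nil = none), then read the first reply.
func dial(addr string, rootCA *x509.CertPool, clientCerts []tls.Certificate) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: rootCA, ServerName: "ldapserver", Certificates: clientCerts})
	if err == nil {
		defer conn.Close()
		_, err = conn.Read(make([]byte, 1)) // a missing or untrusted client cert surfaces here, not at Dial
	}
	return err
}
```

In a real deployment the same check is `insecureSkipVerify: false` plus `rootCA` for the server side and `clientCert`/`clientKey` for the client side; leaving the latter two out is what produced the original error.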
