[root@aplcdhen01 config]# rpm -q ondemand-dex
ondemand-dex-2.24.0-8.el7.x86_64
[root@aplcdhen01 config]# rpm -q ondemand
ondemand-1.6.25-1.el7.x86_64
[root@aplcdhen01 config]# ls -l /usr/sbin/ondemand-dex
-rwxr-xr-x 1 root root 24754216 Aug 6 15:30 /usr/sbin/ondemand-dex
[root@aplcdhen01 config]#
[root@aplcdhen01 config]# ls -l /etc/ood/dex/
total 4
-rw------- 1 ondemand-dex ondemand-dex 3508 Nov 3 19:33 config.yaml
Your version of OnDemand is too old to support Dex directly. You will need to upgrade to latest 1.8 release which is 1.8.12. Here are steps: https://osc.github.io/ood-documentation/latest/release-notes/v1.8-release-notes.html#upgrading-from-v1-7
There is one special step for upgrading from 1.6: https://osc.github.io/ood-documentation/latest/release-notes/v1.8-release-notes.html#upgrading-from-v1-6
While it’s possible to run mod_auth_openidc in such a way to support Dex without upgrading, I would strongly recommend upgrading as OIDC authentication was made much easier with the 1.8 release. If for some reason you cannot upgrade then you will have to configure mod_auth_openidc with all the necessary values similar to my previous grep output, just substitute your values. They could go into a file like /opt/rh/httpd24/root/etc/httpd/conf.d/auth_oidc.conf. Also you will have to configure Dex manually if you cannot upgrade, as the automatic Dex configuration steps taken by OnDemand were added in 1.8.
Thanks, I upgraded, now see the following errors:
[Wed Nov 04 13:21:00.837888 2020] [auth_openidc:error] [pid 29084] [client 10.100.10.124:49250] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:699: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]
[Wed Nov 04 13:21:00.837968 2020] [auth_openidc:error] [pid 29084] [client 10.100.10.124:49250] oidc_authenticate_user: the URL hostname (localhost) of the configured OIDCRedirectURI does not match the URL hostname of the URL being accessed (ondemand.jhuapl.edu): the “state” and “session” cookies will not be shared between the two!
cat /etc/ood/config/ood_portal.yml
# Ansible managed
---
servername: ondemand.jhuapl.edu
port: '443'
ssl:
  - 'SSLCertificateFile /etc/pki/tls/certs/aplcdhen01.jhuapl.edu.pem'
  - 'SSLCertificateKeyFile /etc/pki/tls/private/aplcdhen01.jhuapl.edu.key'
  - 'SSLCertificateChainFile /etc/pki/tls/certs/aplcdhen01.jhuapl.edu.pem'
auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'
dex:
  client_secret: 334389048b872a533002b34d73f8c29fd09efc50
  client_id: localhost
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: aplid.jhuapl.edu:636
        insecureSkipVerify: false
        userSearch:
          baseDN: cn=users,dc=jhuapl,dc=edu
          filter: "(objectClass=person)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: displayName
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=Groups,dc=dom1-proxy,dc=apl-staging
          filter: "(objectClass=group)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
  frontend:
    theme: ondemand
[root@aplcdhen01 ~]# cat /etc/ood/dex/config.yaml
---
issuer: https://ondemand.jhuapl.edu:5554
storage:
  type: sqlite3
  config:
    file: "/etc/ood/dex/dex.db"
web:
  http: 0.0.0.0:5556
  https: 0.0.0.0:5554
  tlsCert: "/etc/ood/dex/aplcdhen01.jhuapl.edu.pem"
  tlsKey: "/etc/ood/dex/aplcdhen01.jhuapl.edu.key"
telemetry:
  http: 0.0.0.0:5558
staticClients:
  - id: localhost
    redirectURIs:
      - https://localhost/oidc
    name: OnDemand
    secret: 334389048b872a533002b34d73f8c29fd09efc50
connectors:
  - type: ldap
    id: ldap
    name: LDAP
    config:
      host: aplid.jhuapl.edu:636
      insecureSkipVerify: false
      userSearch:
        baseDN: cn=users,dc=jhuapl,dc=edu
        filter: "(objectClass=person)"
        username: uid
        idAttr: uid
        emailAttr: mail
        nameAttr: displayName
        preferredUsernameAttr: uid
      groupSearch:
        baseDN: ou=Groups,dc=dom1-proxy,dc=apl-staging
        filter: "(objectClass=group)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn
oauth2:
  skipApprovalScreen: true
enablePasswordDB: false
frontend:
  dir: "/usr/share/ondemand-dex/web"
  theme: ondemand
Remove client_id: localhost from your dex configuration in ood_portal.yml, as that is used to build the OIDCRedirectURI. The client ID will automatically be populated based on the value you supplied for servername, so it’s fine to omit the value. If you want to continue setting client_id then set it to the same value as servername. With OnDemand the only thing under dex you must set is connectors. All the other items will be automatically set to appropriate values for you.
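As an added example (not from this thread or from the OnDemand project), a small Python check that reproduces the mismatch behind the mod_auth_openidc hostname error above by comparing servername, dex.client_id and the Dex static client's redirect URI, then applies the advice in the previous post. The /oidc redirect path, the fallback of client_id to servername, and the way the static client is regenerated are assumptions drawn from the posts above; the config dicts are constructed copies of the relevant keys.

```python
from copy import deepcopy
from urllib.parse import urlparse

# Constructed copies of the keys that matter from the two configs posted above,
# in the broken state (dex.client_id still set to "localhost").
OOD_PORTAL = {"servername": "ondemand.jhuapl.edu", "port": "443",
              "dex": {"client_id": "localhost",
                      "client_secret": "334389048b872a533002b34d73f8c29fd09efc50"}}
DEX_CONFIG = {"issuer": "https://ondemand.jhuapl.edu:5554",
              "staticClients": [{"id": "localhost", "name": "OnDemand",
                                 "redirectURIs": ["https://localhost/oidc"],
                                 "secret": "334389048b872a533002b34d73f8c29fd09efc50"}]}

def effective_client_id(ood_portal):
    """dex.client_id if set, otherwise servername (assumed OnDemand default)."""
    return ood_portal.get("dex", {}).get("client_id") or ood_portal["servername"]

def expected_redirect_uri(ood_portal):
    """OnDemand builds OIDCRedirectURI from the client id; the /oidc path is an assumption."""
    return f"https://{effective_client_id(ood_portal)}/oidc"

def check_dex_consistency(ood_portal, dex_config):
    """Return findings that explain the hostname error; an empty list means the configs agree."""
    findings = []
    servername = ood_portal["servername"]
    client_id = effective_client_id(ood_portal)
    if client_id != servername:
        findings.append(f"dex.client_id {client_id!r} != servername {servername!r}")
    if urlparse(dex_config["issuer"]).hostname != servername:
        findings.append("Dex issuer hostname does not match servername")
    client = next((c for c in dex_config.get("staticClients", []) if c["id"] == client_id), None)
    if client is None:
        return findings + [f"no Dex staticClient with id {client_id!r}"]
    if client.get("secret") != ood_portal.get("dex", {}).get("client_secret"):
        findings.append("client_secret differs between ood_portal.yml and Dex")
    for uri in client.get("redirectURIs", []):
        if urlparse(uri).hostname != servername:
            findings.append(f"redirect URI {uri!r} is not on servername; state/session cookies will not be shared")
    return findings

def apply_thread_fix(ood_portal, dex_config):
    """Drop client_id as advised above and regenerate the static client so that its id and
    redirect host both come from servername (assumed to mirror what OnDemand generates)."""
    portal, dex = deepcopy(ood_portal), deepcopy(dex_config)
    portal.get("dex", {}).pop("client_id", None)
    for client in dex.get("staticClients", []):
        client["id"] = effective_client_id(portal)
        client["redirectURIs"] = [expected_redirect_uri(portal)]
    return portal, dex
```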
Thanks! That worked. Now it looks like there are formatting issues with the page, but I would assume you would want to track that as a separate topic/issue, correct?
If the issue is formatting issues with Dex then I think this thread is fine, otherwise a new thread might be better.
I started another thread, thanks.