Dex LDAP not working

[root@aplcdhen01 config]# rpm -q ondemand-dex
ondemand-dex-2.24.0-8.el7.x86_64
[root@aplcdhen01 config]# rpm -q ondemand
ondemand-1.6.25-1.el7.x86_64
[root@aplcdhen01 config]# ls -l /usr/sbin/ondemand-dex
-rwxr-xr-x 1 root root 24754216 Aug 6 15:30 /usr/sbin/ondemand-dex
[root@aplcdhen01 config]#
[root@aplcdhen01 config]# ls -l /etc/ood/dex/
total 4
-rw------- 1 ondemand-dex ondemand-dex 3508 Nov 3 19:33 config.yaml

Your version of OnDemand is too old to support Dex directly. You will need to upgrade to the latest 1.8 release, which is 1.8.12. Here are the steps: https://osc.github.io/ood-documentation/latest/release-notes/v1.8-release-notes.html#upgrading-from-v1-7

There is one special step for upgrading from 1.6: https://osc.github.io/ood-documentation/latest/release-notes/v1.8-release-notes.html#upgrading-from-v1-6

While it’s possible to run mod_auth_openidc in such a way as to support Dex without upgrading, I would strongly recommend upgrading, as OIDC authentication was made much easier with the 1.8 release. If for some reason you cannot upgrade, then you will have to configure mod_auth_openidc with all the necessary values similar to my previous grep output, just substituting your values. They could go into a file like /opt/rh/httpd24/root/etc/httpd/conf.d/auth_oidc.conf. You will also have to configure Dex manually if you cannot upgrade, as the automatic Dex configuration steps taken by OnDemand were added in 1.8.

Thanks, I upgraded, now see the following errors:

[Wed Nov 04 13:21:00.837888 2020] [auth_openidc:error] [pid 29084] [client 10.100.10.124:49250] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:699: oidc_jwe_decrypt_impl]: encrypted JWT could not be decrypted with any of the 1 keys: error for last tried key is: crypto error [file: jwe.c, function: _cjose_jwe_decrypt_dat_a256gcm, line: 1263]
[Wed Nov 04 13:21:00.837968 2020] [auth_openidc:error] [pid 29084] [client 10.100.10.124:49250] oidc_authenticate_user: the URL hostname (localhost) of the configured OIDCRedirectURI does not match the URL hostname of the URL being accessed (ondemand.jhuapl.edu): the “state” and “session” cookies will not be shared between the two!

cat /etc/ood/config/ood_portal.yml
# Ansible managed
---
servername: ondemand.jhuapl.edu
port: '443'

ssl:
- 'SSLCertificateFile /etc/pki/tls/certs/aplcdhen01.jhuapl.edu.pem'
- 'SSLCertificateKeyFile /etc/pki/tls/private/aplcdhen01.jhuapl.edu.key'
- 'SSLCertificateChainFile /etc/pki/tls/certs/aplcdhen01.jhuapl.edu.pem'

auth:
- 'AuthType openid-connect'
- 'Require valid-user'

dex:
  client_secret: 334389048b872a533002b34d73f8c29fd09efc50
  client_id: localhost
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: aplid.jhuapl.edu:636
        insecureSkipVerify: false
        userSearch:
          baseDN: cn=users,dc=jhuapl,dc=edu
          filter: "(objectClass=person)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: displayName
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=Groups,dc=dom1-proxy,dc=apl-staging
          filter: "(objectClass=group)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
  frontend:
    theme: ondemand
[root@aplcdhen01 ~]# cat /etc/ood/dex/config.yaml
---
issuer: https://ondemand.jhuapl.edu:5554
storage:
  type: sqlite3
  config:
    file: "/etc/ood/dex/dex.db"
web:
  http: 0.0.0.0:5556
  https: 0.0.0.0:5554
  tlsCert: "/etc/ood/dex/aplcdhen01.jhuapl.edu.pem"
  tlsKey: "/etc/ood/dex/aplcdhen01.jhuapl.edu.key"
telemetry:
  http: 0.0.0.0:5558
staticClients:
- id: localhost
  redirectURIs:
  - https://localhost/oidc
  name: OnDemand
  secret: 334389048b872a533002b34d73f8c29fd09efc50
connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: aplid.jhuapl.edu:636
    insecureSkipVerify: false
    userSearch:
      baseDN: cn=users,dc=jhuapl,dc=edu
      filter: "(objectClass=person)"
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: displayName
      preferredUsernameAttr: uid
    groupSearch:
      baseDN: ou=Groups,dc=dom1-proxy,dc=apl-staging
      filter: "(objectClass=group)"
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
oauth2:
  skipApprovalScreen: true
enablePasswordDB: false
frontend:
  dir: "/usr/share/ondemand-dex/web"
  theme: ondemand

Remove client_id: localhost from your dex configuration in ood_portal.yml, as that is used to build the OIDCRedirectURI. The client ID will automatically be populated based on the value you supplied for servername, so it’s fine to omit the value. If you want to continue setting client_id, then set it to the same value as servername. With OnDemand the only thing under dex you must set is connectors. All the other items will be automatically set to appropriate values for you.
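As an added illustration of the fix in the reply above (not code from the thread or from the OnDemand project), the snippet below rebuilds the Dex redirect URI the way the thread describes it (client_id falls back to servername and becomes the hostname of https://<client_id>/oidc, as seen in the generated dex config.yaml), flags the hostname mismatch for the before/after ood_portal.yml settings, and extracts the two hostnames from the auth_openidc error line. The non-443 port handling and the hypothetical helper names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed from the thread: the relevant ood_portal.yml keys before and after the fix.
PORTAL_BEFORE = {"servername": "ondemand.jhuapl.edu", "port": "443",
                 "dex": {"client_id": "localhost"}}
PORTAL_AFTER = {"servername": "ondemand.jhuapl.edu", "port": "443", "dex": {}}

# Constructed copy of the mod_auth_openidc error line quoted earlier in the thread.
ERROR_LOG = (
    "[Wed Nov 04 13:21:00.837968 2020] [auth_openidc:error] [pid 29084] "
    "[client 10.100.10.124:49250] oidc_authenticate_user: the URL hostname (localhost) "
    "of the configured OIDCRedirectURI does not match the URL hostname of the URL being "
    "accessed (ondemand.jhuapl.edu): the \"state\" and \"session\" cookies will not be "
    "shared between the two!"
)


def derived_redirect_uri(portal):
    """Rebuild the Dex redirect URI as described in the thread: client_id defaults to
    servername and becomes the host of https://<client_id>/oidc (mirrors the
    redirectURIs entry in the generated dex config.yaml). Appending a non-443 port
    is an assumption, not something the thread shows."""
    dex = portal.get("dex") or {}
    client_id = dex.get("client_id") or portal["servername"]
    port = str(portal.get("port", "443"))
    host = client_id if port == "443" else f"{client_id}:{port}"
    return f"https://{host}/oidc"


def redirect_host_mismatch(portal):
    """Return (redirect_host, servername) when the derived OIDCRedirectURI hostname
    would not match the name users browse to (the cookie-sharing error), else None."""
    redirect_host = urlsplit(derived_redirect_uri(portal)).hostname
    if redirect_host != portal["servername"]:
        return (redirect_host, portal["servername"])
    return None


MISMATCH_RE = re.compile(
    r"the URL hostname \((?P<configured>[^)]+)\) of the configured OIDCRedirectURI "
    r"does not match the URL hostname of the URL being accessed \((?P<accessed>[^)]+)\)"
)


def parse_mismatch_log(line):
    """Extract (configured, accessed) hostnames from the auth_openidc error message,
    or None when the line is some other log entry."""
    m = MISMATCH_RE.search(line)
    return (m.group("configured"), m.group("accessed")) if m else None
```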

Thanks! That worked. Now it looks like there are formatting issues with the page, but I would assume you would want to track that as a separate topic/issue, correct?

If the issue is formatting issues with Dex then I think this thread is fine, otherwise a new thread might be better.

I started another thread, thanks.