Dex with LDAP giving internal server error

I’ve installed ondemand-2.0.20-1 and ondemand-dex-2.27.0-2 and have the dex section of /etc/ood/config/ood_portal.yml like this:

dex:
# # Default based on if ssl key for ood-portal-generator is defined
  ssl: true
# # Only used if SSL is disabled
#  http_port: "5556"
# # Only used if SSL is enabled
  https_port: "5554"
# # tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names
  tls_cert: null
  tls_key: null
  storage_file: /etc/ood/dex/dex.db
  grpc: null
  expiry: null
# # Client ID, defaults to servername or FQDN
  client_id: null
  client_name: OnDemand
# # Client secret, value auto generated
# # A value that is a filesystem path can be used to store secret in a file
  client_secret: /etc/ood/dex/ondemand.secret
# # The OnDemand redirectURI is auto-generated, this option allows adding additional URIs
  client_redirect_uris: []
# # Additional Dex OIDC clients to configure
#  static_clients: []
# # The following example is to configure OpenLDAP
# # Docs: https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md
  connectors:
     - type: ldap
       id: ldap
       name: LDAP
       config:
         host: it-hs-dc03.cshl.edu:636
         insecureSkipVerify: false
         bindDN: "CN=ldap authentication,OU=Service Accounts,OU=ITStaff,OU=Departments,OU=CSHLusers,DC=cshl,DC=edu"
         bindPW: OMITTED
         userSearch:
           baseDN: OU=CSHLusers,DC=cshl,DC=edu
           filter: "(objectClass=posixAccount)"
           username: uid
           idAttr: uid
           emailAttr: mail
           nameAttr: gecos
           preferredUsernameAttr: uid
         groupSearch:
           baseDN: OU=CSHLgroups,DC=cshl,DC=edu
           filter: "(objectClass=posixGroup)"
           userMatchers:
             - userAttr: DN
               groupAttr: member
           nameAttr: cn

I am getting an internal server error with the following in the log:

[Fri Mar 18 16:55:50.259555 2022] [auth_openidc:error] [pid 200603:tid 140224977958656] [client 143.48.116.14:52638] oidc_check_userid_openidc: configuration error: the authentication type is set to "openid-connect" but OIDCRedirectURI has not been set

Suggestions and help welcome!

Thanks

Hi and welcome!

I’d comment these 2 out and see what the behavior is.

  # client_id: null
  # client_redirect_uris: []

Thanks for the quick reply. Made that change and got a new error:

[Fri Mar 18 17:36:47.266770 2022] [auth_openidc:error] [pid 201049:tid 140697458108160] [client 143.48.116.14:53300] oidc_util_http_call: curl_easy_perform() failed on: https://lightshare.cshl.edu:5554/.well-known/openid-configuration (SSL certificate problem: unable to get local issuer certificate)
[Fri Mar 18 17:36:47.266822 2022] [auth_openidc:error] [pid 201049:tid 140697458108160] [client 143.48.116.14:53300] oidc_provider_static_config: could not retrieve metadata from url: https://lightshare.cshl.edu:5554/.well-known/openid-configuration

Hi, try to curl this URL locally to see whether the SSL-related stuff is going well.


You probably need to add the CA to the trust store like in this topic.

Thanks for the help. So we had to change SSLCertificateFile to the cert concatenated with the chain certs, instead of (in addition to?) using SSLCertificateChainFile. That brought up the login page, but after entering username/password, the next error 🙂 is

Login error: failed to connect: LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority

On the web page itself

Do you have your CA specified in the LDAP connector? Like:

...
  connectors:
  - type: ldap
    id: ldap
    name: LDAP
    config:
      host: yourLDAPserver
      rootCA: /etc/ssl/certs/yourCAcert.pem
...

There was no rootCA line. Got it working now, thanks for the help!

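Both certificate errors in this thread have the same shape: a client that trusts the CA but holds none of the intermediates (curl inside mod_auth_openidc fetching the Dex discovery document on :5554, and Dex's ldap connector talking to AD on :636) is handed a chain it cannot complete. The script below is an added example, not code from this thread, from ood-portal-generator or from Dex; it assumes only the openssl CLI, and the host names and file paths in its usage comments are placeholders. `check_bundle` answers offline whether a PEM file such as the one pointed at by SSLCertificateFile (which, per the tls_cert/tls_key comment in ood_portal.yml, presumably is what ood-portal-generator copies to /etc/ood/dex for Dex to serve) carries the leaf followed by every intermediate needed to reach a given root; `probe_endpoint` repeats the same verification against a live endpoint, optionally with the CA file you would put in the connector's `rootCA:`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread, Open OnDemand or Dex). Requires openssl.
#   check_bundle BUNDLE.pem CA.pem   -> does the leaf chain to CA using only
#                                       the intermediates inside BUNDLE?
#   probe_endpoint host:port [CA.pem] -> what does a live server present, and
#                                        does it verify against CA? (network)

# split_bundle BUNDLE DIR: write each certificate in BUNDLE to DIR/certN.pem
# (N from 1, in file order) and print the number of certificates found.
split_bundle() {
  local bundle=$1 dir=$2
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n > 0 { print > (dir "/cert" n ".pem") }
  ' "$bundle"
  grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true
}

# check_bundle BUNDLE CA_FILE: return 0 when the first certificate in BUNDLE
# (the leaf, which Apache expects first in SSLCertificateFile) chains to a
# root in CA_FILE using only the remaining certificates in BUNDLE as
# untrusted intermediates. That is the view of curl/mod_auth_openidc or the
# Dex ldap connector: they trust the CA and nothing else.
check_bundle() {
  local bundle=$1 ca=$2 dir n i rc
  dir=$(mktemp -d) || return 2
  n=$(split_bundle "$bundle" "$dir")
  if [ "$n" -lt 1 ]; then
    echo "no certificates found in $bundle" >&2
    rm -rf "$dir"
    return 2
  fi
  if [ "$n" -gt 1 ]; then
    # everything after the leaf is offered as an intermediate, never as a root
    i=2
    while [ "$i" -le "$n" ]; do cat "$dir/cert$i.pem"; i=$((i + 1)); done \
      > "$dir/intermediates.pem"
    openssl verify -CAfile "$ca" -untrusted "$dir/intermediates.pem" \
      "$dir/cert1.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$ca" "$dir/cert1.pem" >/dev/null 2>&1
  fi
  rc=$?
  if [ "$rc" -eq 0 ]; then
    echo "OK: leaf in $bundle chains to a root in $ca via $((n - 1)) bundled intermediate(s)"
  else
    echo "FAIL: leaf in $bundle does not chain to $ca with $((n - 1)) bundled intermediate(s)" >&2
    echo "      clients report this as 'unable to get local issuer certificate' or" >&2
    echo "      'certificate signed by unknown authority'" >&2
  fi
  rm -rf "$dir"
  return "$rc"
}

# probe_endpoint HOST:PORT [CA_FILE]: open a TLS connection (needs network),
# print the subject/issuer of each certificate the server sends and OpenSSL's
# verdict. With CA_FILE this is what Dex sees once rootCA: points at that file.
probe_endpoint() {
  local hp=$1 ca=${2:-} host=${1%%:*}
  if [ -n "$ca" ]; then
    openssl s_client -connect "$hp" -servername "$host" -showcerts -CAfile "$ca" \
      </dev/null 2>/dev/null
  else
    openssl s_client -connect "$hp" -servername "$host" -showcerts </dev/null 2>/dev/null
  fi | awk '/^ *[0-9]+ s:/ || /^ *i:/ { print } /Verify return code/ { print; exit }'
}

# Manual use, e.g. (placeholder names):
#   ./chaincheck.sh check /etc/pki/tls/certs/portal.crt /etc/ssl/certs/your-ca.pem
#   ./chaincheck.sh probe lightshare.example:5554
#   ./chaincheck.sh probe ldap.example:636 /etc/ssl/certs/your-ca.pem
case "${1:-}" in
  check) check_bundle "$2" "$3" ;;
  probe) probe_endpoint "$2" "${3:-}" ;;
esac
```

A bundle that passes `check_bundle` against your CA is safe to use as SSLCertificateFile and, through ood-portal-generator, as the Dex certificate; a live probe of the LDAP port without a CA file that ends in anything other than `Verify return code: 0 (ok)` is the condition the connector's `rootCA:` setting exists to cover.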