I updated Open OnDemand to 1.8. The basic LDAP authentication still works fine.
I am changing basic LDAP authentication to ondemand-dex. I have installed ondemand-dex, and modified /etc/ood/config/ood_portal.yml to dex LDAP configurations based on the following documentation.
I got a “This site can’t be reached” error. How can I debug this problem? Where are the logs?
Thanks a lot!
Hi and welcome!
Check the Apache logs at /var/log/httpd24/error.log. There may also be dex logs in that /var/log directory as well.
Is the ondemand-dex service running? You need that running in order to log into Dex with LDAP.
ondemand-dex service is running.
systemctl status ondemand-dex
● ondemand-dex.service - OnDemand Dex - A federated OpenID Connect provider packaged for OnDemand
Loaded: loaded (/usr/lib/systemd/system/ondemand-dex.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-08-25 19:26:25 EDT; 9min ago
Main PID: 3228 (ondemand-dex)
└─3228 /usr/sbin/ondemand-dex serve /etc/ood/dex/config.yaml
/var/log/httpd24/error.log is relevant. Cannot find any dex logs under /var/log.
After the error, I did realize that the web address changed to .crc.pitt.edu:5554/auth?response_type=code&scope=openid%20profile%20email&client_id=
Where does the port 5554 come from?
5554 is the default port for Dex - since it is an OpenID Connect identity provider, it must listen on a separate port from Apache.
Does this port need to be open?
We only open ports 80 and 443. I assume that Open OnDemand will listen to port 443 and use port 5554 internally.
It seems ondemand-dex is using 5554 externally, which is not reachable by default.
Yes, the port used by Dex needs to be accessible externally as when a user logs in they will get redirected to that port to perform authentication on the login page. If you configure with SSL the port is 5554 and non-SSL is 5556.
I’ve opened a documentation pull request to clarify this extra firewall requirement: https://github.com/OSC/ood-documentation/pull/394
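A diagnostic for the situation in this thread, as an added example that is not part of the original posts or of Open OnDemand itself: given the URL the browser was redirected to, the output of `ss -tln`, and the firewalld port and service lists, it reports whether the Dex port is unbound, bound to loopback only, or listening but not allowed. It assumes firewalld is the host firewall; the hostname and sample outputs are constructed, and a site firewall in front of the host is not covered.

```bash
# Port the browser connects to for a URL (443/80 when none is given).
url_port() {
  local scheme="${1%%://*}" hostport="${1#*://}"
  hostport="${hostport%%[/?#]*}"
  case $hostport in
    *:*) echo "${hostport##*:}" ;;
    *)   if [ "$scheme" = https ]; then echo 443; else echo 80; fi ;;
  esac
}

# Read `ss -tln` output on stdin; print external, loopback or none for a port.
listen_scope() {
  awk -v p="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); if (a[n] != p) next
      addr = substr($4, 1, length($4) - length(a[n]) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") { if (s == "") s = "loopback" }
      else s = "external"
    }
    END { print (s == "" ? "none" : s) }'
}

# True if firewalld's port list (or the http/https service) covers the port.
# Port ranges such as 5000-6000/tcp are not handled (assumption: single ports).
fw_allows() {
  local port="$1" ports=" $2 " services=" $3 "
  case $ports in *" $port/tcp "*) return 0 ;; esac
  if [ "$port" = 443 ]; then case $services in *" https "*) return 0 ;; esac; fi
  if [ "$port" = 80 ]; then case $services in *" http "*) return 0 ;; esac; fi
  return 1
}

# Live use: diagnose "$url" "$(ss -tln)" "$(firewall-cmd --list-ports)" \
#                    "$(firewall-cmd --list-services)"
diagnose() {
  local port scope
  port=$(url_port "$1"); scope=$(printf '%s\n' "$2" | listen_scope "$port")
  if [ "$scope" = none ]; then echo "port $port: nothing listening"
  elif [ "$scope" = loopback ]; then echo "port $port: bound to loopback only"
  elif ! fw_allows "$port" "$3" "$4"; then echo "port $port: listening, not allowed by firewalld"
  else echo "port $port: listening and allowed"
  fi
}

# Constructed sample: Dex listening on 5554, firewalld allowing only services.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    [::]:5554          [::]:*'
diagnose 'https://ondemand.example.edu:5554/auth?response_type=code' "$SAMPLE_SS" '' 'http https ssh'
```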