How to configure OnDemand Dex for LDAP

I updated Open OnDemand to 1.8. The basic LDAP authentication still works fine.

I am changing basic LDAP authentication to ondemand-dex. I have installed ondemand-dex and modified /etc/ood/config/ood_portal.yml for the Dex LDAP configuration based on the following documentation.

https://osc.github.io/ood-documentation/latest/authentication/dex.html#authentication-dex

I got a “This site can’t be reached” error. How can I debug this problem? Where are the logs?

Thanks a lot!

Hi and welcome!

Check the apache logs at /var/log/httpd24/error.log. There may also be dex logs in that /var/log directory as well.

Is the ondemand-dex service running? You need that running in order to log into Dex with LDAP.

The ondemand-dex service is running.

systemctl status ondemand-dex
● ondemand-dex.service - OnDemand Dex - A federated OpenID Connect provider packaged for OnDemand
Loaded: loaded (/usr/lib/systemd/system/ondemand-dex.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-08-25 19:26:25 EDT; 9min ago
Main PID: 3228 (ondemand-dex)
CGroup: /system.slice/ondemand-dex.service
└─3228 /usr/sbin/ondemand-dex serve /etc/ood/dex/config.yaml

Nothing in /var/log/httpd24/error.log is relevant. I cannot find any Dex logs under /var/log.

After the error, I did realize that the web address changed to .crc.pitt.edu:5554/auth?response_type=code&scope=openid%20profile%20email&client_id=

Where does the port 5554 come from?

5554 is the default port for Dex - since it is an OpenID Connect identity provider, it must listen on a separate port from Apache.

Does this port need to be open?

We only open port 80 and 443. I assume that open ondemand will listen to port 443 and use port 5554 internally.

It seems ondemand-dex is using 5554 externally, which is not reachable by default.

Yes, the port used by Dex needs to be accessible externally as when a user logs in they will get redirected to that port to perform authentication on the login page. If you configure with SSL the port is 5554 and non-SSL is 5556.
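A small diagnostic for the situation described in this thread, added here as an example (not code from the thread or from the OnDemand project): it parses the Dex redirect URL the browser lands on, infers from the port whether Dex is in SSL (5554) or non-SSL (5556) mode as stated above, and tests whether that host:port accepts TCP connections from where the script runs. The hostname `ood.example.org` is a placeholder.

```python
import socket
from urllib.parse import urlsplit

# Dex listen ports as stated in the thread: 5554 with SSL, 5556 without.
DEX_PORTS = {5554: "ssl", 5556: "plain"}


def parse_dex_redirect(url):
    """Extract host, port and mode from the URL a user is redirected to.

    Returns a dict with host, port, mode ("ssl", "plain" or "unknown") and
    whether the path is the OIDC authorization endpoint (/auth).
    Raises ValueError if the URL carries no explicit port: Dex does not sit
    behind Apache, so a redirect to Dex always names its own port.
    """
    parts = urlsplit(url)
    if parts.port is None:
        raise ValueError("no explicit port in redirect URL: %s" % url)
    return {
        "host": parts.hostname,
        "port": parts.port,
        "mode": DEX_PORTS.get(parts.port, "unknown"),
        "is_auth_endpoint": parts.path.endswith("/auth"),
    }


def tcp_reachable(host, port, timeout=3.0):
    """True if host:port accepts a TCP connection within timeout seconds.

    False while ondemand-dex is active on the server points at a firewall
    (or security group) that only passes 80/443, as in this thread.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(url):
    """Run both checks and attach a short verdict for the administrator."""
    info = parse_dex_redirect(url)
    info["reachable"] = tcp_reachable(info["host"], info["port"])
    if info["reachable"]:
        info["verdict"] = "Dex port %d is open (%s mode)" % (info["port"], info["mode"])
    else:
        info["verdict"] = ("Dex port %d not reachable: allow %d/tcp inbound on "
                           "the OnDemand host" % (info["port"], info["port"]))
    return info


if __name__ == "__main__":
    # Placeholder host; use the URL your browser is redirected to.
    print(diagnose("https://ood.example.org:5554/auth?response_type=code&scope=openid%20profile%20email"))
```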

I’ve opened a documentation pull request to clarify this extra firewall requirement: https://github.com/OSC/ood-documentation/pull/394