I updated Open OnDemand to 1.8. The basic LDAP authentication still works fine.
I am changing basic LDAP authentication to ondemand-dex. I have installed ondemand-dex and modified /etc/ood/config/ood_portal.yml with the Dex LDAP configuration based on the following documentation.
https://osc.github.io/ood-documentation/latest/authentication/dex.html#authentication-dex
I got a “This site can’t be reached” error. How can I debug this problem? Where are the logs?
Thanks a lot!
Hi and welcome!
Check the apache logs at /var/log/httpd24/error.log. There may also be dex logs in that /var/log directory as well.
tdockendorf
(Trey Dockendorf)
August 25, 2020, 8:56pm
3
Is the ondemand-dex service running? You need that running in order to log into Dex with LDAP.
fangpingmu
(Fangpingmu)
August 25, 2020, 11:41pm
4
ondemand-dex service is running.
systemctl status ondemand-dex
● ondemand-dex.service - OnDemand Dex - A federated OpenID Connect provider packaged for OnDemand
Loaded: loaded (/usr/lib/systemd/system/ondemand-dex.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-08-25 19:26:25 EDT; 9min ago
Main PID: 3228 (ondemand-dex)
CGroup: /system.slice/ondemand-dex.service
└─3228 /usr/sbin/ondemand-dex serve /etc/ood/dex/config.yaml
Nothing in /var/log/httpd24/error.log is relevant. Cannot find any dex logs under /var/log.
After the error, I did realize that the web address changed to .crc.pitt.edu:5554/auth?response_type=code&scope=openid%20profile%20email&client_id=
Where does the port 5554 come from?
efranz
(Efranz)
August 26, 2020, 1:30am
5
5554 is the default port for Dex - since it is an OpenID Connect identity provider, it must listen on a separate port from Apache.
Does this port need to be open?
We only open port 80 and 443. I assume that Open OnDemand will listen to port 443 and use port 5554 internally.
It seems ondemand-dex is using 5554 externally, which is not reachable by default.
tdockendorf
(Trey Dockendorf)
August 26, 2020, 11:18am
7
Yes, the port used by Dex needs to be accessible externally as when a user logs in they will get redirected to that port to perform authentication on the login page. If you configure with SSL the port is 5554 and non-SSL is 5556.
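Added example, not part of the original thread or of the OnDemand project: a small Python check for the failure discussed above, where the browser is redirected to the Dex port but the firewall only allows 80 and 443. The hostname, the sample redirect URL and all function names are constructed for illustration; the port numbers 5554 (SSL) and 5556 (non-SSL) are the ones given in the thread.

```python
import socket
import sys
from urllib.parse import urlsplit

# Dex ports as stated in the thread: 5554 with SSL, 5556 without.
DEX_PORT_SSL, DEX_PORT_PLAIN = 5554, 5556

# Constructed sample of the redirect a browser receives at login (hypothetical host).
SAMPLE_REDIRECT = ("https://ondemand.example.org:5554/auth?response_type=code"
                   "&scope=openid%20profile%20email&client_id=ondemand.example.org")

def expected_dex_port(ssl_enabled=True):
    return DEX_PORT_SSL if ssl_enabled else DEX_PORT_PLAIN

def redirect_endpoint(url):
    """Return the (host, port) the browser must reach for this redirect URL."""
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default

def diagnose(url, allowed_ports, ssl_enabled=True):
    """List reasons the login redirect would fail, given the firewall allow list."""
    host, port = redirect_endpoint(url)
    findings = []
    if port != expected_dex_port(ssl_enabled):
        findings.append(f"redirect uses port {port}, expected Dex port "
                        f"{expected_dex_port(ssl_enabled)}")
    if port not in allowed_ports:
        findings.append(f"port {port} on {host} is not in the firewall allow list "
                        f"{sorted(allowed_ports)}")
    return findings

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection succeeds; run this from a client outside the firewall."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_REDIRECT
    for finding in diagnose(url, allowed_ports={80, 443}):
        print("PROBLEM:", finding)
    if len(sys.argv) > 1:  # only probe the network for a URL the operator supplied
        host, port = redirect_endpoint(url)
        print(f"{host}:{port} reachable:", tcp_reachable(host, port))
```

Running `systemctl status ondemand-dex` on the server only shows that the service is up; the reachability probe has to be run from where the users' browsers are.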
tdockendorf
(Trey Dockendorf)
August 26, 2020, 11:37am
8
I’ve opened a documentation pull request to clarify this extra firewall requirement: https://github.com/OSC/ood-documentation/pull/394