Installing Open OnDemand with LDAP for Authentication

Hello,

I am setting up a test instance of Open OnDemand (version 3.1) on Rocky 9.3. I am able to successfully install Open OnDemand by following the provided instructions.

When I access Open OnDemand via the web browser, I see the message " You have successfully installed Open OnDemand.

However, you now have to configurure authentication for this apache instance. See the authentication documentation for all the options available."

I followed the instructions to configure OnDemand Dex for LDAP. However, Open OnDemand does not seem to recognize the authentication module.

I have the following in /etc/ood/config/ood_portal.yml
auth:

  • ‘AuthType Basic’
  • ‘AuthLDAPURL “ldap://:389”’
  • ‘AuthBasicProvider ldap’
  • ‘Require valid-user’
    connectors:
    - type: ldap
    id: ldap
    name: LDAP
    config:
    host: :389
    insecureSkipVerify: false
    bindDN: cn=admin,dc=organization,dc=com
    bindPW:
    userSearch:
    baseDN: ou=people,dc=organization,dc=com
    filter: “(objectClass=posixAccount)”
    username: uid
    idAttr: uid
    emailAttr: mail
    nameAttr: gecos
    preferredUsernameAttr: uid
    groupSearch:
    baseDN: ou=groups,dc=organization,dc=com
    filter: “(objectClass=posixGroup)”
    userMatchers:
    - userAttr: DN
    groupAttr: member
    nameAttr: cn
    frontend:
    theme: ondemand
    dir: /usr/share/ondemand-dex/web

Is the authentication module configured correctly?

Hello! Is this a direct copy-paste from your ood_portal.yml? I’m noticing that there is not a key for dex before connectors and want to sanity check that.

Thank you @hrandquist . Thanks for catching that. I missed that part when I was copying the snippet in two parts. Before ‘connectors:’, I also have

dex:
ssl: false
http_port: “5556”

Another thing I noticed:

host: :389 ← You’re only including the port, not the full host:port, from Authentication Through LDAP | under the Configuration header:

# Host and optional port of the LDAP server in the form “host:port”.
# If the port is not supplied, it will be guessed based on “insecureNoSSL”,
# and “startTLS” flags. 389 for insecure or StartTLS connections, 636
# otherwise.
host: ldap.example.com:636

Thank you @hrandquist. Good catch. I have the LDAP server’s IP address before the port number.

After installing a self-signed SSL certificate, I am now presented with the login screen. However, after entering my user’s username and password, I received the following error: “Login error: failed to connect: LDAP Result Code 200 “Network Error”: EOF”

To troubleshoot the issue, I reduced connectors to:

connectors:
- type: ldap
id: ldap
name: LDAP
config:
host: <LDAP_Server_IP>:389
insecureSkipVerify: true
userSearch:
baseDN: ou=people,dc=ood,dc=org
filter: “(objectClass=posixAccount)”
username: uid
idAttr: uid
preferredUsernameAttr: uid

Am I missing a configuration item? Or does the LDAP server require a SSL certificate?

Thank you

Hi Michael,

These are my working settings for LDAP authentication in my org:

auth:
  - "AuthType Basic"
  - "AuthName 'Some Login Title'"
  - "AuthBasicProvider ldap"
  - "AuthLDAPURL 'ldap://<LDAP-SERVER>:389/OU=SOME_OU,DC=SOME_DC?sAMAccountName'"
  - "AuthLDAPGroupAttribute mailNickname"
  - "AuthLDAPGroupAttributeIsDN on"
  - "AuthLDAPBindDN 'DOMAIN\\AD-USER'"
  - "AuthLDAPBindPassword SOMEPASSWORD"
  - "RequestHeader unset Authorization"
  - "Require valid-user"
1 Like