Installing Open OnDemand with LDAP for Authentication

Hello,

I am setting up a test instance of Open OnDemand (version 3.1) on Rocky 9.3. I am able to successfully install Open OnDemand by following the provided instructions.

When I access Open OnDemand via the web browser, I see the message " You have successfully installed Open OnDemand.

However, you now have to configurure authentication for this apache instance. See the authentication documentation for all the options available."

I followed the instructions to configure OnDemand Dex for LDAP. However, Open OnDemand does not seem to recognize the authentication module.

I have the following in /etc/ood/config/ood_portal.yml
auth:

• ‘AuthType Basic’
• ‘AuthLDAPURL “ldap://:389”’
• ‘AuthBasicProvider ldap’
• ‘Require valid-user’
  connectors:
  - type: ldap
  id: ldap
  name: LDAP
  config:
  host: :389
  insecureSkipVerify: false
  bindDN: cn=admin,dc=organization,dc=com
  bindPW:
  userSearch:
  baseDN: ou=people,dc=organization,dc=com
  filter: “(objectClass=posixAccount)”
  username: uid
  idAttr: uid
  emailAttr: mail
  nameAttr: gecos
  preferredUsernameAttr: uid
  groupSearch:
  baseDN: ou=groups,dc=organization,dc=com
  filter: “(objectClass=posixGroup)”
  userMatchers:
  - userAttr: DN
  groupAttr: member
  nameAttr: cn
  frontend:
  theme: ondemand
  dir: /usr/share/ondemand-dex/web

Is the authentication module configured correctly?

Hello! Is this a direct copy-paste from your ood_portal.yml? I’m noticing that there is not a key for dex before connectors and want to sanity check that.

Thank you @hrandquist . Thanks for catching that. I missed that part when I was copying the snippet in two parts. Before ‘connectors:’, I also have

dex:
ssl: false
http_port: “5556”

Another thing I noticed:

host: :389 ← You’re only including the port, not the full host:port, from Authentication Through LDAP | under the Configuration header:

# Host and optional port of the LDAP server in the form “host:port”.
# If the port is not supplied, it will be guessed based on “insecureNoSSL”,
# and “startTLS” flags. 389 for insecure or StartTLS connections, 636
# otherwise.
host: ldap.example.com:636

Thank you @hrandquist. Good catch. I have the LDAP server’s IP address before the port number.

After installing a self-signed SSL certificate, I am now presented with the login screen. However, after entering my user’s username and password, I received the following error: “Login error: failed to connect: LDAP Result Code 200 “Network Error”: EOF”

To troubleshoot the issue, I reduced connectors to:

connectors:
- type: ldap
id: ldap
name: LDAP
config:
host: <LDAP_Server_IP>:389
insecureSkipVerify: true
userSearch:
baseDN: ou=people,dc=ood,dc=org
filter: “(objectClass=posixAccount)”
username: uid
idAttr: uid
preferredUsernameAttr: uid

Am I missing a configuration item? Or does the LDAP server require a SSL certificate?

Thank you

Hi Michael,

These are my working settings for LDAP authentication in my org:

auth:
  - "AuthType Basic"
  - "AuthName 'Some Login Title'"
  - "AuthBasicProvider ldap"
  - "AuthLDAPURL 'ldap://<LDAP-SERVER>:389/OU=SOME_OU,DC=SOME_DC?sAMAccountName'"
  - "AuthLDAPGroupAttribute mailNickname"
  - "AuthLDAPGroupAttributeIsDN on"
  - "AuthLDAPBindDN 'DOMAIN\\AD-USER'"
  - "AuthLDAPBindPassword SOMEPASSWORD"
  - "RequestHeader unset Authorization"
  - "Require valid-user"

Thank you all! I successfully set up LDAP authentication for my test environment by including insecureNoSSL: true under dex → connectors → config.