Internal Server Error After Fresh Install

:face_palm: - you have a different FQDN than apps.cluster.edu, so it’s probably being set to it.

Seems like you need to set

client_id: 'apps.cluster.edu'

Sorry for the run around!

I tried that but it didn’t work. It’s saying no changes in the config so I assume something else is commented out somewhere.

What does your /etc/ood/dex/config.yaml look like? Does it have the FQDN or the right name?

Also just be sure you’re bouncing ondemand-dex in between changes.

I was not restarting the ondemand-dex service.

Cool, so everything’s working now?

Sadly no. I enabled SSL. The certificates are working. However I’m back to getting the Internal Server Error message. I don’t see any errors in the httpd log files.

If you’re getting a 500, there’s a log somewhere. Be sure to check error.log as well as <hostname>_error.log.

Alright. That provides some insight. It seems like oidc is not running.
oidc_util_http_call: curl_easy_perform() failed on: https://apps.cluster.edu:5554/.well-known/openid-configuration (Failed connect to apps.cluster.edu:5554; Connection refused)

There are 2 ports, one for http and one for https. We should directly just enable https if you’ve configured OOD to do so. As you can tell, the dex configs take a lot from the OOD configs, so if you configure OOD to use SSL then we’ll try to set up Dex for the same.

But yes, it seems that dex is only using the plain text port or it didn’t start up at all. You should be able to see logs from systemctl status ondemand-dex.

Ok. I’ve fixed that issue. Now I just need to get our LDAP authentication working. I tried changing the authentication to use PAM since we have the IPA client installed on this machine for authentication. It seems like it’s still using OIDC.

That either comes from your auth lines in ood_portal.yml OR it’s automatically generated because we found ondemand-dex was installed. So you may have to remove ondemand-dex.

That said - we moved to dex because PAM authentication in Apache is very insecure, so you should be aware of that. Indeed we’re pulling our PAM docs for the same reason. So I would not suggest this route.

Jeff,

Thanks for the info. I’ll use Dex then. For some reason, the connector configuration is not being copied into the Dex configuration file. I’ve regenerated the files and restarted the Dex service but it doesn’t seem to do anything.

update_ood_portal should modify both the dex/config.yml and httpd/ood-portal.conf.

Maybe set some random settings just to verify they get replaced? Be sure you’re sudo as well, otherwise you won’t be able to write files.

Lastly you can remove this file /etc/ood/config/ood_portal.sha256sum to force a re-write.

I tried all of the solutions you requested. Sadly none of them worked. I presume I have a formatting issue. Below is the Dex section of ood_config.yml

# Dex configurations, values inside the "dex" structure are directly used to configure Dex
# If the value for "dex" key is false or null, Dex support is disabled
# Dex support will auto-enable if ondemand-dex package is installed
dex:
  # Default based on if ssl key for ood-portal-generator is defined
#  ssl: true
  # Only used if SSL is disabled
#  http_port: "5556"
  # Only used if SSL is enabled
#  https_port: "5554"
  # tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names
#  tls_cert: null
#  tls_key: null
#  storage_file: /etc/ood/dex/dex.db
#  grpc: null
#  expiry: null
  # Client ID, defaults to servername or FQDN
#  client_id: 'apps.talon.und.edu'
#  client_name: Test OnDemand
  # Client secret, value auto generated
  # A value that is a filesystem path can be used to store secret in a file
#  client_secret: /etc/ood/dex/ondemand.secret
   # The OnDemand redirectURI is auto-generated, this option allows adding additional URIs
#  client_redirect_uris: []
  # Additional Dex OIDC clients to configure
#  static_clients: []
  # The following example is to configure OpenLDAP
  # Docs: https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ldap.cluster.edu:636
        insecureSkipVerify: false
        bindDN:
        bindPW:
        userSearch:
          baseDN: cn=users,cn=accounts,dc=ldap,dc=cluster,dc=edu
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: cn=cluster_users,cn=groups,cn=accounts,dc=ldap,dc=cluster,dc=edu
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
  frontend:
    theme: ondemand
    dir: /usr/share/ondemand-dex/web

Hi! Any updates on this? I am having a very similar problem where I cannot make ondemand work after following the instructions. The comments made here did not help either. I am running this on a centos 7 VM, with LDAP already enabled, and would like to use ldap with dex as well. Here are the YML lines that are set:

---
listen_addr_port: 443
servername: sandstone.sharcnet.ca
port: 443
ssl: 
  - 'SSLCertificateFile "/etc/letsencrypt/live/sandstone.sharcnet.ca/fullchain.pem"'
  - 'SSLCertificateKeyFile "/etc/letsencrypt/live/sandstone.sharcnet.ca/privkey.pem"'
  - 'SSLCertificateChainFile "/etc/letsencrypt/live/sandstone.sharcnet.ca/chain.pem"'
security_strict_transport: true
lua_root: '/opt/ood/mod_ood_proxy/lib'
lua_log_level: 'info'
user_map_match: '.*'
Default: null (use user_map_match)
public_root: '/var/www/ood/public'
oidc_client_id: sandstone.sharcnet.ca
oidc_state_max_number_of_cookies: "10 true"
oidc_cookie_same_site: 'On'
dex:
  ssl: true
  https_port: "5554"
  client_id: sandstone.sharcnet.ca
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ldaps://ga-east.ldap.computecanada.ca
        insecureSkipVerify: false
        bindDN: cn=admin,dc=computecanada,dc=ca
        bindPW: admin
        userSearch:
          baseDN: ou=People,dc=computecanada,dc=ca
          filter: "(&(shadowExpire=-1)(objectClass=posixAccount))"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=Groups,dc=computecanada,dc=ca
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn

After regenerating the conf with update_ood_portal and restarting both httpd24 and ondemand-dex, the httpd24 error log states:

[Mon Mar 07 19:13:20.878159 2022] [auth_openidc:error] [pid 4920] [client 142.113.103.249:34288] oidc_provider_static_config: could not retrieve metadata from url: http://webportal.novalocal:5556/.well-known/openid-configuration

Is my issue similar to that of Brad Traver, or should I open a new thread?

I don’t like this line here. Remove that and these two lines below and see what you come back with. Happy to support in this thread.

  ssl: true
  https_port: "5554"

You can confirm the settings are correct by spot checking your /etc/httpd-httpd24/conf.d/ood-portal.conf file for the URL. Somehow you’re trying to connect to the plain port instead of https.
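Added example, not code from the thread or from the OnDemand project: a stdlib-only Python check that reads the OIDC directives update_ood_portal writes into ood-portal.conf alongside the Dex config, and reports the scheme, port, host and client-id mismatches discussed above (Apache pointing at http on 5556 while Dex serves https on 5554). The file contents are constructed samples embedded inline; the key extraction is a minimal regex scan, not a YAML parser, and assumes the Dex config layout shown (issuer, web.https, staticClients).

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the OIDC directives in ood-portal.conf; the metadata
# URL mirrors the error quoted in the thread (plain http, port 5556).
SAMPLE_PORTAL_CONF = """
OIDCProviderMetadataURL http://webportal.novalocal:5556/.well-known/openid-configuration
OIDCClientID sandstone.sharcnet.ca
OIDCClientSecret REDACTED
"""

# Constructed sample of the Dex side (/etc/ood/dex/config.yaml), HTTPS only.
SAMPLE_DEX_CONF = """
issuer: https://sandstone.sharcnet.ca:5554
web:
  https: 0.0.0.0:5554
  tlsCert: /etc/ood/dex/fullchain.pem
  tlsKey: /etc/ood/dex/privkey.pem
staticClients:
- id: sandstone.sharcnet.ca
  name: OnDemand
"""

# Same Apache config with the metadata URL corrected to match the Dex issuer.
FIXED_PORTAL_CONF = SAMPLE_PORTAL_CONF.replace(
    "http://webportal.novalocal:5556", "https://sandstone.sharcnet.ca:5554")

def apache_directive(conf, name):
    """First argument of an Apache directive, or None if absent."""
    m = re.search(rf"^\s*{name}\s+(\S+)", conf, re.M)
    return m.group(1) if m else None

def yaml_scalar(conf, key, indent=""):
    """Scalar value of a top-level (or 2-space nested) YAML key; regex only."""
    m = re.search(rf"^{indent}{re.escape(key)}:\s*(\S+)", conf, re.M)
    return m.group(1) if m else None

def check_oidc_wiring(portal_conf, dex_conf):
    """Return a list of mismatches between the Apache and Dex halves."""
    problems = []
    meta = apache_directive(portal_conf, "OIDCProviderMetadataURL")
    issuer = yaml_scalar(dex_conf, "issuer")
    if not meta or not issuer:
        return ["missing OIDCProviderMetadataURL or Dex issuer"]
    m, i = urlsplit(meta), urlsplit(issuer)
    if m.scheme != i.scheme:
        problems.append(f"scheme: apache uses {m.scheme}, dex issuer is {i.scheme}")
    if m.port != i.port:
        problems.append(f"port: apache uses {m.port}, dex issuer is {i.port}")
    if m.hostname != i.hostname:
        problems.append(f"host: apache uses {m.hostname}, dex issuer is {i.hostname}")
    listen = yaml_scalar(dex_conf, "https" if i.scheme == "https" else "http", "  ")
    if not listen or not listen.endswith(f":{i.port}"):
        problems.append(f"dex web.{i.scheme} does not listen on port {i.port}")
    client = apache_directive(portal_conf, "OIDCClientID")
    ids = re.findall(r"^- id:\s*(\S+)", dex_conf, re.M)
    if client not in ids:
        problems.append(f"client id {client!r} not among dex staticClients {ids}")
    return problems
```

Run it against the real files by reading them into the two arguments; an empty list means Apache's metadata URL, Dex's issuer and listener, and the client id all agree.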

@brad.traver formatting issue could be likely. Remove all those commented lines to check. Maybe open it in an IDE to see if it collapses the way you’d expect.

These are the output files of update_ood_portal:

/etc/ood/dex/config.yml & /etc/httpd-httpd24/conf.d/ood-portal.conf

Did not help. Exactly the same error in the logs, and it still gives me the Internal Server Error. That being said, /etc/httpd-httpd24/conf.d/ood-portal.conf is not being generated. Might it exist in another folder?

UPDATE: Found it in /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf
ood-portal.conf.txt (5.9 KB)

I do not see anything egregious, do you?

Sorry, 5554 is the correct SSL port. Is ondemand-dex running? Can you curl localhost:5554?

Jeff,

I removed all the commented lines in the dex section and regenerated the files. The dex config file hasn’t changed though.

The curl comes back with Client sent an HTTP request to an HTTPS server.