I installed OnDemand 2.0.31-1.el8.x86_64 and after some struggle I was able to get it to work as discussed at Problem getting started - #3 by davide-q
Strangely enough, that part worked (meaning I got the login page, though I did not try logging in). However, it did so on port 5554 rather than on 8443 as I specified in my config, but I did not care about the mismatch and moved on.
So I included my LDAP configuration as described at OpenID Connect with Dex — Open OnDemand 2.0.20 documentation
Now using port 5554 gives “connection refused” and using 8443 gives “internal server error”. I can see from the logs that when I attempt to connect to 8443 it is trying to internally download the .well-known/openid-configuration and failing. For now my client is Firefox running on the server.
```
[Mon Mar 20 10:26:56.993987 2023] [auth_openidc:error] [pid 3247792:tid 139714036016896] [client 10.10.131.10:31724] oidc_util_http_call: curl_easy_perform() failed on: https://my_url.org:5554/.well-known/openid-configuration (Failed to connect to my_url.org port 5554: Connection refused)
[Mon Mar 20 10:26:56.994046 2023] [auth_openidc:error] [pid 3247792:tid 139714036016896] [client 10.10.131.10:31724] oidc_provider_static_config: could not retrieve metadata from url: https://my_url.org:5554/.well-known/openid-configuration
```
I’ve looked at other similar issues such as
Dex with LDAP giving internal server error (round 2) - #6 by patoddh (the most similar one) and
Internal server error after installing on RHEL8 - #11 by csayre and
Internal Server Error After Fresh Install and
Dex with LDAP giving internal server error
and all point to firewall issues, so I triple-checked that (even though it worked without LDAP, so why that should be an issue is beyond me); here are the results:
```
# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: en1
  sources:
  services: cockpit http https ssh
  ports: 5554/tcp
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# grep 5554 /etc/sysconfig/iptables
-A INPUT -p tcp -m tcp --dport 5554 -j ACCEPT

# grep 5554 /etc/services
sgi-esphttp     5554/tcp                # SGI ESP HTTP
sgi-esphttp     5554/udp                # SGI ESP HTTP
```
If I try to locally wget https://my_url.org:5554/.well-known/openid-configuration I get connection refused (obviously, since Firefox too is running on the server). If I comment out all the LDAP part and restart all the services, I can access both the login page (as I said, oddly on port 5554 rather than 8443) and the
ood_portal.yml is simply:
```yaml
listen_addr_port: 8443
servername: my_url.org
port: 8443
ssl:
  - 'SSLCertificateFile "/etc/pki/tls/certs/localhost-ood.crt"'
  - 'SSLCertificateKeyFile "/etc/pki/tls/private/localhost-ood.key"'
dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: whatever.org:389
        rootCA: /etc/ssl/certs/ca-bundle.crt
        bindDN: <edited>
        bindPW: <edited>
        userSearch:
          baseDN: <edited>
          filter: "<edited>"
        groupSearch:
          baseDN: <edited>
          filter: "<edited>"
```
EDITED: There is no SELinux running
Thanks a lot in advance!
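The error lines above say that Apache's mod_auth_openidc, not the browser, is the client being refused: it fetches the issuer's discovery document from the Dex port (5554 is Dex's default HTTPS port in Open OnDemand, which is why the login page appeared there earlier) before it will serve 8443 at all, so the firewall rules for inbound traffic are not where this fails. The script below is an added example, not code from the post or from the Open OnDemand project: it pulls the issuer URL out of an auth_openidc error line, checks whether anything on the host is listening on that port, and tries the same fetch Apache makes. The service name `ondemand-dex`, the log path `/var/log/httpd/error_log` and the sample log line are assumptions or constructed values, not taken from the post.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post or the OOD project).
# Assumes the mod_auth_openidc error-log format quoted in the post.

# Constructed sample line, modelled on the post's second log entry.
SAMPLE_LOG='[Mon Mar 20 10:26:56.994046 2023] [auth_openidc:error] [pid 3247792:tid 139714036016896] [client 10.10.131.10:31724] oidc_provider_static_config: could not retrieve metadata from url: https://my_url.org:5554/.well-known/openid-configuration'

# First URL in an auth_openidc error line: the issuer metadata endpoint.
oidc_metadata_url_from_log() {
  printf '%s\n' "$1" | grep -o 'https\{0,1\}://[^ )]*' | head -n 1
}

# Port part of a URL, falling back to the scheme default when none is given.
port_from_url() {
  p=$(printf '%s\n' "$1" | sed -n 's#^[a-z]*://[^/:]*:\([0-9][0-9]*\).*#\1#p')
  if [ -n "$p" ]; then
    printf '%s\n' "$p"
  elif printf '%s' "$1" | grep -q '^https://'; then
    echo 443
  else
    echo 80
  fi
}

# Portal (Apache) port from an ood_portal.yml read on stdin. This is the
# port users hit; the issuer URL in the log points at Dex, a separate listener.
portal_port_from_yaml() {
  sed -n -e 's/^listen_addr_port:[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
         -e 's/^port:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# True when some process on this host is listening on the given TCP port.
port_is_listening() {
  ss -ltn 2>/dev/null | awk -v p=":$1\$" '$4 ~ p { found = 1 } END { exit !found }'
}

# The fetch mod_auth_openidc performs; -k because the post uses a
# self-signed localhost certificate.
fetch_discovery() {
  curl -sSk --max-time 5 "$1"
}

# Live checks for one metadata URL. Returns 0 only if the discovery
# document could be fetched.
diagnose_issuer() {
  url=$1
  port=$(port_from_url "$url")
  if port_is_listening "$port"; then
    echo "port $port: a local process is listening"
  else
    # Assumed service name for the OOD-packaged Dex; adjust if yours differs.
    echo "port $port: nothing listening on this host; check: systemctl status ondemand-dex"
  fi
  if fetch_discovery "$url" >/dev/null; then
    echo "discovery document reachable at $url"
  else
    echo "discovery fetch failed at $url (the same failure Apache logs)"
    return 1
  fi
}

# Offline part of the walk-through, run on the constructed sample line.
URL=$(oidc_metadata_url_from_log "$SAMPLE_LOG")
echo "issuer metadata URL from log: $URL (port $(port_from_url "$URL"))"

# Live checks only when a real log line is passed as the first argument, e.g.
#   sh diagnose_oidc.sh "$(grep -m1 'could not retrieve metadata' /var/log/httpd/error_log)"
if [ -n "${1:-}" ]; then
  diagnose_issuer "$(oidc_metadata_url_from_log "$1")" || exit 1
fi
```

Run with no arguments it only parses the constructed line; pass the real error-log line to get the listener and fetch checks. If nothing is listening on the port the URL names, the problem is the Dex process (not started, crashed on the LDAP config, or bound to a different port), and its own log or `journalctl -u ondemand-dex` is the next place to look.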