Internal server error with LDAP

I installed OnDemand 2.0.31-1.el8.x86_64 and after some struggle I was able to get it to work as discussed at Problem getting started - #3 by davide-q
Strangely enough, that part worked (meaning I got the login page, but I did not try logging in). However, it did so on port 5554 rather than the 8443 I specified in my config, but I did not care about the mismatch and moved on.

So I included my LDAP configuration as described at OpenID Connect with Dex — Open OnDemand 2.0.20 documentation

Now using port 5554 is “connection refused” and using 8443 is “internal server error”. I can see from the logs that when I attempt to connect to 8443 it is trying to internally download the .well-known/openid-configuration and failing. For now my client is firefox running on the server.

[Mon Mar 20 10:26:56.993987 2023] [auth_openidc:error] [pid 3247792:tid 139714036016896] [client 10.10.131.10:31724] oidc_util_http_call: curl_easy_perform() failed on: https://my_url.org:5554/.well-known/openid-configuration (Failed to connect to my_url.org port 5554: Connection refused)
[Mon Mar 20 10:26:56.994046 2023] [auth_openidc:error] [pid 3247792:tid 139714036016896] [client 10.10.131.10:31724] oidc_provider_static_config: could not retrieve metadata from url: https://my_url.org:5554/.well-known/openid-configuration

I’ve looked at other similar issues such as
Dex with LDAP giving internal server error (round 2) - #6 by patoddh (the most similar one) and
Internal server error after installing on RHEL8 - #11 by csayre and
Internal Server Error After Fresh Install and
Dex with LDAP giving internal server error
and all point to firewall issues, so I triple checked that (even though it worked without LDAP, so why that should be an issue is beyond me) and here are the results

# firewall-cmd --list-all  --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: en1
  sources:
  services: cockpit http https ssh
  ports: 5554/tcp
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# grep 5554 /etc/sysconfig/iptables
-A INPUT -p tcp -m tcp --dport 5554 -j ACCEPT

# grep 5554 /etc/services
sgi-esphttp     5554/tcp                # SGI ESP HTTP
sgi-esphttp     5554/udp                # SGI ESP HTTP

If I try to locally wget the https://my_url.org:5554/.well-known/openid-configuration I get connection refused (obviously, since firefox too is running on the server). If I comment out the whole LDAP part and restart all the services, I can access both the login page (as I said, oddly on port 5554 rather than 8443) and the https://my_url.org:5554/.well-known/openid-configuration

My ood_portal.yml is simply

listen_addr_port: 8443
servername: my_url.org
port: 8443
ssl:
 - 'SSLCertificateFile "/etc/pki/tls/certs/localhost-ood.crt"'
 - 'SSLCertificateKeyFile "/etc/pki/tls/private/localhost-ood.key"'
dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: whatever.org:389
        rootCA: /etc/ssl/certs/ca-bundle.crt
        bindDN: <edited>
        bindPW: <edited>
        userSearch:
          baseDN: <edited>
          filter: "<edited>"
        groupSearch:
          baseDN: <edited>
          filter: "<edited>"

EDITED: There is no SELinux running

Thanks a lot in advance!

Hi Davide.

Thanks for your post. Sorry for the late response. I have an instance of ondemand running with ldap authentication. I’ll take a look tomorrow morning and see what I can find for you.

Thanks,
-gerald


Hi Davide.

May I see the <VirtualHost *:> in /etc/httpd/conf.d/ood-portal.conf please?

Mine begins as so.

Listen 9080


# The Open OnDemand portal VirtualHost
#
<VirtualHost *:9080>
  ServerName ood

  ErrorLog  "logs/ood_error.log"
  CustomLog "logs/ood_access.log" combined

Hi Gerald,

That file is autogenerated by /opt/ood/ood-portal-generator/sbin/update_ood_portal from the /etc/ood/config/ood_portal.yml source which I posted above. In fact the latter does not have any VirtualHost section.

~ $ grep -i virtual /etc/ood/config/ood_portal.yml
# The server name used for name-based Virtual Host
# Default: null (don't use name-based Virtual Host)
# The port specification for the Virtual Host

I have not changed the /etc/httpd/conf.d/ood-portal.conf from its autogenerated status. Anyway, I am sending you the file separately, perhaps the parts that I’ve edited following the security policies of my place matter for this problem.

Thanks a lot for your assistance and understanding!

Thanks Davide.

I will try to spend some time today. I have a packed plate today, but will try to find some time. If not, I will look some more tomorrow.

Thanks,
-gerald


Did you have a chance to take a look at this? TIA!

What happens when you add the following to the ood_portal.yml file and restart:

dex:
…
  https_port: "5554"
…

Thanks @travert for the suggestion. I’d be shocked if there was any change, since that line is already present (commented out) as the default, but I tried.

Running update_ood_portal reported

No change in Apache config.
No change in the Dex config.
Completed successfully!

but restarting httpd and dex anyway and trying to access the system resulted in the same identical error.

Thanks!

Alright, so I’ve been able to figure this out.

The systemctl status reported Failed to login user: failed to connect: LDAP Result Code 200 \"Network Error\": Connection reset by peer

After changing various things in the LDAP configuration under guidance from
https://dexidp.io/docs/connectors/ldap/#example-mapping-a-schema-to-a-search-config

I am now able to authenticate in LDAP, as confirmed by the systemctl status logs; however, /var/log/httpd/URL_error_ssl.log indicates a different problem. Since that is not an “Internal server error” I will open a separate thread about it if I remain stuck.
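As an added triage helper (not from this thread or from the Open OnDemand project), the script below takes a minimal copy of the ood_portal.yml settings plus the two kinds of log lines quoted earlier, computes the discovery URL Apache's mod_auth_openidc will request, and names the most likely cause of the "Internal Server Error". The 5554 default and the sample log lines come from the thread; the config dict, regexes and function names are assumptions of mine.

```python
import re

# Constructed sample: the keys of the thread's ood_portal.yml that matter here.
# Open OnDemand defaults the Dex HTTPS port to 5554 when dex.https_port is unset.
DEX_DEFAULT_HTTPS_PORT = 5554
OOD_PORTAL = {"servername": "my_url.org", "port": 8443, "dex": {"https_port": None}}

# Constructed log samples modelled on the lines quoted in the thread.
HTTPD_LOG = """\
[Mon Mar 20 10:26:56.993987 2023] [auth_openidc:error] [pid 3247792:tid 139714036016896] [client 10.10.131.10:31724] oidc_util_http_call: curl_easy_perform() failed on: https://my_url.org:5554/.well-known/openid-configuration (Failed to connect to my_url.org port 5554: Connection refused)
[Mon Mar 20 10:26:56.994046 2023] [auth_openidc:error] [pid 3247792:tid 139714036016896] [client 10.10.131.10:31724] oidc_provider_static_config: could not retrieve metadata from url: https://my_url.org:5554/.well-known/openid-configuration
"""
DEX_LOG = 'Failed to login user: failed to connect: LDAP Result Code 200 "Network Error": Connection reset by peer'

METADATA_RE = re.compile(r"could not retrieve metadata from url: (\S+)")
CURL_RE = re.compile(r"curl_easy_perform\(\) failed on: (\S+) \((.*)\)")
LDAP_RE = re.compile(r"LDAP Result Code (\d+) \"([^\"]*)\"")


def expected_discovery_url(cfg: dict) -> str:
    """Discovery URL Apache fetches: Dex's issuer is https://<servername>:<dex https_port>."""
    port = (cfg.get("dex") or {}).get("https_port") or DEX_DEFAULT_HTTPS_PORT
    return f"https://{cfg['servername']}:{int(port)}/.well-known/openid-configuration"


def triage(httpd_log: str, dex_log: str, cfg: dict) -> dict:
    """Map the Apache error log and the Dex service log to one likely cause."""
    want = expected_discovery_url(cfg)
    out = {"expected_url": want, "failing_url": None, "curl_error": None,
           "ldap_error": None, "diagnosis": "unknown"}
    for line in httpd_log.splitlines():
        if m := METADATA_RE.search(line):
            out["failing_url"] = m.group(1)
        if m := CURL_RE.search(line):
            out["curl_error"] = m.group(2)
    if m := LDAP_RE.search(dex_log):
        out["ldap_error"] = f"{m.group(1)} {m.group(2)}"
    if out["failing_url"] and out["failing_url"] != want:
        out["diagnosis"] = "url-mismatch"        # Apache and the config disagree on the Dex port
    elif out["ldap_error"]:
        out["diagnosis"] = "dex-ldap-error"      # Dex itself cannot reach LDAP: fix the connector first
    elif out["curl_error"] and "Connection refused" in out["curl_error"]:
        out["diagnosis"] = "dex-not-listening"   # nothing accepts on the Dex port: check the Dex service
    return out
```

Run it against the real files by reading /var/log/httpd error output and the Dex service journal into the two log arguments.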
