Latest ondemand-dex (2.36.0-1.el7.x86_64) might break LDAP authentication

Hi all,
During a deployment of a new version for an app in our development OOD instance, authentication stopped working. After reviewing the Ansible log I noticed that the ondemand-dex package was updated, and after that authentication fails with:

Internal Server Error
Login error: failed to connect: LDAP Result Code 200 "Network Error": tls: server selected unsupported protocol version 301

If I downgrade the version to the previous ondemand-dex authentication works again.

The version that no longer works is ondemand-dex-2.36.0-1.el7.x86_64 and the previous working version we have is ondemand-dex-2.32.0-1.el7.x86_64.

For now I just rolled back the version and will look at it again next week, but wanted to mention this here just in case it can help someone or somehow a bug or breaking change got by in the new release.

PS: For now I have also modified the code in the ansible role and will send a PR next week for the problematic line:

Best regards,
Iñaki

Some update on this:

We are using a rather old LDAP server that has not enabled TLSv1.2 and is for now only using TLSv1.0. This was fine on the old ondemand-dex-2.32.0 package that used Go 1.17.10; however, the new ondemand-dex-2.36.0 uses Go 1.19.2, and starting with 1.18 TLSv1.0 and TLSv1.1 are disabled by default.

This is mostly on us for running a very old LDAP setup in dire need of an update, but maybe it would be good to add a note in the changelog for ondemand-dex to mention this deprecation?

@jeff.ohrstrom would it be an issue to stay (for now) on 2.32.0 for ondemand-dex even if we update to the v3 branch of OnDemand? So far it is working in the devel instance so I’m guessing yes, but as we have not yet migrated to v3 in production I'd rather ask.

Thanks!

I suspect it’s OK because it’s sort of out of bounds update from OnDemand. And besides it’s still going to conform to OIDC standards, so the real question is of compatibility between your mod_auth_oidc (the apache OIDC plugin) and dex, which I assume will be just fine.
