Hello,
I’m trying to install OOD on Rocky Linux 9.4 but am having issues getting the dex authentication plugin to work with LDAP. I do see the login page when connecting via a browser (with https enabled) but get this error immediately after I click the “Log in to Open OnDemand” button:
Internal Server Error
Login error: failed to connect: LDAP Result Code 200 “Network Error”: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
Here are the packages that were installed from the ondemand repository:
ondemand-release-web-4.0-1.el9.noarch
ondemand-runtime-4.0.3-1.el9.x86_64
ondemand-nodejs-4.0.3-1.el9.x86_64
ondemand-ruby-4.0.3-1.el9.x86_64
ondemand-passenger-6.0.23-1.ood4.0.3.el9.x86_64
ondemand-nginx-1.26.1-1.p6.0.23.ood4.0.3.el9.x86_64
ondemand-apache-4.0.3-1.el9.x86_64
ondemand-gems-4.0.0-1-4.0.0-1.el9.x86_64
ondemand-dex-2.41.1-1.el9.x86_64
ondemand-4.0.0-1.el9.x86_64
Here is my /etc/ood/config/ood_portal.yml (removed commented lines for better readability and replaced our institution domain with mydomain for confidentiality):
---
listen_addr_port: 443
servername: ondemand.mydomain.fr
port: 443
ssl:
  - 'SSLCertificateFile "/etc/ssl/certs/star.mydomain.fr.crt"'
  - 'SSLCertificateKeyFile "/etc/ssl/certs/star.mydomain.fr.key"'
errorlog: 'error.log'
accesslog: 'access.log'
maintenance_ip_allowlist:
  - 172.27.6.5
dex:
  ssl: true
  http_port: "5556"
  https_port: "5554"
  tls_cert: /etc/ssl/certs/star.mydomain.fr.crt
  tls_key: /etc/ssl/certs/star.mydomain.fr.key
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: directory.rpbs.local:636
        insecureSkipVerify: false
        rootCA: /etc/openldap/certs/ca_server.pem
        bindDN: cn=admin,dc=rpbs,dc=local
        bindPW: somepassword
        userSearch:
          baseDN: ou=people,dc=rpbs,dc=local
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: cn
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=groups,dc=rpbs,dc=local
          filter: "(objectClass=groupOfNames)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
I tried playing with the dex parameters by adding https_port, tls_cert, tls_key and rootCA even though it seemed unnecessary, but the ondemand-dex service is not serving on port 5554. Here is the resulting /etc/ood/dex/config.yaml file (the /opt/ood/ood-portal-generator/sbin/update_ood_portal command was launched multiple times):
issuer: https://ondemand.mydomain.fr/dex
storage:
  type: sqlite3
  config:
    file: "/etc/ood/dex/dex.db"
web:
  http: localhost:5556
  tlsCert: "/etc/ssl/certs/star.mydomain.fr.crt"
  tlsKey: "/etc/ssl/certs/star.mydomain.fr.key"
telemetry:
  http: 0.0.0.0:5558
staticClients:
  - id: ondemand.mydomain.fr
    redirectURIs:
      - https://ondemand.mydomain.fr/oidc
    name: OnDemand
    secret: 331703c4-91c2-49fd-9dbf-4b6c5f2f5a0c
connectors:
  - type: ldap
    id: ldap
    name: LDAP
    config:
      host: directory.rpbs.local:636
      insecureSkipVerify: false
      rootCA: "/etc/openldap/certs/ca_server.pem"
      bindDN: cn=admin,dc=rpbs,dc=local
      bindPW: somepassword
      userSearch:
        baseDN: ou=people,dc=rpbs,dc=local
        filter: "(objectClass=posixAccount)"
        username: uid
        idAttr: uid
        emailAttr: mail
        nameAttr: cn
        preferredUsernameAttr: uid
      groupSearch:
        baseDN: ou=groups,dc=rpbs,dc=local
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn
oauth2:
  skipApprovalScreen: true
enablePasswordDB: false
frontend:
  dir: "/usr/share/ondemand-dex/web"
  theme: ondemand
On a side note, the OOD apache server is running behind a reverse proxy. I am not having issues authenticating to our LDAP server with other web services like owncloud, so I don’t really understand what this certificate issue is about. Is it related to mydomain.fr or rpbs.local?
Any help would be greatly appreciated.