Need help with DEX authentication on Linux

Hi - I’m trying to configure OOD for Ubuntu and DEX authentication. I installed OOD with apache, and going to the web page says that I need to configure authentication. So I installed ondemand-dex and created /etc/ood/config/ood_portal.yml and entered the lines below into that file. I got the ondemand-dex server running without errors, restarted apache, but the OOD web page still says I need to configure authentication. Is there some other magic I need to do? Thanks. - Mark

dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: psfcdc1.psfc.mit.edu:636
        insecureSkipVerify: false
        bindDN: sAMAccountName=apache,OU=PSFC Users,dc=psfc,dc=mit,dc=edu
        bindPW: xxxx
        userSearch:
          baseDN: OU=PSFC Users,dc=psfc,dc=mit,dc=edu
          filter: "(objectClass=person)"
          username: sAMAccountName
          idAttr: sAMAccountName
          emailAttr: mail
          nameAttr: name
          preferredUsernameAttr: sAMAccountName
        groupSearch:
          baseDN: OU=Groups,dc=psfc,dc=mit,dc=edu
          filter: "(objectClass=group)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn

Please ignore this question!

Hi, how did you get this working? I am facing the same issue, after adding config similar to yours below and running:
sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
sudo systemctl restart apache2.service
sudo systemctl restart apache-htcacheclean.service
sudo systemctl restart ondemand-dex.service

it does not actually update the /etc/apache2/conf-enabled/ood-portal.conf file. Logs only show user … not found: /pun/sys/dashboard and it is still using the .htpasswd file in /etc/apache

Hey @arnoldas500 sorry to hear you’re still having issues with the ubuntu setup.

Did you use the ansible role to set this up? I recall previously you had used the PXE boot from deepops but wasn’t sure if you went another route now.

Hi @travert I ended up deleting everything deepops setup and installing ood from scratch using the new .deb files.

Right now, to try and get ldap to work I have tried a few different things but nothing seems to work:
enable ldap logs in /etc/apache2/apache2.conf (no ldap logs other than user … not found: /pun/sys/dashboard)
Loglevel debug ldap_module:debug
Loglevel debug authnz_ldap_module:debug

working ldapsearch for People groups and specific test user:
ldapsearch -x -H ldap://169.226.68.133 -b "ou=Groups,dc=xcitedb,dc=ASRC,dc=ALBANY,dc=EDU"
ldapsearch -x -H ldap://169.226.68.133 -b "ou=People,dc=xcitedb,dc=ASRC,dc=ALBANY,dc=EDU"
ldapsearch -x -H ldap://169.226.68.133 -b "dc=xcitedb,dc=ASRC,dc=ALBANY,dc=EDU" "(uid=xcite)" | less

auth: in /etc/ood/config/ood_portal.yml (commented out lines are what I have tried)

auth:
  - 'AuthType Basic'
  - 'AuthName "test"'
  - 'AuthBasicProvider ldap'
  - 'AuthLDAPUrl "ldap://xcitedb.asrc.albany.edu:389/OU=People,DC=xcitedb,DC=ASRC,DC=ALBANY,DC=EDU?sAMAccountName"'
#  - 'AuthLDAPURL "ldap://xcitedb.asrc.albany.edu:389/OU=People,DC=xcitedb,DC=ASRC,DC=ALBANY,DC=EDU?uid"'
#  - 'AuthLDAPGroupAttribute cn'
#  - 'AuthLDAPGroupAttributeIsDN on'
  - 'Require valid-user'
#  - 'AuthLDAPBindDN "dc=xcitedb,dc=asrc,dc=albany,dc=edu"'
  - 'AuthLDAPBindDN "cn=admin,ou=People,dc=xcitedb,dc=asrc,dc=albany,dc=edu"'
  - 'AuthLDAPBindPassword "****"'

original dex config I tried in /etc/ood/config/ood_portal.yml (commented out right now while testing above)

#dex:
#  connectors:
#    - type: ldap
#      id: ldap
#      name: LDAP
#      config:
#        host: 169.226.68.133
#        insecureSkipVerify: true
#        bindDN: cn=admin,dc=xcitedb,dc=asrc,dc=albany,dc=edu
#        bindPW: *****
#        userSearch:
#          baseDN: ou=People,dc=xcitedb,dc=asrc,dc=albany,dc=edu
#          filter: "(objectClass=posixAccount)"
#          username: uid
#          idAttr: uid
#          emailAttr: mail
#          nameAttr: gecos
#          preferredUsernameAttr: uid
#        groupSearch:
#          baseDN: ou=Groups,dc=xcitedb,dc=asrc,dc=albany,dc=edu
#          filter: "(objectClass=posixGroup)"
#          userMatchers:
#            - userAttr: DN
#              groupAttr: member
#          nameAttr: cn
#  frontend:
#    theme: ondemand
#    dir: /usr/share/ondemand-dex/web

Not sure what to try next or what logs to look at

One thing that jumps out as I read this is the host: 169.226.68.133 has no port associated with it.

Let’s first append the port needed on that ip address, and see if that gets us a step further.

I have tried both with the port 389 and without, and I also tried the ip address and hostname.

One thing I'd like to mention is that I am not positive my login page is updating. When I put - 'AuthName "test"' I still see the original "Your login information will be sent securely".
Image below

Make sure the port is used, and I’d be sure to use the fully qualified name and not just the hostname as well.
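As an added check (not part of this thread, of Open OnDemand, or of Dex), here is a small Python validator for the `dex:` block of ood_portal.yml that flags the points raised above: a host with no port, a bare IP or short hostname instead of a fully qualified name, `insecureSkipVerify: true`, stray or typographic quotes in DNs and filters (the kind that appear when YAML is pasted through a word processor), and missing `userSearch`/`groupSearch` keys, which usually means the indentation collapsed. The connector field names are the ones used in the configs above; the two sample configs at the bottom are constructed and use documentation addresses, not real sites. Feed it the dict returned by `yaml.safe_load()` of the `dex:` mapping.

```python
"""Sanity-check the Dex LDAP connector block from ood_portal.yml.
Added example, not part of Open OnDemand or Dex; the field names are
those used in the thread and the sample configs below are constructed."""
import ipaddress

# Keys a usable search section needs (assumption: the minimum set the
# thread's configs rely on, not the full Dex schema).
USER_KEYS = ("baseDN", "filter", "username", "idAttr")
GROUP_KEYS = ("baseDN", "filter", "userMatchers")
SMART_QUOTES = "\u201c\u201d\u2018\u2019"


def _check_host(path, host, findings):
    """host must be name:port; a bare IP or short name will not match the
    server certificate once insecureSkipVerify is false."""
    name, _, port = host.rpartition(":")
    if not name or not port.isdigit():
        findings.append(f"{path}.host: {host!r} has no port (389 for LDAP, 636 for LDAPS)")
        name = host
    try:
        ipaddress.ip_address(name)
    except ValueError:
        if "." not in name:
            findings.append(f"{path}.host: {name!r} is not a fully qualified name")
    else:
        findings.append(f"{path}.host: {name!r} is a bare IP address; use the FQDN")


def _check_strings(path, value, findings):
    """Recursively flag typographic quotes and stray double quotes in
    string values (bindPW is skipped: a password may legitimately contain them)."""
    if isinstance(value, dict):
        for key, sub in value.items():
            if key != "bindPW":
                _check_strings(f"{path}.{key}", sub, findings)
    elif isinstance(value, list):
        for i, sub in enumerate(value):
            _check_strings(f"{path}[{i}]", sub, findings)
    elif isinstance(value, str):
        if any(ch in value for ch in SMART_QUOTES):
            findings.append(f"{path}: contains typographic quotes: {value!r}")
        elif '"' in value:
            findings.append(f"{path}: contains a stray double quote: {value!r}")


def _check_ldap_config(path, cfg, findings):
    if "host" not in cfg:
        findings.append(f"{path}.host: missing")
    else:
        _check_host(path, str(cfg["host"]), findings)
    if cfg.get("insecureSkipVerify") is True:
        findings.append(f"{path}.insecureSkipVerify: true disables TLS certificate checks")
    for section, keys in (("userSearch", USER_KEYS), ("groupSearch", GROUP_KEYS)):
        sub = cfg.get(section)
        if not isinstance(sub, dict):
            findings.append(f"{path}.{section}: missing or not a mapping (check indentation)")
            continue
        for key in keys:
            if key not in sub:
                findings.append(f"{path}.{section}.{key}: missing")
        flt = sub.get("filter")
        if isinstance(flt, str) and not (flt.startswith("(") and flt.endswith(")")):
            findings.append(f"{path}.{section}.filter: {flt!r} is not a parenthesised LDAP filter")
    _check_strings(path, cfg, findings)


def check_dex(dex_cfg):
    """Return a list of findings; an empty list means the block looks usable."""
    findings = []
    connectors = dex_cfg.get("connectors")
    if not isinstance(connectors, list) or not connectors:
        return ["dex.connectors: must be a non-empty list (each item starts with '- type:')"]
    for i, conn in enumerate(connectors):
        path = f"dex.connectors[{i}]"
        for key in ("type", "id", "name", "config"):
            if key not in conn:
                findings.append(f"{path}.{key}: missing")
        if conn.get("type") == "ldap" and isinstance(conn.get("config"), dict):
            _check_ldap_config(f"{path}.config", conn["config"], findings)
    return findings


# Constructed sample: the shape of the failing config in the thread
# (bare IP, no port, TLS verification off, stray quote in a baseDN).
WEAK = {"connectors": [{"type": "ldap", "id": "ldap", "name": "LDAP", "config": {
    "host": "192.0.2.10", "insecureSkipVerify": True,
    "bindDN": "cn=admin,dc=example,dc=org", "bindPW": "placeholder",
    "userSearch": {"baseDN": "ou=People,dc=example,dc=org", "filter": "(objectClass=posixAccount)",
                   "username": "uid", "idAttr": "uid", "emailAttr": "mail", "nameAttr": "gecos"},
    "groupSearch": {"baseDN": 'ou=Groups,dc=example,dc=org"', "filter": "(objectClass=posixGroup)",
                    "userMatchers": [{"userAttr": "DN", "groupAttr": "member"}], "nameAttr": "cn"}}}]}

# Constructed sample: the same connector with the issues corrected.
FIXED = {"connectors": [{"type": "ldap", "id": "ldap", "name": "LDAP", "config": {
    "host": "ldap.example.org:636", "insecureSkipVerify": False,
    "bindDN": "cn=admin,dc=example,dc=org", "bindPW": "placeholder",
    "userSearch": {"baseDN": "ou=People,dc=example,dc=org", "filter": "(objectClass=posixAccount)",
                   "username": "uid", "idAttr": "uid", "emailAttr": "mail", "nameAttr": "gecos"},
    "groupSearch": {"baseDN": "ou=Groups,dc=example,dc=org", "filter": "(objectClass=posixGroup)",
                    "userMatchers": [{"userAttr": "DN", "groupAttr": "member"}], "nameAttr": "cn"}}}]}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, check_dex(cfg) or "no findings")
```

Running it on the weak sample reports four findings (no port, bare IP, insecureSkipVerify, stray quote) and none on the fixed one; the check reads a parsed dict, so a config whose indentation has collapsed shows up as a missing `userSearch` or `groupSearch` mapping rather than silently passing.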

I think it may be best for us to open a discourse just for this build, and work there. It sounds like you are building from source since you used the .deb files and that can lead to some things not working quite right if anything is missed.

Would you be ok opening a new issue to walk through your issues there? If need be, we can even schedule a call to walk through this and get things working.

I moved all the ood files from sites-enabled and conf-enabled and made a dummy ldap auth page to test my ldap server, and it worked without issues:

<Location "/">
    AuthName "Apache2 LDAP Check"
    AuthType Basic
    AuthBasicProvider ldap
    LDAPReferrals Off
    AuthLDAPUrl ldap://169.226.68.133:389/OU=People,DC=xcitedb,DC=ASRC,DC=ALBANY,DC=EDU?uid?sub?(objectClass=*)
    Require ldap-filter objectClass=posixAccount
    AuthLDAPBindDN "cn=admin,dc=xcitedb,dc=asrc,dc=albany,dc=edu"
    AuthLDAPBindPassword "****"
    #Require ldap-group cn=admin,ou=People,dc=xcitedb,dc=asrc,dc=albany,dc=edu
    # there can be more than one ldap-group required
    #Require ldap-group
</Location>

After moving the ood files back it is not working again. I'd like to have the /etc/apache2 conf-enabled and sites-enabled files recreated. Is there any way to do that? After updating /etc/ood/config/ood_portal.yml and running /opt/ood/ood-portal-generator/sbin/update_ood_portal it seems to only be updating sites-enabled but not the conf-enabled files.

I can also open another issue if needed and a call might be the best option.