s.park
(s.park)
July 22, 2025, 10:27am
1
Hello,
I got an error when I tried to log in to Open OnDemand.
From the ondemand-dex.service, I found this.
ondemand-dex[56084]: time=2025-07-21T10:51:49.631+02:00 level=INFO msg="login successful" connector_id=ldap username="*******" preferred_username=********** email=**********@xxxxxxx groups=[] request_id=063cd930-61ec-48cc-b16a-95c57397e0af
ondemand-dex[56084]: time=2025-07-21T10:51:49.686+02:00 level=ERROR msg="failed to marshal offline session ID" err="string field contains invalid UTF-8" request_id=9cfbfe3c-9bfc-4123-ab07-1835a7657fc2
ondemand-dex[56084]: time=2025-07-21T10:51:49.686+02:00 level=ERROR msg="failed to create new access token" err="failed to marshal offline session ID: string field contains invalid UTF-8" request_id=9cfbfe3c-9bfc-4123-ab07-1835a7657fc2
Does anyone have the same issue as me?
I’m stuck on this issue now. Not advancing…
PARK
Hi and welcome!
I’ve never seen that before. Can you share your configuration? Please obfuscate anything that’s sensitive.
All I found online was this, which seems to suggest it’s an issue with the LDAP query.
Hi, we are trying to use DEX as AD Auth for ArgoCD, and we keep getting the following error message: time="2023-09-28T06:54:01Z" level=error msg="failed to marshal offline session ID: string field ...
s.park
(s.park)
July 22, 2025, 1:52pm
3
Thank you for your help. Here is my config.yml for dex, /etc/ood/dex/config.yml
```yaml
---
issuer: https://ood01.my-site.com:5554
storage:
  type: sqlite3
  config:
    file: "/etc/ood/dex/dex.db"
web:
  http: 0.0.0.0:5556
  https: 0.0.0.0:5554
  tlsCert: "/etc/ood/dex/bundle.pem"
  tlsKey: "/etc/ood/dex/wildcard.key"
telemetry:
  http: 0.0.0.0:5558
staticClients:
- id: ood01.my-site.com
  redirectURIs:
  - https://ood01.my-site.com/oidc
  name: OnDemand
  secret: secret
connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: ldap01.my-site.com
    insecureSkipVerify: true
    bindDN: CN=svc_bind_linux,OU=users-generiques,DC=my-site,DC=com
    bindPW: password
    userSearch:
      baseDN: DC=my-site,DC=com
      filter: "(objectClass=user)"
      username: sAMAccountName
      idAttr: objectGUID
      emailAttr: mail
      nameAttr: displayName
      preferredUsernameAttr: sAMAccountName
    groupSearch:
      baseDN: DC=my-site,DC=com
      filter: "(objectClass=group)"
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
oauth2:
  skipApprovalScreen: true
enablePasswordDB: false
frontend:
  dir: "/usr/share/ondemand-dex/web"
  theme: ondemand
```
As you suggested, I followed the link.
I switched the idAttr parameter from objectGUID to sAMAccountName, but it failed with this message.
Error -- sudo: PAM account management error: Permission denied
sudo: unable to open audit system: Permission denied
sudo: a password is required
Thank you again.
PARK
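Why `idAttr: objectGUID` produces the "string field contains invalid UTF-8" error while `sAMAccountName` does not, as an added example that is not part of the thread and not Dex's own code. It assumes, from the error text, that the `idAttr` value ends up in a protobuf string field; the entry, the `jdoe` account and the function names `checkIDAttr` and `usableIDAttrs` are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"unicode/utf8"
)

// Constructed sample of one AD user entry as raw LDAP attribute values.
// objectGUID is a 16-byte binary value; the other attributes are text.
var sampleEntry = map[string][]byte{
	"objectGUID": {0x9f, 0x3a, 0xc4, 0x11, 0x7e, 0xb2, 0x4d, 0x48,
		0xa1, 0x06, 0xd9, 0x5c, 0x20, 0xee, 0x73, 0x80},
	"sAMAccountName": []byte("jdoe"),
	"mail":           []byte("jdoe@example.org"),
}

// checkIDAttr applies the same UTF-8 validity rule that protobuf enforces on
// string fields: a value that fails it cannot be carried as a user ID.
func checkIDAttr(entry map[string][]byte, attr string) error {
	raw, ok := entry[attr]
	switch {
	case !ok || len(raw) == 0:
		return fmt.Errorf("%s: attribute missing or empty", attr)
	case !utf8.Valid(raw):
		return fmt.Errorf("%s: %d bytes, not valid UTF-8 (binary attribute)", attr, len(raw))
	}
	return nil
}

// usableIDAttrs returns, sorted, the attributes of entry that pass the check.
func usableIDAttrs(entry map[string][]byte) []string {
	var ok []string
	for attr := range entry {
		if checkIDAttr(entry, attr) == nil {
			ok = append(ok, attr)
		}
	}
	sort.Strings(ok)
	return ok
}

func main() {
	for _, attr := range []string{"objectGUID", "sAMAccountName"} {
		fmt.Printf("idAttr %s: %v\n", attr, checkIDAttr(sampleEntry, attr))
	}
	fmt.Println("usable:", usableIDAttrs(sampleEntry))
}
```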
It seems you were able to login successfully. So it would seem that you got through the Dex/login errors.
The error you have now appears to be an SELinux error. It seems you have SELinux enabled; did you install ondemand-selinux to set the policies?
s.park
(s.park)
July 22, 2025, 2:10pm
5
I didn’t install ondemand-selinux yet.
Could you let me know how to configure SELinux after the package is installed?
PARK
s.park
(s.park)
July 22, 2025, 2:15pm
6
I installed ondemand-selinux and tried to log in. Then I got this message.
It seems to come from the NFS home directory not being mounted yet. After mounting the NFS filesystem, I will try to log in again.
PARK
s.park
(s.park)
July 22, 2025, 2:23pm
7
After mounting the network filesystem for the home directory, I could log in to the first screen for my account as below.
Thank you for your help.
PARK
s.park
(s.park)
August 1, 2025, 8:40am
8
Hello Jeff,
I have one more question for this ticket.
Whenever I update the OOD configuration with sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal, idAttr is automatically changed from sAMAccountName to objectGUID.
Could you tell me where I could change the default value for the dex config file?
Best regards,
PARK
You can supply an entire dex object in the ood_portal.yml to reconfigure this.
Also note that you don’t need to run update_ood_portal anymore. Really just bouncing the systemctl unit httpd or apache2 will run the same program for you.
s.park
(s.park)
August 11, 2025, 8:43am
10
Thank you, Jeff.
It's fixed.
PARK