Setting Up - ldap [Empty password reported]

Hi All,

Installing OOD with Dex and am missing something at this stage as I get the login screen but /var/log/messages complains that I am sending an empty passwd.

Note: I have set the bindPW below; it has no special characters to escape. I also tried switching to a working certificate, re-ran the update script and restarted dex.

Any help welcome. So close.

Here is the error from login screen:
"

Internal Server Error

Login error: ldap: initial bind for user “CN=svcMK4WebLDAPBind,OU=Service,OU=Accounts,OU=MYWORKPLACE,DC=mcri,DC=edu,DC=au” failed: LDAP Result Code 206 “Empty password not allowed by the client": ldap: empty password not allowed by the client

from /var/log/messages:
Jan 11 13:22:50 login001 ondemand-dex[598867]: time=“2025-01-11T02:22:50Z” level=error msg=“Failed to login user: ldap: initial bind for user "CN=svcMK4WebLDAPBind,OU=Service,OU=Accounts,OU=MYWORKPLACE,DC=myworkplace,DC=edu,DC=au" failed: LDAP Result Code 206 "Empty password not allowed by the client": ldap: empty password not allowed by the client”

Here is my /etc/ood/config/ood_portal.yml file and Dex stuff. No other setting as I read it defaults to auth: opened…???

servername: 'research-cluster.myworkplace.edu.au'
port: '443'
client_secret: blahblah from Dex dir
ssl:
  - 'SSLCertificateFile /etc/httpd/ssl/myworkplace/myworkplace.edu.au.cer'
  - 'SSLCertificateKeyFile /etc/httpd/ssl/myworkplace/myworkplace.edu.au.nopass.key'
  - 'SSLCertificateChainFile /etc/httpd/ssl/myworkplace/CACertificate.chain.cer'
dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: myldapserverv.myworkplace.edu.au:636
        #tlsConfig:caCert: "/etc/ssl/certs/ldap-ca.crt"
        insecureSkipVerify: false
        bindDN: CN= ,OU=Service,OU=Accounts,OU=MYWORKPLACE,DC=mcri,DC=edu,DC=au
        userSearch:
          baseDN: OU=USERS,OU=HEADQUARTERS,DC=myworkplace,DC=edu,DC=au
          bindPW: <my_svcMK4WebLDAPBindPW>
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: OU=Groups,OU=MYWORKPLACE,DC=mcri,DC=edu,DC=au
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
  frontend:
    theme: ondemand
    dir: /usr/share/ondemand-dex/web

Can you confirm the bind password has made it to the dex configuration in /ood/dex/config.yml?

Hi Jeff,

Yep, the password made it. Is there a command line thing I can do to execute the Dex part only as a test?

File: /etc/ood/dex/config.yaml
[root@login001 dex]# ls -l
total 188
-rw-------. 1 ondemand-dex ondemand-dex 1145 Jan 11 14:47 config.yaml

issuer: https://login001.myworkplace.edu.au/dex
storage:
  type: sqlite3
  config:
    file: "/etc/ood/dex/dex.db"
web:
  http: localhost:5556
telemetry:
  http: 0.0.0.0:5558
staticClients:
  - id: login001.myworkplace.edu.au
    redirectURIs:
  - type: ldap
    id: ldap
    name: LDAP
    config:
      host: pkmpadsdc02v.myworkplace.edu.au:636
      insecureSkipVerify: false
      bindDN: CN=MYBINDACCOUNT,OU=Service,OU=Accounts,OU=MYWORKPLACE,DC=myworkplace,DC=edu,DC=au
      userSearch:
        baseDN: OU=USERS,OU=HEADQUARTERS,DC=myworkplace,DC=edu,DC=au
        bindPW:" I can confirm password was here"
        filter: "(objectClass=posixAccount)"
.
.
.
stuff deleted by me

Does your password have a $ in it? I’m finding that they’re expanding environment variables. Apparently DEX_EXPAND_ENV=0 will stop this, but I can’t tell what release that’s in.

The password is just letters and no symbols, etc. We had ruled that out.

Hi Jeff, I’m in AU and unfortunately (fortunately, actually) OOD is on the critical path for our project. Is there any chance I could set up a Teams meeting and walk through this with you? I’m happy to be up when it is daytime hours for you. I’m hoping it is something silly that I have done and a second set of eyes would see it. Thx.

Sure, drop me a line at johrstrom@osc.edu.

Hi Jeff and all, I have gotten past this issue but onto the next.

The resolution of the above issue seems to have been that I had bindPW under user search rather than in the section under bindDN.

The next issue, I suspect, may be user map issues.
I have tried two different user names, i.e.
“fred”
“will.robinson”

Both return the same error, i.e. for “will.robinson”:

Jan 28 18:04:03 loginServer ondemand-dex[2106391]: time=“2025-01-28T07:04:03Z” level=error msg=“ldap: no results returned for filter: "(&(objectClass=posixAccount)(uid=will.robinson))"”

Any thoughts?
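
A placement check for the misconfiguration identified in the resolution above (bindPW nested under userSearch instead of beside bindDN), as an added example that is not part of the thread and is not Open OnDemand or Dex code. It is a minimal indentation-based key scanner rather than a full YAML parser; the sample config, its hostnames, DNs and password are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample with the same layout as the config in the thread
# (hostnames, DNs and the password are placeholders).
SAMPLE_BROKEN = """\
connectors:
  - type: ldap
    id: ldap
    config:
      host: ldap.example.org:636
      bindDN: CN=svc-bind,OU=Service,DC=example,DC=org
      userSearch:
        baseDN: OU=Users,DC=example,DC=org
        bindPW: placeholder-secret
        filter: "(objectClass=posixAccount)"
"""
# Same sample with bindPW moved up to sit beside bindDN.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("        bindPW: placeholder-secret\n", "").replace(
    "      userSearch:", "      bindPW: placeholder-secret\n      userSearch:")

KEY = re.compile(r"^(\s*(?:-\s+)?)([A-Za-z_][\w-]*):(?:\s|$)")

def key_paths(text):
    """Yield (path, line_no, starts_list_item) per mapping key; nesting from indentation."""
    stack = []
    for no, line in enumerate(text.splitlines(), 1):
        m = None if line.lstrip().startswith("#") else KEY.match(line)
        if not m:
            continue
        indent = len(m.group(1))  # a leading "- " counts toward the key's column
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group(2)))
        yield tuple(k for _, k in stack), no, "-" in m.group(1)

def check_bind_credentials(text):
    """Return [(bindDN line, [where bindPW was found instead])] for each bad connector."""
    blocks, cur = [], None
    for path, no, item in key_paths(text):
        if item and len(path) >= 2 and path[-2] == "connectors":
            cur = {"dn": None, "pw": []}  # a new entry in the connectors list
            blocks.append(cur)
        if cur is not None and path[-1] == "bindDN":
            cur["dn"] = (path[:-1], no)
        elif cur is not None and path[-1] == "bindPW":
            cur["pw"].append((path[:-1], no))
    return [(b["dn"][1], [f"{'.'.join(p)} (line {n})" for p, n in b["pw"]])
            for b in blocks
            if b["dn"] and not any(p == b["dn"][0] for p, _ in b["pw"])]
```

Pass the text of the generated /etc/ood/dex/config.yaml to check_bind_credentials; an empty list means every bindDN has a bindPW at the same level, and it does not check whether that value is non-empty.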