Argocd details:
argocd: v1.3.6+89be1c9
BuildDate: 2019-12-10T22:46:45Z
GitCommit: 89be1c9ce6db0f727c81277c1cfdfb1e385bf248
GitTreeState: clean
GoVersion: go1.12.6
Compiler: gc
Platform: linux/amd64
Dex details:
dex Version: v2.14.0
Go Version: go1.11.3
Go OS/ARCH: linux amd64
Having issues retrieving the groups information from AD for a logged-in user. This is preventing me from configuring the RBAC authorization.
Below is the ldap connector content:
```yaml
connectors:
- type: ldap
  id: ldap
  name: MicrosoftAD
  config:
    host: host@AD:389
    insecureNoSSL: true
    bindDN: bindDN
    bindPW: $bindPW
    userSearch:
      baseDN: baseDN
      filter: "(objectClass=person)"
      username: SamAccountName
      emailAttr: mail
      nameAttr: name
      idAttr: SamAccountName
    groupSearch:
      baseDN: baseDN
      filter: "(objectClass=group)"
      userMatchers:
      - userAttr: DistinguishedName
        groupAttr: Members
      nameAttr: cn
```
I observe that the login of the user goes through, but the groups the user belongs to are not obtained, as shown in the log below, taken from the argocd-dex-server-xxx pod:
```text
time="2020-02-12T03:23:25Z" level=info msg="config issuer: $(ARGOFQDN)/api/dex"
time="2020-02-12T03:23:25Z" level=info msg="config storage: memory"
time="2020-02-12T03:23:25Z" level=info msg="config static client: argo-cd"
time="2020-02-12T03:23:25Z" level=info msg="config static client: argo-cd-cli"
time="2020-02-12T03:23:25Z" level=info msg="config connector: ldap"
time="2020-02-12T03:23:25Z" level=info msg="config skipping approval screen"
time="2020-02-12T03:23:25Z" level=info msg="keys expired, rotating"
time="2020-02-12T03:23:25Z" level=info msg="keys rotated, next rotation: 2020-02-12 09:23:25.352002627 +0000 UTC"
time="2020-02-12T03:23:25Z" level=info msg="listening (http) on 0.0.0.0:5556"
time="2020-02-12T03:23:25Z" level=info msg="listening (grpc) on 0.0.0.0:5557"
time="2020-02-12T03:23:36Z" level=info msg="performing ldap search DC=xxxxxxDC=com,DC=au sub (&(objectClass=person)(SamAccountName=SAMACCOUNT-USERNAME))" connector=MicrosoftAD
time="2020-02-12T03:23:36Z" level=info msg="username \"SAMACCOUNT-USERNAME\" mapped to entry CN=MY-CN-USERNAME,OU=xxxxxx,OU=xxxxxx,DC=xxxxx,DC=com,DC=au" connector=MicrosoftAD
time="2020-02-12T03:23:36Z" level=info msg="login successful: connector \"ldap\", username=\"MY-CN-USERNAME\", email=\"MY-EMAIL-ID\", groups=[]"
```
Can somebody please point out the error in the configuration, or any configuration steps that I have missed?
After much reading I figured out that the scope for groups needs to be added separately in the client, which I presume happens to be the dex-server pod in Argocd, to fetch the groups info from Microsoft AD. Would somebody help me with the steps to set that in Argocd?
Same here!
dex logs:
```text
time="2020-02-22T02:08:14Z" level=info msg="performing ldap search ou=Users,ou=mycompany,dc=ds,dc=mycompany,dc=com sub (&(objectClass=person)(sAMAccountName=fcarletti))" connector=LDAP
time="2020-02-22T02:08:14Z" level=info msg="username \"fcarletti\" mapped to entry CN=Fernando Carletti,OU=Users,OU=mycompany,DC=ds,DC=mycompany,DC=com" connector=LDAP
time="2020-02-22T02:08:14Z" level=info msg="login successful: connector \"ldap\", username=\"Fernando Carletti\", email=\"fcarletti\", groups=[]"
```
argo server logs:
```text
time="2020-02-22T02:08:11Z" level=info msg="Initializing OIDC provider (issuer: https://delivery.mycompany.com/api/dex)"
time="2020-02-22T02:08:11Z" level=info msg="OIDC supported scopes: [openid email groups profile offline_access]"
time="2020-02-22T02:08:11Z" level=info msg="Performing authorization_code flow login: https://delivery.mycompany.com/api/dex/auth?client_id=argo-cd&redirect_uri=https%3A%2F%2Fdelivery.mycompany.com%2Fauth%2Fcallback&response_type=code&scope=openid+profile+email+groups&state=TfvZrAQxqK"
time="2020-02-22T02:08:14Z" level=info msg="Callback: /auth/callback?code=m2tqql...uvnctxhhvf&state=Tfv...xqK"
time="2020-02-22T02:08:14Z" level=info msg="Web login successful. Claims: {\"at_hash\":\"r8yqIcv...OTipQ\",\"aud\":\"argo-cd\",\"email\":\"fcarletti\",\"email_verified\":true,\"exp\":1582423694,\"iat\":1582337294,\"iss\":\"https://delivery.mycompany.com/api/dex\",\"name\":\"Fernando Carletti\",\"sub\":\"CkdDTj1GZXJ...xIEbGRhcA\"}"
time="2020-02-22T02:08:14Z" level=info msg="received unary call /version.VersionService/Version" grpc.method=Version grpc.request.claims=null grpc.request.content= grpc.service=version.VersionService grpc.start_time="2020-02-22T02:08:14Z" span.kind=server system=grpc
time="2020-02-22T02:08:14Z" level=info msg="ks version" dir= execID=Mswqu
time="2020-02-22T02:08:14Z" level=info msg="kustomize version" dir= execID=4giu0
time="2020-02-22T02:08:14Z" level=info msg="helm version --client" dir= execID=qWxLk
time="2020-02-22T02:08:14Z" level=info msg="kubectl version --client" dir= execID=bDk1U
time="2020-02-22T02:08:14Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Version grpc.service=version.VersionService grpc.start_time="2020-02-22T02:08:14Z" grpc.time_ms=149.18 span.kind=server system=grpc
time="2020-02-22T02:08:55Z" level=info msg="Alloc=18453 TotalAlloc=1057395 Sys=70592 NumGC=132 Goroutines=149"
```
I just found the issue. The examples may be bad. By changing the userMatchers in the groupSearch section:
```yaml
groupSearch:
  ...
  userMatchers:
  - userAttr: DistinguishedName
    groupAttr: Members
```
to:
```yaml
groupSearch:
  ...
  userAttr: DistinguishedName
  groupAttr: Members
```
Now I was able to see the groups in the logs. Time to configure the RBAC :)
Btw, I found this example here: https://github.com/dexidp/dex/issues/982#issuecomment-314261846
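An added offline model of the group matching that the working groupSearch above requests (example code written for this page, not dex's or Argo CD's own and not posted in the issue): it compares the user's DN against each group's membership values as the top-level userAttr/groupAttr keys describe, and returns no groups when those keys are only nested under userMatchers, which is the shape that produced groups=[] in the logs. The directory entries are constructed sample data, and the membership attribute is assumed to be AD's `member`.

```python
from typing import Dict, List

# Constructed sample directory: entry DN -> attributes (names lower-cased, as
# LDAP attribute names are case-insensitive). AD's membership attribute is
# `member`; the thread's `Members` spelling is left aside here.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=Fernando Carletti,OU=Users,DC=ds,DC=mycompany,DC=com": {
        "objectclass": ["person"], "samaccountname": ["fcarletti"]},
    "CN=argocd-admins,OU=Groups,DC=ds,DC=mycompany,DC=com": {
        "objectclass": ["group"], "cn": ["argocd-admins"],
        "member": ["cn=fernando carletti, ou=users,dc=ds,dc=mycompany,dc=com"]},
    "CN=argocd-readonly,OU=Groups,DC=ds,DC=mycompany,DC=com": {
        "objectclass": ["group"], "cn": ["argocd-readonly"],
        "member": ["CN=Someone Else,OU=Users,DC=ds,DC=mycompany,DC=com"]},
}
# groupSearch as it worked in the thread: userAttr/groupAttr at the top level.
WORKING = {"filter": "(objectClass=group)", "nameAttr": "cn",
           "userAttr": "DistinguishedName", "groupAttr": "member"}
# groupSearch as first posted: the matcher keys nested under userMatchers.
NESTED = {"filter": "(objectClass=group)", "nameAttr": "cn",
          "userMatchers": [{"userAttr": "DistinguishedName", "groupAttr": "member"}]}

def check_group_search(cfg: dict) -> List[str]:
    """Names of the matcher keys missing at the top level of groupSearch."""
    return [k for k in ("userAttr", "groupAttr") if k not in cfg]

def norm_dn(dn: str) -> str:
    """DNs compare case-insensitively, ignoring whitespace around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def groups_for_user(user_dn: str, cfg: dict, directory=DIRECTORY) -> List[str]:
    """nameAttr of each entry matching the simple (attr=value) filter whose
    groupAttr values contain the user's userAttr value; [] when the matcher
    keys are missing, which mirrors the empty groups claim in the logs."""
    if check_group_search(cfg):
        return []
    attr, value = cfg["filter"].strip("()").split("=", 1)
    # AD exposes the entry DN as DistinguishedName, so match on the DN itself.
    wanted = (user_dn if cfg["userAttr"].lower() == "distinguishedname"
              else directory[user_dn][cfg["userAttr"].lower()][0])
    found = []
    for attrs in directory.values():
        if value.lower() not in (v.lower() for v in attrs.get(attr.lower(), [])):
            continue
        members = attrs.get(cfg["groupAttr"].lower(), [])
        if any(norm_dn(m) == norm_dn(wanted) for m in members):
            found.append(attrs[cfg["nameAttr"].lower()][0])
    return sorted(found)
```

Running `check_group_search` over the groupSearch block before deploying it catches the nested shape without a login round-trip; the groups it returns are the values Argo CD's RBAC `g` rows must name.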
yes! Without the userMatchers section it does work
Thanks Fernando for patiently going through the content I pasted and suggesting the right solution; this worked perfectly!!