Hi i'm trying to use dex for k8s authn/authz.
I use LDAP connector with bleow image and configuration.
below is docker image I use
image: quay.io/coreos/dex:v2.0.0-beta.1
below is my ldap connector configuration
- type: ldap
id: ldap
config:
host: openldap.kube-system.svc.cluster.io:389
insecureNoSSL: true
bindDN: cn=admin,dc=local,dc=io
bindPW: admin
userSearch:
baseDN: ou=users,dc=local,dc=io
filter: "(objectClass=posixAccount)"
username: uid
idAttr: uid
emailAttr: mail
nameAttr: uid
groupSearch:
baseDN: ou=groups,dc=example,dc=com
filter: "(objectClass=posixGroup)"
userAttr: uid
groupAttr: memberUid
nameAttr: cn
from above
I can get token using the example-app
but the claim doesnt have any group information
Claims:
{
"iss": "https://kube-1.local.io:30443",
"sub": "keyolk",
"aud": "example-app",
"exp": 1481884152,
"iat": 1481797752,
"email": "[email protected]",
"email_verified": false,
"name": "keyolk"
}
I can get the entry from ldap client.
# LDIF Export for ou=groups,dc=local,dc=io
# Server: localhost (localhost)
# Search Scope: sub
# Search Filter: (&(objectClass=posixGroup)(memberUid=keyolk))
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on December 14, 2016 2:52 pm
# Version: 1.2.3
version: 1
# Entry 1: cn=cnct,ou=groups,dc=local,dc=io
dn: cn=cnct,ou=groups,dc=local,dc=io
cn: cnct
Does anyone can inform me what I have to check more ?
I saw below, but cant understand...
https://github.com/coreos/dex/issues/536
or is it related to examle-app ?
below is logs from example-app
{
"issuer": "https://kube-1.local.io:30443",
"authorization_endpoint": "https://kube-1.local.io:30443/auth",
"token_endpoint": "https://kube-1.local.io:30443/token",
"jwks_uri": "https://kube-1.local.io:30443/keys",
"response_types_supported": [
"code"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"groups",
"profile",
"offline_access"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic"
],
"claims_supported": [
"aud",
"email",
"email_verified",
"exp",
"iat",
"iss",
"locale",
"name",
"sub"
]
}
I think you're missing the extra "groups" scope.
@ericchiang Thanks reply,
but what does it mean "missing the extra "groups" scope."
to where ?
I can get a group which matching with given uid
# LDIF Export for ou=groups,dc=local,dc=io
# Server: localhost (localhost)
# Search Scope: sub
# Search Filter: (&(objectClass=posixGroup)(memberUid=keyolk))
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on December 14, 2016 2:52 pm
# Version: 1.2.3
version: 1
# Entry 1: cn=cnct,ou=groups,dc=local,dc=io
dn: cn=cnct,ou=groups,dc=local,dc=io
cn: cnct
OAuth2 scopes https://tools.ietf.org/html/rfc6749#section-4.1.1
The examples app as an "additional scopes" field you can type "groups" into.
@ericchiang
Oh, I see
seems I have to add additional filed to my static client.
Thanks alot
I'll close this after checking furthers.
seems I have to add additional filed to my static client.
Can you expand on that?
Ideally we'd like to turn this into a doc requirement. E.g. "document accepted scope" or "example app needs better documentation"
@ericchiang
Well... sadly not done yet.
I cant find how I can set scope to example-app : (
Could you inform me something more ?
and how I can enable debug logs on dex server ?
here my dex configs
kind: ConfigMap
apiVersion: v1
metadata:
name: dex
namespace: kube-system
data:
config.yaml: |
issuer: https://kube-1.local.io:30443
storage:
type: kubernetes
config:
inCluster: true
web:
https: 0.0.0.0:443
tlsCert: /etc/dex/tls/tls.crt
tlsKey: /etc/dex/tls/tls.key
connectors:
- type: oidc
id: google
name: Google
config:
issuer: https://accounts.google.com
clientID: $GOOGLE_CLIENT_ID
clientSecret: $GOOGLE_CLIENT_SECRET
redirectURI: https://kube-1.local.io:30443/callback
- type: github
id: github
name: GitHub
config:
clientID: $GITHUB_CLIENT_ID
clientSecret: $GITHUB_CLIENT_SECRET
redirectURI: https://kube-1.local.io:30443/callback
- type: ldap
id: ldap
config:
host: openldap.kube-system.svc.cluster.io:389
insecureNoSSL: true
bindDN: cn=admin,dc=local,dc=io
bindPW: admin
userSearch:
baseDN: ou=users,dc=local,dc=io
filter: "(objectClass=posixAccount)"
username: uid
idAttr: uid
emailAttr: mail
nameAttr: uid
groupSearch:
baseDN: ou=groups,dc=example,dc=com
filter: "(objectClass=posixGroup)"
userAttr: uid
groupAttr: memberUid
nameAttr: cn
oauth2:
skipApprovalScreen: true
staticClients:
- id: example-app
redirectURIs:
- 'http://kube-1.local.io:30080/callback'
name: 'Example App'
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
enablePasswordDB: true
staticPasswords:
- email: "[email protected]"
and here my logs from example-app
2016/12/15 19:44:52 GET /.well-known/openid-configuration HTTP/1.1 [23/84]
Host: kube-1.local.io:30443
2016/12/15 19:44:52 HTTP/1.1 200 OK
Content-Length: 709
Content-Type: application/json
Date: Thu, 15 Dec 2016 19:44:52 GMT
{
"issuer": "https://kube-1.local.io:30443",
"authorization_endpoint": "https://kube-1.local.io:30443/auth",
"token_endpoint": "https://kube-1.local.io:30443/token",
"jwks_uri": "https://kube-1.local.io:30443/keys",
"response_types_supported": [
"code"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"groups",
"profile",
"offline_access"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic"
],
"claims_supported": [
"aud",
"email",
"email_verified",
"exp",
"iat",
"iss",
"locale",
"name",
"sub"
]
}
2016/12/15 19:44:52 listening on http://0.0.0.0:80
2016/12/15 19:47:00 POST /token HTTP/1.1
Host: kube-1.local.io:30443
Authorization: Basic ZXhhbXBsZS1hcHA6WlhoaGJYQnNaUzFoY0hBdGMyVmpjbVYw
Content-Type: application/x-www-form-urlencoded
client_id=example-app&code=mut4jfuzrztpbv4r23p2tnufb4&grant_type=authorization_code&redirect_uri=http%3A%2F%2Fkube-1.local.io%3A30080%2Fcall
back
2016/12/15 19:47:00 HTTP/1.1 200 OK
Content-Length: 806
Content-Type: application/json
Date: Thu, 15 Dec 2016 19:47:00 GMT
{"access_token":"xmroqflaz72apjsjxea2adreoq","token_type":"bearer","expires_in":86399,"refresh_token":"5pi3my6n3cxnzxwqght76ovcvm","id_token
":"eyJhbGciOiJSUzI1NiIsImtpZCI6IjM0ZWMxMGE1NGVhNmFhMGZlMTQ0NWMwMmViYjA1ODVhYjgwMDViNzcifQ.eyJpc3MiOiJodHRwczovL2t1YmUtMS5sb2NhbC5pbzozMDQ0My
IsInN1YiI6ImtleW9sayIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNDgxOTE3NjIwLCJpYXQiOjE0ODE4MzEyMjAsImVtYWlsIjoia2V5b2xrQGdtYWlsLmNvbSIsImVtYWlsX3
ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoia2V5b2xrIn0.JOoGs1c9ewp3eNq1Fy_Mvtzp6ytQoYOXVFVC5NhOsLUKmK1DEqrl5iI8C4SZPOHIJQDyJJIYS_VvWiF8otywG60gp5YwFCYblN
p2t6wxgrD2QevsBIsmIZssJLKAF-4wj9L2pLb4Yg4U_7oiD-jqPdk-U_tUX-nWvzC-ex9nM4aZOHdTizDus6GTUm-XTJP7SqmdKWQ8AiRrXeJet7odl7ymd7b6HEebhA4srwVaK0UXqS
_M1cErzKeA-EI50OZf00Cn4KTBa0NYtuu_dnqlMTVAgHQZU8-W4Fkj84qLyVMVqLD7EZMNeL3gd3cbO-virE5NiniHg_PNvUKS17kTHQ"}
2016/12/15 19:47:00 GET /keys HTTP/1.1
Host: kube-1.local.io:30443
2016/12/15 19:47:00 HTTP/1.1 200 OK
Content-Length: 1032
Cache-Control: max-age=18932, must-revalidate
Content-Type: application/json
Date: Thu, 15 Dec 2016 19:47:00 GMT
{
"keys": [
{
"use": "sig",
"kty": "RSA",
"kid": "34ec10a54ea6aa0fe1445c02ebb0585ab8005b77",
"alg": "RS256",
"n": "2aWvVAARbcV0Lxjar_IsCjik5AfSi0Cn5YWpwEsnGSUO0iZwMhmBeuZCmlxAGZ2EABEY9kjCfXEk5VLS4RxgtjGpSwsI7UuOWGbIVrCUhw2qPLC1lxDbBKWuxFE0aHtM
MdksJMT_2Axt2MOjWJ4XfJwAwhjtj4WTd5CtFD-29zq3kFb_UCm-BEdYGvq87Kxpi2mC40EA7LqSovcblDn7ZOSVkww0dRmBf1Dp0ubauqeekbATWhoEPowLq5nm-pvpG0plxrsVEn5E
qcKBeletWZSyIBmFcpP0PJgjXXI6w60LnkTVv2N5cJ4sKe1OC9ttGgVprZmdOO0XcPSKr2qw6Q",
"e": "AQAB"
},
{
"use": "sig",
"kty": "RSA",
"kid": "a9c07d84a51fa93edfc6cc5c010be12021ebfa78",
"alg": "RS256",
"n": "02eb_CvYVuMTeOXe0Vfx30JUIoZtgDud-Zx9QyN1uRDPJFV5gPbiqPKSZdhmAAkKzg7xwLHuKQqSxkAoStvwLHynPdN9qrNoKwwIPZ5ZI50647UhsjrMeN6_uEnghg3K
18RSwZKmNYl57nBOG5wkAjk-0XVimPhMYwOw3v6Kx8p4Xqvkdfd3G-yIP1TOCOL27O705Dswo52g6c9EhGHBjnHTyU_dGNqsOH7Dd3xlNmLd3_-DWcsxIkGv76peIfFdo5OZRNoWgp-t
eg8X99SzUbKmCSkgLnsvykE3DzhBZ8ILgoWxGtzkk2PJZL22bwbxQb-tCCAyXAxKRufqXuDW4Q",
"e": "AQAB"
}
]
}
here the token I get
Token:
eyJhbGciOiJSUzI1NiIsImtpZCI6IjM0ZWMxMGE1NGVhNmFhMGZlMTQ0NWMwMmViYjA1ODVhYjgwMDViNzcifQ.eyJpc3MiOiJodHRwczovL2t1YmUtMS5sb2NhbC5pbzozMDQ0MyIsInN1YiI6ImtleW9sayIsImF1ZCI6ImV4YW1wbGUtYXBwIiwiZXhwIjoxNDgxOTE3NjIwLCJpYXQiOjE0ODE4MzEyMjAsImVtYWlsIjoia2V5b2xrQGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoia2V5b2xrIn0.JOoGs1c9ewp3eNq1Fy_Mvtzp6ytQoYOXVFVC5NhOsLUKmK1DEqrl5iI8C4SZPOHIJQDyJJIYS_VvWiF8otywG60gp5YwFCYblNp2t6wxgrD2QevsBIsmIZssJLKAF-4wj9L2pLb4Yg4U_7oiD-jqPdk-U_tUX-nWvzC-ex9nM4aZOHdTizDus6GTUm-XTJP7SqmdKWQ8AiRrXeJet7odl7ymd7b6HEebhA4srwVaK0UXqS_M1cErzKeA-EI50OZf00Cn4KTBa0NYtuu_dnqlMTVAgHQZU8-W4Fkj84qLyVMVqLD7EZMNeL3gd3cbO-virE5NiniHg_PNvUKS17kTHQ
Claims:
{
"iss": "https://kube-1.local.io:30443",
"sub": "keyolk",
"aud": "example-app",
"exp": 1481917620,
"iat": 1481831220,
"email": "[email protected]",
"email_verified": true,
"name": "keyolk"
}
Refresh Token:
5pi3my6n3cxnzxwqght76ovcvm

@ericchiang
oh my,
why I didnt see that;
And Could you inform me how I can enable more logs ?
2016/12/15 21:24:48 Failed to login user: ldap: failed to query groups: ldap: search failed: LDAP Result Code 32 "No Such Object":
below is my group info in LDAP
# LDIF Export for ou=groups,dc=local,dc=io
# Server: localhost (localhost)
# Search Scope: sub
# Search Filter: (&(objectClass=posixGroup)(memberUid=keyolk))
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on December 14, 2016 2:52 pm
# Version: 1.2.3
version: 1
# Entry 1: cn=cnct,ou=groups,dc=local,dc=io
dn: cn=cnct,ou=groups,dc=local,dc=io
cn: cnct
This looks wrong.
baseDN: ou=groups,dc=example,dc=com
Please review https://github.com/coreos/dex/blob/master/Documentation/ldap-connector.md#example-mapping-a-schema-to-a-search-config
@ericchiang
arghh...... how I did silly.
Thanks alot, it works.
Most helpful comment