
Groups are empty while authenticating using DEX (LDAP)


I have been trying to authenticate with OIDC using DEX for LDAP. I have succeeded in authenticating, but the problem is that the LDAP search is not returning the groups. Following are my DEX config and LDAP data. Please help me out.

[Screenshot: login successful, groups are empty]

My Dex Config

# User search maps a username and password entered by a user to a LDAP entry.
userSearch:
  # BaseDN to start the search from. It will translate to the query
  # "(&(objectClass=person)(uid=<username>))".
  baseDN: ou=People,dc=ec2-54-185-211-121,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
  # Optional filter to apply when searching the directory.
  #filter: "(objectClass=posixAccount)"
  # username attribute used for comparing user entries. This will be translated
  # and combined with the other filter as "(<attr>=<username>)".
  username: mail
  # The following three fields are direct mappings of attributes on the user entry.
  # String representation of the user.
  idAttr: uid
  # Required. Attribute to map to Email.
  emailAttr: mail
  # Maps to display name of users. No default value.
  nameAttr: uid

# Group search queries for groups given a user entry.
groupSearch:
  # BaseDN to start the search from. It will translate to the query
  # "(&(objectClass=group)(member=<user uid>))".
  baseDN: dc=ec2-54-185-211-121,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
  # Optional filter to apply when searching the directory.
  #filter: "(objectClass=posixGroup)"
  # The following two fields are used to match a user to a group. It adds an additional
  # requirement to the filter that an attribute in the group must match the user's
  # attribute value.
  userAttr: uid
  groupAttr: memberUid
  # Represents group name.
  nameAttr: cn

My LDAP Data

dn: ou=People,dc=ec2-54-185-211-121,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
ou: People
objectClass: organizationalUnit

dn: uid=johndoe,ou=People,dc=ec2-54-185-211-121,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
gecos: John Doe
uid: johndoe
loginShell: /bin/bash
mail: john.doe@example.org
homeDirectory: /home/jdoe
cn: John Doe
sn: Doe
uidNumber: 10002
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
userPassword: bar
gidNumber: 10002

dn: uid=janedoe,ou=People,dc=ec2-54-185-211-121,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
gecos: Jane Doe
uid: janedoe
loginShell: /bin/bash
mail: jane.doe@example.org
homeDirectory: /home/jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
userPassword: foo
gidNumber: 10001

dn: ou=Groups,dc=ec2-54-185-211-121,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
ou: Groups
objectClass: organizationalUnit

dn: cn=admins,ou=Groups,dc=ec2-54-185-211-121,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
cn: admins
objectClass: posixGroup
objectClass: top
gidNumber: 20001
memberUid: janedoe
memberUid: johndoe

dn: cn=developers,ou=Groups,dc=ec2-54-185-211-121,dc=us-west-2,dc=compute,dc=amazonaws,dc=com
cn: developers
objectClass: posixGroup
objectClass: top
gidNumber: 20002
memberUid: janedoe


Solution

  • Sorry for the late reply, but I didn't know the answer until now :)

    I had the same problem, in my setup I used dex (quay.io/dexidp/dex:v2.16.0) to use MS AD. I used kubernetes 1.13 in my tests.

    To generate a kubeconfig I used heptiolabs/gangway (gcr.io/heptio-images/gangway:v3.0.0), and to handle dashboard login I used pusher/oauth2_proxy (quay.io/pusher/oauth2_proxy).

    I spent a lot of time trying different LDAP setups in dex but didn't get the AD groups to show up in the dex log or get them to work in kubernetes, and every example I read was using only users.

    The problem and solution for me was not in the dex config; dex will request groups from LDAP if you tell dex to do so. It's all in the clients. OIDC has a "concept" of scopes, and I guess that most (all?) OIDC clients implement it; at least both gangway and oauth2-proxy do. So the solution for me was to configure the clients (gangway and oauth2-proxy in my case) so that they also ask dex for groups.

    In gangway I used the following config (including the comments):

    # Used to specify the scope of the requested Oauth authorization.
    # scopes: ["openid", "profile", "email", "offline_access"]
    scopes: ["openid", "profile", "email", "offline_access", "groups"]
    

    For oauth2-proxy I added this to the args of the deployment:

    - args:
        - --scope=openid profile email groups


    And then I could use groups instead of users in my rolebindings. Don't forget to also configure the api-server to use dex for its OIDC.

    Hope that helps

    -Robert
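An added example, not code from the question, the answer, Dex or either client: it replays the question's groupSearch mapping (userAttr=uid, groupAttr=memberUid, nameAttr=cn) against the posted LDIF to show that the directory side does resolve johndoe to admins, and then shows the answer's point that the groups claim only reaches the client when the client requests the groups scope. The filter shape and claim names are assumptions drawn from the config comments rather than Dex's source, and the base DN is shortened to dc=example,dc=org.

```python
# LDIF constructed from the question's LDAP data, base DN shortened to dc=example,dc=org.
LDIF = """\
dn: uid=johndoe,ou=People,dc=example,dc=org
uid: johndoe

dn: uid=janedoe,ou=People,dc=example,dc=org
uid: janedoe

dn: cn=admins,ou=Groups,dc=example,dc=org
cn: admins
memberUid: janedoe
memberUid: johndoe

dn: cn=developers,ou=Groups,dc=example,dc=org
cn: developers
memberUid: janedoe
"""
# Same values as the question's groupSearch block (the optional filter left unset).
GROUP_SEARCH = {"baseDN": "dc=example,dc=org", "filter": "",
                "userAttr": "uid", "groupAttr": "memberUid", "nameAttr": "cn"}

def parse_ldif(text):
    """Parse LDIF into a list of dicts mapping attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def group_filter(user, cfg):
    """Query Dex issues for groupSearch: (groupAttr=<user's userAttr value>),
    AND-ed with the optional filter when set (form assumed from the config comments)."""
    match = f"({cfg['groupAttr']}={user[cfg['userAttr']][0]})"
    return f"(&{cfg['filter']}{match})" if cfg["filter"] else match

def groups_for(user, entries, cfg):
    """Evaluate that query locally: names of groups whose groupAttr lists the user."""
    uid = user[cfg["userAttr"]][0]
    return sorted(e[cfg["nameAttr"]][0] for e in entries
                  if e["dn"][0].endswith(cfg["baseDN"]) and uid in e.get(cfg["groupAttr"], []))

def id_token_claims(user, groups, scopes):
    """Claims a client sees; Dex adds 'groups' only when the groups scope was requested."""
    claims = {"sub": user["uid"][0]}
    if "groups" in scopes:
        claims["groups"] = groups
    return claims
```

With the scopes from the answer's original gangway config (no "groups"), the claims carry no groups even though the LDAP side resolved them; adding "groups" to the scope list is what makes them appear.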