Help troubleshooting setup of DEX connector to Windows Active Directory

[Greg Waines]

Hey ... warning, I'm new to DEX ...

I am getting the following error from kubelogin:

[sysadmin@controller-0 wad(keystone_admin)]$ kubelogin

error: error while authentication: could not create an OIDC client: could not discovery the OIDC issuer: Get https://yow-gwaines-d1.corp.ad.wrs.com:32000/dex/.well-known/openid-configuration: read tcp 10.10.10.3:52938->128.224.141.44:32000: read: connection reset by peer

[sysadmin@controller-0 wad(keystone_admin)]$ 

Looking for help in next steps of debugging what is wrong with my setup.

any help would be appreciated,

thanks,

Greg.

DETAILS OF MY SETUP

---------------------------------

I have a working Windows Active Directory setup ... I have tested doing user logins under its domain with a separate windows client machine.  So that is working.

I am following the DEX instructions at: 

    https://github.com/dexidp/dex/blob/master/Documentation/connectors/kubelogin-activedirectory.md 

         i.e. Integration kubelogin and Active Directory

    AND

    https://github.com/dexidp/dex/blob/master/Documentation/kubernetes.md

         i.e. Kubernetes authentication through dex

... i.e. as want to run dex under kubernetes.

I generated the certs for dex with https://github.com/dexidp/dex/blob/master/examples/k8s/gencert.sh ... updating the alt names for my deployment.

Restarted my kube-apiserver with the following arguments:

--oidc-issuer-url=https://yow-gwaines-d1.corp.ad.wrs.com:32000 

--oidc-client-id=kubernetes 

--oidc-ca-file=/etc/ssl/certs/dex-ca.pem 

--oidc-username-claim=email 

--oidc-groups-claim=group

NOTE: the dns name resolves in my environment.

yow-gwaines-d1.corp.ad.wrs.com is my kubernetes cluster where I will run dex

I used the dex.yaml file to launch dex in container ... changing the config map to have:

    issuer: https://yow-gwaines-d1.corp.ad.wrs.com:32000/dex

    storage:

      type: kubernetes

      config:

        inCluster: true

    web:

      https: 0.0.0.0:32000

      tlsCert: /etc/dex/tls/tls.crt

      tlsKey: /etc/dex/tls/tls.key

    connectors:

    - type: ldap

      name: OpenLDAP

      id: ldap

      config:

        host: ad.cumulus.wrs.com:636

        # No TLS for this setup.

        insecureNoSSL: false

        insecureSkipVerify: true

        # This would normally be a read-only user.

        bindDN: cn=Administrator,cn=users,dc=corp,dc=cumulus,dc=wrs,dc=com

        bindPW: St8rlingX*

        usernamePrompt: Email Address

    

        userSearch:

          baseDN: cn=Users,dc=corp,dc=cumulus,dc=wrs,dc=com

          filter: "(objectClass=person)"

          username: userPrincipalName

          # "DN" (case sensitive) is a special attribute name. It indicates that

          # this value should be taken from the entity's DN not an attribute on

          # the entity.

          idAttr: DN

          emailAttr: userPrincipalName

          nameAttr: cn

    

        groupSearch:

          baseDN: cn=Users,dc=corp,dc=cumulus,dc=wrs,dc=com

          filter: "(objectClass=group)"

    

          # A user is a member of a group when their DN matches

          # the value of a "member" attribute on the group entity.

          userAttr: DN

          groupAttr: member

    

          # The group name should be the "cn" value.

          nameAttr: cn

    

    staticClients:

    - id: kubernetes

      redirectURIs:

      - 'http://localhost:8000'

      name: 'Kubernetes'

      secret: ZXhhbXBsZS1hcHAtc2VjcmV0

 

 

NOTE: the dns names all resolve in my environment.

ad.cumulus.wrs.com is my windows active directory server ... it's root domain is corp.cumulus.wrs.com

yow-gwaines-d1.corp.ad.wrs.com is my kubernetes cluster

I updated my kubectl config file with:

kubectl config set-context oidc-ctx --cluster=kubernetes --user=test

kubectl config set-credentials test   \

--auth-provider=oidc   \ 

--auth-provider-arg=idp-issuer-url=https://yow-gwaines-d1.corp.ad.wrs.com:32000/dex   \ 

--auth-provider-arg=client-id=kubernetes   \ 

--auth-provider-arg=client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0   \ 

--auth-provider-arg=idp-certificate-authority-data=$(base64 -w 0 ../k8s/ssl/dex-ca.pem)  \ 

--auth-provider-arg=extra-scopes="offline_access openid profile email groups"

I grabbed kubelogin from here: https://github.com/int128/kubelogin/releases

[Greg Waines]

Any thoughts on this ?

Now trying to simplify things and just see if I can get DEX connector to talk to my Windows Active Directory.

Running DEX uncontainerized just on an ubuntu host.

Running example-app on same ubuntu host.

Using this connector setup to my Windows Active Directory Setup:

connectors:

- type: ldap

  name: OpenLDAP

  id: ldap

  config:

    host: ad.cumulus.wrs.com:389

    # No TLS for this setup.

    insecureNoSSL: true

    insecureSkipVerify: true

    # This would normally be a read-only user.

    bindDN: cn=Administrator,cn=Users,dc=corp,dc=cumulus,dc=wrs,dc=com

    bindPW: St8rlingX*

    usernamePrompt: Email Address

    userSearch:

      baseDN: cn=Users,dc=corp,dc=cumulus,dc=wrs,dc=com

      filter: "(objectClass=user)"

      username: sAMAccountName

      idAttr: sAMAccountName

      emailAttr: sAMAccountName

      nameAttr: displayName

AND DEX seems to be able to send and receive messages from my windows active directory server:

e.g.

gwaines@gwaines-VirtualBox:~/go/src/github.com/dexidp/dex$ ./bin/dex serve examples/config-wad.yaml 

time="2019-07-19T15:00:14Z" level=info msg="config issuer: http://127.0.0.1:5556/dex" 

time="2019-07-19T15:00:14Z" level=info msg="config storage: sqlite3" 

time="2019-07-19T15:00:14Z" level=info msg="config static client: Example App" 

time="2019-07-19T15:00:14Z" level=info msg="config connector: ldap" 

time="2019-07-19T15:00:14Z" level=info msg="listening (http) on 0.0.0.0:5556" 

time="2019-07-19T15:00:48Z" level=info msg="performing ldap search cn=Users,dc=corp,dc=cumulus,dc=wrs,dc=com sub (&(objectClass=user)(sAMAccountName=ka...@corp.cumulus.wrs.com))" 

time="2019-07-19T15:00:48Z" level=error msg="ldap: no results returned for filter: \"(&(objectClass=user)(sAMAccountName=ka...@corp.cumulus.wrs.com))\"" 

... but not getting any results back from search.

And I do have a kawhi user defined in my windows active directory server:

e.g.

Any ideas ?

Greg.

[Greg Waines]

By using 'ldapsearch', was able to get the following dex ldap connector setup to work:

connectors:

- type: ldap

  name: OpenLDAP

  id: ldap

  config:

    host: ad.cumulus.wrs.com:389

    # No TLS for this setup.

    insecureNoSSL: true

    insecureSkipVerify: true

    # This would normally be a read-only user.

    bindDN: cn=Administrator,cn=Users,dc=corp,dc=cumulus,dc=wrs,dc=com

    bindPW: St8rlingX*

    usernamePrompt: Username

    userSearch:

      baseDN: ou=Users,ou=Titanium,dc=corp,dc=cumulus,dc=wrs,dc=com

      filter: "(objectClass=user)"

      username: sAMAccountName

      idAttr: sAMAccountName

      emailAttr: sAMAccountName

      nameAttr: displayName

GReg.

On Thursday, July 18, 2019 at 9:44:22 AM UTC-4, Greg Waines wrote: