K
Q

Mandate Group Search Condition in Dex LDAP Coonector

10/7/2019

I am using Dex as our Identity provider and connecting it to LDAP. Below is my ldap config in Dex:

connectors:
- type: ldap
 id: ldap
 name: LDAP
 config:
   host: myhost.staging.com:636
   insecureNoSSL: false
   insecureSkipVerify: false
   bindDN: cn=prometheus-proxy,ou=serviceaccounts,dc=staging,dc=comp,dc=com
   bindPW: 'prometheus'
   rootCA: /etc/dex/ldap/ca-bundle.pem
   userSearch:
     baseDN: ou=people,dc=staging,dc=comp,dc=com
     filter: "(objectClass=person)"
     username: uid
     idAttr: uid
     emailAttr: mail
     nameAttr: uid
   groupSearch:
     baseDN: ou=appgroups,dc=staging,dc=comp,dc=com
     filter: "(objectClass=groupOfMembers)"
     userAttr: DN
     groupAttr: member
     nameAttr: cn

And below is a sample userSearch & groupSearch Result:

dn: uid=swedas01,ou=people,dc=staging,dc=comp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Sweta Das
gecos: Sweta Das
gidNumber: 50000
givenName: Sweta
mail: Sweta.Das@comp.com
sn: Das
uid: swedas01
memberOf: cn=jenkins,ou=appgroups,dc=staging,dc=comp,dc=com
homeDirectory: /home/swedas01

dn: cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com
objectClass: top
objectClass: groupOfMembers
cn: prometheus
member: uid=testl01,ou=people,dc=staging,dc=comp,dc=com

When I login to my Prometheus instance which uses the above config, even though my userID is not part of the Group that is being used ie Prometheus, I am still able to login.

Dex logs shows there is no groups associated with my id.

time="2019-10-07T19:05:48Z" level=info msg="performing ldap search ou=people,dc=staging,dc=comp,dc=com sub (&(objectClass=person)(uid=swedas01))"
time="2019-10-07T19:05:48Z" level=info msg="username \"swedas01\" mapped to entry uid=swedas01,ou=people,dc=staging,dc=comp,dc=com"
time="2019-10-07T19:05:48Z" level=info msg="performing ldap search cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com sub (&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))"
time="2019-10-07T19:05:48Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))\" returned no groups"
time="2019-10-07T19:05:48Z" level=info msg="login successful: connector \"ldap\", username=\"swedas01\", email=\"Sweta.Das@comp.com\", groups=[]"

But why is it still allowing me to login? Is there any way I can mandate this setting if group serach returns empty, login should fail?

-- swetad90
kubernetes
openid-connect
openid-dex
openldap

Similar Questions

How do I use openshift/client-go with Kubernetes fake unit test?
How grpc-health-probe (gRPC health checking on Kubernetes) differentiates between liveness and readiness probes
Do not allow two pods of the same application on same node in kubernetes
AWS CDK: tagging existing subnets
The etcdserver throws warnings of request 'took to long'
How can i create mutiple nginx ingress controller in kubernetes
Kubernetes Pod AntiAffinity behaviour with Node selector
nginx.ingress.kubernetes.io/rewrite-target can't regex capture url parameters
Custom nginx.conf from ConfigMap in Kubernetes

1 Answer

10/13/2019

I am still not sure if this is the right answer. But as far as I could understood, Dex's group search is just for ldap search. It returns the groups a user is memberof. Once you get the groups back, you can put RBAC policies on those group to control what kind of access you want to give to the user.

However, for tools which do not have any auth methods of its ownn(eg Prometheus), I am still not sure how to implement ldap group auth!

-- swetad90
Source: StackOverflow