<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">The issue was not with Dex. The issue is that gangway by default doesn’t have the group scope included! This should really be added to the default yaml shipped
by SUSE. I can imagine most companies being required to leverage existing ldap groups for RBAC rules in K8s.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I found that this is missing from gangway, and prevents group from even being searched.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Gangway yaml requires:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> scopes: ["openid", "profile", "email", "offline_access",
<b>"groups"</b>]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Once I added the scope line (it wasn’t there by default) with groups, the group search was executed. I was then able to modify dex for our correct search filter.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> usernamePrompt: User Name<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> userSearch:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> baseDN: OU=NGIC,DC=NGIC,DC=COM<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> filter: "(objectClass=person)"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> username: sAMAccountName<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> idAttr: sAMAccountName<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> emailAttr: mail<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> nameAttr: DN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> groupSearch:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> baseDN: OU=NGIC,DC=NGIC,DC=COM<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> filter: "(objectCategory=group)"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> userAttr: DN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> groupAttr: member<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> nameAttr: sAMAccountName<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">Ian Donaldson<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">Unix Systems Administrator<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">Office: 336-435-3983<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">ian.donaldson@NGIC.com<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><img width="200" height="37" style="width:2.0833in;height:.3854in" id="Picture_x0020_1" src="cid:image001.png@01D54D2A.3BD09BF0" alt="cid:image001.png@01CF32FA.7C387000"></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Donaldson, Ian
<br>
<b>Sent:</b> Tuesday, August 6, 2019 11:58 AM<br>
<b>To:</b> 'caasp-beta@lists.suse.com' <caasp-beta@lists.suse.com><br>
<b>Subject:</b> Dex AD group membership not showing<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">How do I get dex to pull down groups for a user? Our company uses Active Directory for ldap, whch I am able to authenticate a user against ok, but I never see any group info in the logs, which we need for tying RBAC to...<br>
<br>
2019-08-01T16:41:02.971260002-04:00 stderr F time="2019-08-01T20:41:02Z" level=info msg="performing ldap search OU=NGIC,DC=NGIC,DC=COM sub (&(objectClass=person)(sAMAccountName=i807154))"<br>
2019-08-01T16:41:02.991102943-04:00 stderr F time="2019-08-01T20:41:02Z" level=info msg="username \"i807154\" mapped to entry CN=Donaldson\, Ian,OU=Permanent,OU=Users,OU=Winston-Salem,OU=Sites,OU=NGIC,DC=NGIC,DC=COM"<br>
2019-08-01T16:41:03.026028235-04:00 stderr F time="2019-08-01T20:41:03Z" level=info msg="login successful: connector \"AD\", username=\"Donaldson, Ian\", email=\"<a href="mailto:Ian.Donaldson@NGIC.COM">Ian.Donaldson@NGIC.COM</a>\", groups=[]"<br>
[CL test] root@plctapconwc001:/var/log/containers #<br>
<br>
Here is my config:<br>
# This is a sample with LDAP as connector.<br>
# Requires a update to fulfill your environment.<br>
connectors:<br>
- type: ldap<br>
id: AD<br>
name: AD<br>
config:<br>
host: <a href="http://adldap.ngic.com:389">adldap.ngic.com:389</a><br>
insecureNoSSL: true<br>
insecureSkipVerify: true<br>
startTLS: true<br>
bindDN: "CN=my bind account"<br>
bindPW: 'password'<br>
usernamePrompt: User Name<br>
userSearch:<br>
baseDN: OU=NGIC,DC=NGIC,DC=COM<br>
filter: "(objectClass=person)"<br>
username: sAMAccountName<br>
#idAttr: DN<br>
#emailAttr: sAMAccountName<br>
#nameAttr: cn<br>
idAttr: DN<br>
emailAttr: mail<br>
nameAttr: cn<br>
groupSearch:<br>
baseDN: OU=NGIC,DC=NGIC,DC=COM<br>
filter: "(objectClass=group)"<br>
#userAttr: distinguishedName<br>
#groupAttr: member<br>
#nameAttr: sAMAccountName<br>
# username: userPrincipalName<br>
userAttr: DN<br>
groupAttr: member<br>
nameAttr: cn<br>
<br>
----------------------------------------------------------------------<br>
Note: Please be aware that unencrypted electronic mail is not secure. For this reason, please do not send any sensitive personal information such
<br>
as your address, driver license, policy number, Social Security Number, or claims information by unencrypted electronic mail. The information
<br>
contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient,
<br>
or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution
<br>
or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying
<br>
to the message and deleting it from your computer. Thank you.<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<HR>Note: Please be aware that unencrypted electronic mail is not secure. For this reason, please do not send any sensitive personal information such <BR>
as your address, driver license, policy number, Social Security Number, or claims information by unencrypted electronic mail. The information <BR>
contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, <BR>
or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution <BR>
or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying <BR>
to the message and deleting it from your computer. Thank you.<BR>
</body>
</html>