[caasp-beta] Dex AD group membership not showing

Donaldson, Ian Ian.Donaldson at NGIC.COM
Wed Aug 7 12:13:08 MDT 2019 

The issue was not with Dex. The issue is that gangway by default doesn't have the group scope included! This should really be added to the default yaml shipped by SUSE. I can imagine most companies being required to leverage existing ldap groups for RBAC rules in K8s.

I found that this is missing from gangway, and prevents group from even being searched.

Gangway yaml requires:
    scopes: ["openid", "profile", "email", "offline_access", "groups"]

Once I added the scope line (it wasn't there by default) with groups, the group search was executed. I was then able to modify dex for our correct search filter.

        usernamePrompt: User Name
        userSearch:
          baseDN:  OU=NGIC,DC=NGIC,DC=COM
          filter: "(objectClass=person)"
          username: sAMAccountName
          idAttr: sAMAccountName
          emailAttr: mail
          nameAttr: DN
        groupSearch:
          baseDN: OU=NGIC,DC=NGIC,DC=COM
          filter: "(objectCategory=group)"
          userAttr: DN
          groupAttr: member
          nameAttr: sAMAccountName




Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com
[cid:image001.png at 01CF32FA.7C387000]


From: Donaldson, Ian
Sent: Tuesday, August 6, 2019 11:58 AM
To: 'caasp-beta at lists.suse.com' <caasp-beta at lists.suse.com>
Subject: Dex AD group membership not showing

How do I get dex to pull down groups for a user? Our company uses Active Directory for ldap, whch I am able to authenticate a user against ok, but I never see any group info in the logs, which we need for tying RBAC to...

2019-08-01T16:41:02.971260002-04:00 stderr F time="2019-08-01T20:41:02Z" level=info msg="performing ldap search OU=NGIC,DC=NGIC,DC=COM sub (&(objectClass=person)(sAMAccountName=i807154))"
2019-08-01T16:41:02.991102943-04:00 stderr F time="2019-08-01T20:41:02Z" level=info msg="username \"i807154\" mapped to entry CN=Donaldson\, Ian,OU=Permanent,OU=Users,OU=Winston-Salem,OU=Sites,OU=NGIC,DC=NGIC,DC=COM"
2019-08-01T16:41:03.026028235-04:00 stderr F time="2019-08-01T20:41:03Z" level=info msg="login successful: connector \"AD\", username=\"Donaldson, Ian\", email=\"Ian.Donaldson at NGIC.COM<mailto:Ian.Donaldson at NGIC.COM>\", groups=[]"
[CL test] root at plctapconwc001:/var/log/containers #

Here is my config:
  # This is a sample with LDAP as connector.
   # Requires a update to fulfill your environment.
   connectors:
   - type: ldap
     id: AD
     name: AD
     config:
       host: adldap.ngic.com:389<http://adldap.ngic.com:389>
       insecureNoSSL: true
       insecureSkipVerify: true
       startTLS: true
       bindDN: "CN=my bind account"
       bindPW: 'password'
       usernamePrompt: User Name
       userSearch:
         baseDN:  OU=NGIC,DC=NGIC,DC=COM
         filter: "(objectClass=person)"
         username: sAMAccountName
         #idAttr: DN
         #emailAttr: sAMAccountName
         #nameAttr: cn
         idAttr: DN
         emailAttr: mail
         nameAttr: cn
       groupSearch:
         baseDN: OU=NGIC,DC=NGIC,DC=COM
         filter: "(objectClass=group)"
         #userAttr: distinguishedName
         #groupAttr: member
         #nameAttr: sAMAccountName
         #      username: userPrincipalName
         userAttr: DN
         groupAttr: member
         nameAttr: cn

----------------------------------------------------------------------
Note:  Please be aware that unencrypted electronic mail is not secure. For this reason, please do not send any sensitive personal information such
as your address, driver license, policy number, Social Security Number, or claims information by unencrypted electronic mail. The information
contained in this message may be privileged and confidential and protected from disclosure.  If the reader of this message is not the intended recipient,
or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution
or copying of this communication is strictly prohibited.  If you have received this communication in error, please notify us immediately by replying
to the message and deleting it from your computer.  Thank you.

----------------------------------------------------------------------
Note:  Please be aware that unencrypted electronic mail is not secure. For this reason, please do not send any sensitive personal information such 
as your address, driver license, policy number, Social Security Number, or claims information by unencrypted electronic mail. The information 
contained in this message may be privileged and confidential and protected from disclosure.  If the reader of this message is not the intended recipient, 
or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution 
or copying of this communication is strictly prohibited.  If you have received this communication in error, please notify us immediately by replying 
to the message and deleting it from your computer.  Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20190807/b2bc652e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 2857 bytes
Desc: image001.png
URL: <http://lists.suse.com/pipermail/caasp-beta/attachments/20190807/b2bc652e/attachment.png>

More information about the caasp-beta mailing list