
Dex(idp) instead of KeyCloak for (in this case) LDAP/AD #5196

Open
einhirn opened this issue May 22, 2023 · 0 comments
Comments

@einhirn
Contributor

einhirn commented May 22, 2023

LDAP auth in GLv3 using Dex on a host combining Scalelite Loadbalancer and Greenlight.

Mentioning #4817 for those who think "goauthentiq" is perhaps a little too hard...

For LDAP details look at https://dexidp.io/docs/connectors/ldap/
For Database/Storage-Stuff look at https://dexidp.io/docs/storage/

Dex-Config without the secrets as a pointer:

Config-files

Dex-Config

```yaml
issuer: https://<external_url>/dex

storage:
  type: postgres
  config:
    host: <docker service name>
    port: 5432
    database: dex_db
    user: postgres
    password: <use same PW as for Greenlight?>
    ssl:
      mode: disable # Local connection only

web:
  http: 0.0.0.0:5556

connectors:
- type: ldap
  name: OpenLDAP
  id: ldap
  config:
    # The following configurations seem to work with OpenLDAP:
    #
    # 3) LDAPS with certificate validation:
    host: <LDAP HOST>:636
    insecureNoSSL: false
    insecureSkipVerify: false
    #rootCAData: 'CERT'
    # ...where CERT="$( base64 -w 0 your-cert.pem )"
    # alternatively mount /etc/ssl/certs/ca-certificates.crt into the container and point to it with
    # rootCA: /etc/dex/ldap.ca
    # (YAML does not allow tab indentation; the two lines above are indented with spaces)

    # This would normally be a read-only user.
    bindDN: <...>
    bindPW: <...>

    # i18n!
    usernamePrompt: Benutzerkennung

    userSearch:
      baseDN: ou=people,dc=example,dc=com
      filter: "(&(objectClass=person))"
      username: uid
      # "DN" (case sensitive) indicates that this value should be the entity's DN
      idAttr: uid
      emailAttr: mail
      nameAttr: cn

staticClients:
- id: greenlight-v3
  redirectURIs:
  - 'https://<Greenlight external URL>/auth/openid_connect/callback'
  name: 'Greenlight v3'
  secret: <Same as in GLv3 env>
```

Greenlight-Environment

```shell
#...
### EXTERNAL AUTHENTICATION METHODS
#
# Same as in Dex-Config:
OPENID_CONNECT_CLIENT_ID=greenlight-v3
OPENID_CONNECT_CLIENT_SECRET=<same as in Dex Config>
OPENID_CONNECT_ISSUER=https://<external_url>/dex
OPENID_CONNECT_REDIRECT=https://<Greenlight external URL>
#...
```

Docker-compose section for dex

```yaml
  dex:
    image: dexidp/dex:v2.36.0
    container_name: dex
    volumes:
      - /opt/dex/config-ldap.yaml:/etc/dex/config.docker.yaml
    # perhaps use host's CA-Certificates
    #  - /etc/ssl/certs/ca-certificates.crt:/etc/dex/ldap.ca
```

The above uses the same postgres as GLv3, you just need to create a DB for Dex:

```sql
create database dex_db;
grant all privileges on database dex_db to postgres;
```

If you need to migrate users from GLv2, you need to update the "External ID" field in the Database. This query works for Dex's ldap Connector and external_ids <127 characters. With GLv2 and LDAP the "external ID" field will be the LDAP object's DN by default. But you can modify migrations.rake to change it to e.g. the user ID as configured above with idAttr: uid.

```sql
-- Builds Dex's "sub" value: protobuf IDTokenSubject{user_id = external_id, conn_id = 'ldap'},
-- i.e. tag 0x0A, length byte, user_id, tag 0x12, length 4, 'ldap', in unpadded URL-safe base64.
-- PostgreSQL's encode(..., 'base64') wraps lines every 76 characters and uses '+' and '/',
-- so the newlines are removed and '+' '/' are translated to '-' '_' to match Dex's encoding.
update users set external_id = rtrim(
  translate(
    replace(
      encode((chr(10) || chr(length(external_id)) || external_id
              || chr(18) || chr(4) || 'ldap')::bytea, 'base64'),
      E'\n', ''),
    '+/', '-_'),
  '=');
```

Perhaps this can also be done directly with migrations.rake...

If you want to check your generated external IDs, this helps https://protobuf-decoder.netlify.app/. The result should conform to this Proto:

```protobuf
message IDTokenSubject {
  string user_id = 1;
  string conn_id = 2;
}
```
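Added example, not part of the comment above and not Dex's own code: a small Python encoder and decoder for the IDTokenSubject format that the migration query produces, so that migrated `external_id` values can be generated or checked offline instead of pasting them into a web decoder. It implements the general protobuf length varint, so unlike the single-byte `chr(length(external_id))` in the SQL query it also handles identifiers of 128 bytes or more and non-ASCII identifiers (protobuf lengths are UTF-8 octet counts, not character counts). It assumes, as described in the comment, that Dex's subject is this protobuf message in unpadded URL-safe base64; the identifiers used in the checks are constructed.

```python
import base64


def _varint(n: int) -> bytes:
    """Encode a non-negative integer as a protobuf base-128 varint."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)  # continuation bit: more bytes follow
        else:
            out.append(byte)
            return bytes(out)


def _string_field(number: int, value: str) -> bytes:
    """Serialize one length-delimited (wire type 2) string field."""
    data = value.encode("utf-8")
    tag = (number << 3) | 2
    return _varint(tag) + _varint(len(data)) + data


def dex_subject(user_id: str, conn_id: str) -> str:
    """Build the subject string: IDTokenSubject{user_id=1, conn_id=2}, unpadded URL-safe base64."""
    raw = _string_field(1, user_id) + _string_field(2, conn_id)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _read_varint(buf: bytes, pos: int) -> tuple:
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def parse_dex_subject(sub: str) -> dict:
    """Decode a subject string back into {"user_id": ..., "conn_id": ...}."""
    padded = sub + "=" * (-len(sub) % 4)  # restore the padding Dex strips
    buf = base64.urlsafe_b64decode(padded)
    fields = {}
    pos = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 0x07
        if wire_type != 2:
            raise ValueError(f"unexpected wire type {wire_type} for field {number}")
        length, pos = _read_varint(buf, pos)
        fields[number] = buf[pos:pos + length].decode("utf-8")
        pos += length
    return {"user_id": fields.get(1, ""), "conn_id": fields.get(2, "")}


def single_byte_length_ok(user_id: str) -> bool:
    """True when the SQL query's one-byte chr(length) trick is valid: UTF-8 length below 128
    and no multi-byte characters (length() counts characters, protobuf needs octets)."""
    data = user_id.encode("utf-8")
    return len(data) < 128 and len(data) == len(user_id)


if __name__ == "__main__":
    # Constructed sample DN, as a GLv2 LDAP external_id would look
    dn = "uid=jdoe,ou=people,dc=example,dc=com"
    sub = dex_subject(dn, "ldap")
    print(sub)
    print(parse_dex_subject(sub))
    print("SQL single-byte length ok:", single_byte_length_ok(dn))
```

Round-tripping an `external_id` through `parse_dex_subject` shows exactly which `user_id` and `conn_id` Dex will see, so a mismatch between the migrated value and what the configured `idAttr` produces is visible before users try to log in.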
@einhirn einhirn changed the title Dex(idp) as alternative OpenID-Connect-Provider (in this case LDAP) Dex(idp) instead of KeyCloak for (in this case) LDAP May 24, 2023
@einhirn einhirn changed the title Dex(idp) instead of KeyCloak for (in this case) LDAP Dex(idp) instead of KeyCloak for (in this case) LDAP/AD May 24, 2023