On Mon, Jan 27, 2025 at 02:10:41PM +0100, Rob Verduijn via FreeIPA-users wrote:
> Hi,
>
> Anybody who has an example of the argocd dex configuration that uses ipa as
> an external authentication provider ?

I'm using the following snippet to authenticate directly in FreeIPA's LDAP:
#v+
connectors:
- type: ldap
  id: pbrk-freeipa
  name: PBRK FreeIPA
  config:
    host: kaitain.pipebreaker.pl
    startTLS: false
    insecureNoSSL: true
    bindDN: uid=svc-argodex,cn=sysaccounts,cn=etc,dc=pipebreaker,dc=pl
    bindPW: $dex.ldap.pbrk-freeipa.bindPW
    usernamePrompt: PBRK username
    userSearch:
      baseDN: cn=users,cn=accounts,dc=pipebreaker,dc=pl
      username: uid
      idAttr: uid
      emailAttr: mail
      # on FreeIPA, cn equals Full Name
      nameAttr: cn
      #nameAttr: givenName
    # see https://github.com/dexidp/dex/issues/1873 if you want to mess with groups
    groupSearch:
      baseDN: cn=groups,dc=pipebreaker,dc=pl
      filter: "(objectClass=group)"
      userMatchers:
      - userAttr: uid
        groupAttr: member
      nameAttr: name
#v-
You would need to create a system user in LDAP (`bindDN` in the snippet above).
Also, the mapping is more verbose than needed, as I have a few more
services authenticating with DEX (Grafana, Headlamp, kube-ops-view etc.)
--
Tomasz Torcz Once you’ve read the dictionary,
@ttorcz:pipebreaker.pl every other book is just a remix.
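
Added example (not part of the original message): the same connector with the LDAP transport moved from plaintext to LDAPS, because `insecureNoSSL: true` together with `startTLS: false` sends the service account's bind password and every user's login password to port 389 unencrypted. The `rootCA` path is an assumption standing for wherever the FreeIPA CA certificate is mounted in the Dex container; the other values are copied from the snippet above.

```yaml
connectors:
- type: ldap
  id: pbrk-freeipa
  name: PBRK FreeIPA
  config:
    # No port given: Dex picks 636 (LDAPS) when insecureNoSSL and
    # startTLS are both false, and 389 otherwise.
    host: kaitain.pipebreaker.pl
    insecureNoSSL: false
    # Alternative: keep port 389 and set startTLS: true to upgrade the
    # connection before any bind is sent.
    startTLS: false
    # Keep certificate verification on; turning it off removes the
    # protection against a man-in-the-middle on the LDAP connection.
    insecureSkipVerify: false
    # ASSUMED path. Mount the FreeIPA CA certificate (on an enrolled
    # host it is /etc/ipa/ca.crt) into the Dex container at this location.
    rootCA: /etc/dex/ldap-ca/ca.crt
    bindDN: uid=svc-argodex,cn=sysaccounts,cn=etc,dc=pipebreaker,dc=pl
    # Argo CD replaces $-prefixed values in dex.config with the key of
    # the same name from the argocd-secret Secret, so the password
    # itself never sits in the ConfigMap.
    bindPW: $dex.ldap.pbrk-freeipa.bindPW
    usernamePrompt: PBRK username
    userSearch:
      baseDN: cn=users,cn=accounts,dc=pipebreaker,dc=pl
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: cn
    # groupSearch from the original message carries over unchanged.
```

A failed TLS handshake after this change usually means the CA file is not the one that issued the LDAP server certificate, or that `host` does not match a name in that certificate.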