Oops, typo... that's base64, not base63 of course.

On Tue 28 Jan 2025 at 22:26, Rob Verduijn <[email protected]> wrote:
> Thanx...
>
> I slightly modified it and it worked like a charm (hope the indentation
> doesn't fubar too much)
>
> Cheers
> Rob
>
> Here is the config that works for me.
>
> dex.config: |
>   connectors:
>   - type: ldap
>     name: iesprd-ipa-1
>     id: ldap
>     config:
>       # Ldap server address
>       host: ipa.example.com:636
>       insecureNoSSL: false
>       insecureSkipVerify: true
>       rootCAData: <base63 encoded content of the ca.crt pem file>
>       # Variable name stores ldap bindDN in argocd-secret
>       bindDN: "uid=reader,cn=sysaccounts,cn=etc,dc=example,dc=com"
>       # Variable name stores ldap bind password in argocd-secret
>       bindPW: $user-idp-bind-password:bindPassword
>       usernamePrompt: Username
>       # Ldap user search attributes
>       userSearch:
>         # Would translate to the query "(&(objectClass=posixAccount)(uid=<username>))".
>         baseDN: "cn=users,cn=accounts,dc=example,dc=com"
>         filter: "(objectClass=posixAccount)"
>         username: uid
>         idAttr: uid
>         # Required. Attribute to map to Email.
>         emailAttr: mail
>         # Entity attribute to map to display name of users.
>       # Ldap group search attributes
>       groupSearch:
>         baseDN: "cn=groups,cn=accounts,dc=example,dc=com"
>         filter: "(objectClass=group)"
>         userMatchers:
>         - userAttr: uid
>           groupAttr: member
>         nameAttr: name
>
>
> On Mon 27 Jan 2025 at 15:28, Tomasz Torcz via FreeIPA-users <[email protected]> wrote:
>
>> On Mon, Jan 27, 2025 at 02:10:41PM +0100, Rob Verduijn via FreeIPA-users wrote:
>> > Hi,
>> >
>> > Anybody who has an example of the argocd dex configuration that uses ipa as
>> > an external authentication provider ?
>>
>> I'm using the following snippet to authenticate directly in FreeIPA's LDAP:
>>
>> #v+
>> connectors:
>> - type: ldap
>>   id: pbrk-freeipa
>>   name: PBRK FreeIPA
>>   config:
>>     host: kaitain.pipebreaker.pl
>>     startTLS: false
>>     insecureNoSSL: true
>>     bindDN: uid=svc-argodex,cn=sysaccounts,cn=etc,dc=pipebreaker,dc=pl
>>     bindPW: $dex.ldap.pbrk-freeipa.bindPW
>>     usernamePrompt: PBRK username
>>     userSearch:
>>       baseDN: cn=users,cn=accounts,dc=pipebreaker,dc=pl
>>       username: uid
>>       idAttr: uid
>>       emailAttr: mail
>>       # on FreeIPA, cn equals Full Name
>>       nameAttr: cn
>>       #nameAttr: givenName
>>     # see https://github.com/dexidp/dex/issues/1873 if you want to
>>     # mess with groups
>>     groupSearch:
>>       baseDN: cn=groups,dc=pipebreaker,dc=pl
>>       filter: "(objectClass=group)"
>>       userMatchers:
>>       - userAttr: uid
>>         groupAttr: member
>>       nameAttr: name
>> #v-
>>
>> You would need to create a system user in LDAP (`bindDN` in the snippet
>> above.)
>> Also the mapping is more verbose than needed, as I have a few more
>> services authenticating with DEX (Grafana, Headlamp, kube-ops-view etc.)
>>
>> --
>> Tomasz Torcz                 Once you’ve read the dictionary,
>> @ttorcz:pipebreaker.pl       every other book is just a remix.
>>
>> --
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
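Both snippets in this thread authenticate against FreeIPA's LDAP, and both carry settings worth checking before they reach an argocd-cm: the first pairs `insecureSkipVerify: true` with a `rootCAData` value (with verification disabled the CA is never consulted, so pinning the IPA CA does nothing), the second uses `insecureNoSSL: true` (the service-account bind and every user's password travel as cleartext LDAP), and both use Active Directory's `objectClass=group` with a `uid`-to-`member` matcher, which on FreeIPA matches no group because IPA groups carry `ipausergroup`/`groupofnames` and `member` holds full DNs (dex's matcher value for that case is the special `DN`). The audit script below is an added example for this thread, not code from either poster, dex or ArgoCD. It is stdlib-only; the two connector mappings are hand-transcribed from the posted YAML (userSearch omitted, it is not audited), the PEM is a constructed stand-in for /etc/ipa/ca.crt rather than a real certificate, and `rootCAData` is taken to be the base64 of the whole PEM file as the dex connector documentation describes it. `hardened()` returns the corrected form of each connector so the weak and fixed settings can be compared side by side.

```python
import base64
import copy
import re

# Constructed stand-in for /etc/ipa/ca.crt: arbitrary base64 body, NOT a real
# certificate; only the PEM framing matters for this example.
FAKE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
               "MIIBCgKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGBqNyW2XqR+G1lDR8c0p4xyabcd\n"
               "-----END CERTIFICATE-----\n")

# The two posted connectors, transcribed into the mapping dex sees after YAML
# parsing (userSearch left out, it is not audited here).
ROB_CONNECTOR = {
    "type": "ldap", "id": "ldap", "name": "iesprd-ipa-1",
    "config": {
        "host": "ipa.example.com:636",
        "insecureNoSSL": False, "insecureSkipVerify": True,
        "rootCAData": "<base63 encoded content of the ca.crt pem file>",
        "bindDN": "uid=reader,cn=sysaccounts,cn=etc,dc=example,dc=com",
        "bindPW": "$user-idp-bind-password:bindPassword",
        "groupSearch": {"baseDN": "cn=groups,cn=accounts,dc=example,dc=com",
                        "filter": "(objectClass=group)",
                        "userMatchers": [{"userAttr": "uid", "groupAttr": "member"}]}}}
TOMASZ_CONNECTOR = {
    "type": "ldap", "id": "pbrk-freeipa", "name": "PBRK FreeIPA",
    "config": {
        "host": "kaitain.pipebreaker.pl", "startTLS": False, "insecureNoSSL": True,
        "bindDN": "uid=svc-argodex,cn=sysaccounts,cn=etc,dc=pipebreaker,dc=pl",
        "bindPW": "$dex.ldap.pbrk-freeipa.bindPW",
        "groupSearch": {"baseDN": "cn=groups,dc=pipebreaker,dc=pl",
                        "filter": "(objectClass=group)",
                        "userMatchers": [{"userAttr": "uid", "groupAttr": "member"}]}}}

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_certificates(pem_text):
    """DER bytes of every certificate in a PEM bundle (strict base64, whitespace stripped)."""
    return [base64.b64decode("".join(b.split()), validate=True) for b in PEM_BLOCK.findall(pem_text)]


def root_ca_data_from_pem(pem_text):
    """rootCAData is the base64 of the whole PEM file, i.e. what `base64 -w0 ca.crt` prints."""
    if not pem_certificates(pem_text):
        raise ValueError("no CERTIFICATE block in PEM input")
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def root_ca_data_is_valid(value):
    """True when value base64-decodes to a PEM bundle holding at least one certificate."""
    try:
        return len(pem_certificates(base64.b64decode(value, validate=True).decode("ascii"))) > 0
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return False


def audit_connector(conn):
    """(code, message) findings for the settings that bite with FreeIPA behind dex."""
    cfg, out = conn["config"], []
    if cfg.get("insecureNoSSL"):
        out.append(("no-ssl", "bind password and every user password cross the wire in cleartext LDAP"))
    if cfg.get("insecureSkipVerify"):
        out.append(("skip-verify", "certificate checks are off, so rootCAData is never consulted and "
                    "anything on the path can impersonate the LDAPS server"))
    elif not cfg.get("insecureNoSSL") and not (cfg.get("rootCA") or cfg.get("rootCAData")):
        out.append(("no-root-ca", "verified TLS without the FreeIPA CA: trust falls back to the "
                    "container's system store, which rarely holds it"))
    if "rootCAData" in cfg and not root_ca_data_is_valid(cfg["rootCAData"]):
        out.append(("root-ca-data", "rootCAData is not the base64 of a PEM certificate file"))
    if not str(cfg.get("bindPW", "")).startswith("$"):
        out.append(("literal-bind-pw", "bindPW is inline; use an ArgoCD $secret:key reference"))
    gs = cfg.get("groupSearch") or {}
    if gs.get("filter", "").lower() == "(objectclass=group)":
        out.append(("group-filter", "objectClass group is Active Directory's; FreeIPA groups are "
                    "ipausergroup/groupofnames, so no group ever matches"))
    for m in gs.get("userMatchers", []):
        if m.get("groupAttr") == "member" and m.get("userAttr", "").upper() != "DN":
            out.append(("user-matcher", "member holds full DNs, so userAttr must be dex's "
                        "special value DN rather than uid"))
    return out


def hardened(conn, ca_pem):
    """Copy of conn with every finding above fixed: LDAPS on 636 with the IPA CA pinned,
    FreeIPA group class, DN-based membership matching."""
    out = copy.deepcopy(conn)
    cfg = out["config"]
    cfg["host"] = cfg["host"].rsplit(":", 1)[0] + ":636"   # assumes a hostname, not a bare IPv6
    cfg.pop("startTLS", None)
    cfg["insecureNoSSL"] = cfg["insecureSkipVerify"] = False
    cfg["rootCAData"] = root_ca_data_from_pem(ca_pem)
    gs = cfg.get("groupSearch")
    if gs:
        gs["filter"] = "(objectClass=ipausergroup)"
        for m in gs.get("userMatchers", []):
            if m.get("groupAttr") == "member":
                m["userAttr"] = "DN"
    return out


if __name__ == "__main__":
    for conn in (ROB_CONNECTOR, TOMASZ_CONNECTOR):
        print(conn["name"], [code for code, _ in audit_connector(conn)],
              "-> after hardening:", audit_connector(hardened(conn, FAKE_CA_PEM)))
```

On a real deployment the `rootCAData` value is produced the same way `root_ca_data_from_pem` does it, `base64 -w0 /etc/ipa/ca.crt` on an enrolled host, and the bind password stays in a Secret referenced through ArgoCD's `$name:key` syntax exactly as both posters already do; the script only flags an inline literal. The `(objectClass=ipausergroup)` filter and `userAttr: DN` are what make `groupSearch` return IPA group names rather than silently returning nothing.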
