In this article, we describe issues frequently encountered when configuring the Dex LDAP connector in DKP. Unless otherwise stated, all the logged events we are referring to in this document are from dex-xxxx-yyy pods and can be collected with the kubectl command:
kubectl logs deployment/dex -n kommander --follow
Missing a required attribute
As the Dex LDAP connector requires user entries to have an email attribute when the LDAP user does not contain the email attribute, the following event is logged when the user attempts to log in:
time="2021-01-25T20:46:31Z" level=error msg="Failed to login user: ldap: entry \"cn=user1,cn=konvoy_users,dc=mydomain,dc=com\" missing following required attribute(s): [\"mail\"]"
In this case, the LDAP server administrator has to configure the email attribute for the user.
Network errors
When the LDAP service is not running, a connection refused error is returned as can be seen in the following event:
time="2021-01-25T22:51:10Z" level=error msg="Failed to login user: failed to connect: LDAP Result Code 200 \"Network Error\": dial tcp 192.168.2.17:389: connect: connection refused"
If the Dex LDAP connector cannot connect with the LDAP service due to a firewall blocking the traffic, the following event is logged:
time="2021-02-25T16:22:00Z" level=error msg="Failed to login user: failed to connect: LDAP Result Code 200 \"Network Error\": dial tcp 192.168.2.17:389: connect: no route to host"
Users/Groups search filter returned no results
This is the most frequent issue encountered. It happens when there is no user that matches the search filter definition. In this case, the filter should be redefined according to the LDAP structure.
time="2024-02-14T16:44:38Z" level=info msg="performing ldap search dc=example,dc=com sub (&(objectClass=inetOrgPerson)(uid=nobody))"
time="2024-02-14T16:44:38Z" level=error msg="ldap: no results returned for filter: \"(&(objectClass=inetOrgPerson)(uid=nobody))\""
The ldapsearch command is very useful when reviewing the structure of the LDAP directory and configuring the search filters:
ldapsearch -x -W -D "cn=read-only-admin,dc=example,dc=com" -b "dc=example,dc=com" -H ldap://ldap.forumsys.com:389
Invalid credentials
The following event is logged when the LDAP binding user or its password does not match the credentials in the LDAP server:
time="2021-02-24T00:34:16Z" level=error msg="Failed to login user: ldap: initial bind for user "uid=,ou=Users,o=,dc=jumpcloud,dc=com\" failed: LDAP Result Code 49 \"Invalid Credentials\": "
The LDAP binding user credentials are defined with the parameters:
bindDN: cn=read-only-admin,dc=example,dc=com bindSecretRef: name: ldap-password
Internal Server Error
When the Dex LDAP connector is configured to connect with the LDAP service using TLS (spec.ldap.host: ), a trusted root certificate must be specified with the rootCA parameter, as described in this article.
If the location of the root certificate is not specified correctly, or the root certificate referred is not trusted (i.e, self-signed certificate), the following event is logged:
time="2021-02-20T00:34:51Z" level=error msg="Failed to login user: failed to connect: LDAP Result Code 200 \"Network Error\": x509: certificate signed by unknown authority"
In this case, the user can verify whether the CA certificate specified in the connector definition file is the correct CA that signed the LDAP server certificate.
openssl s_client -connect ldap.forumsys.com:389 -showcerts
Inspecting the configuration when you cannot access the UI
If you are having troubles logging in to access the UI, but still have kubectl access, you can inspect the dex connector configuration by using the following command:
kubectl get connectors.dex.mesosphere.io -n kommander -oyaml