In this article, we describe issues frequently encountered when configuring the Dex LDAP connector in Konvoy. Unless otherwise stated, all the logged events we are referring to in this document are from dex-kubeaddons-xxxx-yyy pods and can be collected with the kubectl command:
kubectl logs dex-kubeaddons-xxxxx-yyyy -n kubeaddons --follow
Missing a required attribute
The Dex LDAP connector requires every user entry to have an email attribute. When the LDAP user entry does not contain the email attribute, the following event is logged when the user attempts to log in:
time="2021-01-25T20:46:31Z" level=error msg="Failed to login user: ldap: entry \"cn=user1,cn=konvoy_users,dc=mydomain,dc=com\" missing following required attribute(s): [\"mail\"]"
In this case, the LDAP server administrator has to configure the email attribute for the user.
Network errors
When the LDAP service is not running, a connection refused error is returned as can be seen in the following event:
time="2021-01-25T22:51:10Z" level=error msg="Failed to login user: failed to connect: LDAP Result Code 200 \"Network Error\": dial tcp 192.168.2.17:389: connect: connection refused"
If the Dex LDAP connector cannot connect with the LDAP service due to a firewall blocking the traffic, the following event is logged:
time="2021-02-25T16:22:00Z" level=error msg="Failed to login user: failed to connect: LDAP Result Code 200 \"Network Error\": dial tcp 192.168.2.17:389: connect: no route to host"
User not authorized to access the Konvoy operations portal
The following events are logged when the user does not have permission to access the Konvoy operations portal. To fix this issue, the user must be granted access to the ops portal as described in our documentation:
time="2021-01-27T21:48:02Z" level=debug msg="authorizing user: user1@mydomain.com, groups: [system:authenticated]" source_ip=192.168.2.243
time="2021-01-27T21:48:02Z" level=info msg="user user1@mydomain.com for is not authorized to `GET` in /ops/portal/" source_ip=192.168.2.243
Users/Groups search filter returned no results
This is the most frequent issue encountered. It happens when no user entry matches the configured search filter, and the following events are logged. In this case, the filter must be redefined to match the structure of the LDAP directory.
time="2021-01-22T22:13:34Z" level=info msg="performing ldap search dc=sadielo,dc=network sub (&(objectClass=inetOrgPerson)(konvoyu1=konvoyu1))"
time="2021-01-22T22:13:34Z" level=error msg="ldap: no results returned for filter: \"(&(objectClass=inetOrgPerson)(konvoyu1=konvoyu1))\""
The ldapsearch command is very useful when reviewing the structure of the LDAP directory and configuring the search filters:
ldapsearch -H ldaps://ldap.jumpcloud.com:636 -x -b "o=,dc=jumpcloud,dc=com" -D "uid=,ou=Users,o=,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"
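To make the two search-related failures concrete (the missing mail attribute described earlier and the empty result set above), here is an added Python example that is not Dex or Konvoy code. It reproduces how Dex composes the user search filter from userSearch.baseDN, userSearch.filter and userSearch.username, evaluates it against a constructed in-memory directory, and reports the same two outcomes as the log lines quoted in this article. The directory contents, the login/search helpers and the small RFC 4515 filter evaluator are assumptions made for illustration; the filter composition and the escaping of the login name before it is inserted into the filter mirror what the Dex LDAP connector does, which is why a login name such as "*" does not match every user.

```python
"""Added example (not Dex/Konvoy code): how the Dex LDAP connector composes the
user search filter and which error it reports, reproduced offline against a
constructed directory. The filter evaluator covers the RFC 4515 subset used here."""
import re

# Constructed sample directory: user1 has no mail attribute, user2 is complete.
DIRECTORY = {
    "cn=user1,cn=konvoy_users,dc=mydomain,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["user1"]},
    "cn=user2,cn=konvoy_users,dc=mydomain,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["user2"],
        "mail": ["user2@mydomain.com"]},
}

# Constructed userSearch block, the shape used by the Dex LDAP connector.
USER_SEARCH = {"baseDN": "dc=mydomain,dc=com",
               "filter": "(objectClass=inetOrgPerson)", "username": "uid"}


def escape_filter(value):
    """RFC 4515 escaping of filter metacharacters (what go-ldap's EscapeFilter
    does), so a login name cannot widen or restructure the search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def compose_user_filter(user_search, username):
    """Dex builds (&<userSearch.filter>(<userSearch.username>=<login>))."""
    clause = "(%s=%s)" % (user_search["username"], escape_filter(username))
    if user_search.get("filter"):
        return "(&%s%s)" % (user_search["filter"], clause)
    return clause


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse (&...), (|...), (!...) and (attr=value) into nested tuples."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if text[i] in "&|":
            op, i, subs = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                subs.append(node)
        elif text[i] == "!":
            node, i = parse(i + 1)
            op, subs = "!", [node]
        else:
            j = text.index(")", i)
            attr, _, raw = text[i:j].partition("=")
            # A raw '*' is a presence test; an escaped \2a stays a literal '*'.
            return ("=", attr, None if raw == "*" else _unescape(raw)), j + 1
        if text[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value is None:
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def search(base_dn, filter_text, directory):
    """Subtree search: every entry under base_dn that matches the filter."""
    node = parse_filter(filter_text)
    return {dn: e for dn, e in directory.items()
            if dn.lower().endswith(base_dn.lower()) and matches(node, e)}


def login(user_search, username, directory, required=("mail",)):
    """Return (status, detail); the detail strings mirror the Dex log lines."""
    flt = compose_user_filter(user_search, username)
    results = search(user_search["baseDN"], flt, directory)
    if not results:
        return "no_results", 'ldap: no results returned for filter: "%s"' % flt
    if len(results) > 1:
        return "multiple", "filter returned %d entries, expected one" % len(results)
    dn, entry = next(iter(results.items()))
    missing = [a for a in required if a not in entry]
    if missing:
        return "missing_attribute", (
            'ldap: entry "%s" missing following required attribute(s): [%s]'
            % (dn, ", ".join('"%s"' % a for a in missing)))
    return "ok", dn


if __name__ == "__main__":
    for name in ("user2", "user1", "nobody", "*"):
        print(name, "->", login(USER_SEARCH, name, DIRECTORY))
    # Misconfigured username attribute, as in the logged filter (konvoyu1=konvoyu1)
    print(login(dict(USER_SEARCH, username="konvoyu1"), "konvoyu1", DIRECTORY))
```

Running the block shows user2 logging in, user1 failing on the missing mail attribute, and nobody, "*" and the misconfigured username attribute all producing the "no results returned for filter" outcome. When a real deployment logs that error, paste the logged filter into ldapsearch against the same base DN: if ldapsearch returns nothing either, the filter or the username attribute does not fit the directory layout.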
Invalid credentials
The following event is logged when the LDAP binding user or its password does not match the credentials in the LDAP server:
time="2021-02-24T00:34:16Z" level=error msg="Failed to login user: ldap: initial bind for user "uid=,ou=Users,o=,dc=jumpcloud,dc=com\" failed: LDAP Result Code 49 \"Invalid Credentials\": "
The LDAP binding user credentials are defined with the parameters:
bindDN: uid=,ou=Users,o=,dc=jumpcloud,dc=com
bindSecretRef:
  name: ldap-password
Internal Server Error
When the Dex LDAP connector is configured to connect with the LDAP service using TLS (spec.ldap.host: ), a trusted root certificate must be specified with the rootCA parameter, as described in this article.
If the location of the root certificate is not specified correctly, or the referenced root certificate is not trusted (i.e., a self-signed certificate), the following event is logged:
time="2021-02-20T00:34:51Z" level=error msg="Failed to login user: failed to connect: LDAP Result Code 200 \"Network Error\": x509: certificate signed by unknown authority"
In this case, the user can verify whether the CA certificate specified in the connector definition file is the CA that actually signed the LDAP server certificate. The certificate chain presented by the LDAP server can be displayed with:
openssl s_client -connect ldap.server.com:636 -showcerts