Thanx... I slightly modified it and it worked like a charm (hope the indentation doesn't fubar too much).
Cheers
Rob

Here is the config that works for me.

  dex.config: |
    connectors:
    - type: ldap
      name: iesprd-ipa-1
      id: ldap
      config:
        # Ldap server address (LDAPS port)
        host: ipa.example.com:636
        insecureNoSSL: false
        # insecureSkipVerify disables server certificate verification, so the
        # rootCAData below is not checked while this stays true
        insecureSkipVerify: true
        rootCAData: <base64 encoded content of the ca.crt pem file>
        # Variable name stores ldap bindDN in argocd-secret
        bindDN: "uid=reader,cn=sysaccounts,cn=etc,dc=example,dc=com"
        # Variable name stores ldap bind password in argocd-secret
        bindPW: $user-idp-bind-password:bindPassword
        usernamePrompt: Username
        # Ldap user search attributes
        userSearch:
          # Would translate to the query "(&(objectClass=posixAccount)(uid=<username>))".
          baseDN: "cn=users,cn=accounts,dc=example,dc=com"
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          # Required. Attribute to map to Email.
          emailAttr: mail
          # Entity attribute to map to display name of users.
        # Ldap group search attributes
        groupSearch:
          baseDN: "cn=groups,cn=accounts,dc=example,dc=com"
          filter: "(objectClass=group)"
          userMatchers:
          - userAttr: uid
            groupAttr: member
          nameAttr: name

On Mon, 27 Jan 2025 at 15:28, Tomasz Torcz via FreeIPA-users <[email protected]> wrote:

> On Mon, Jan 27, 2025 at 02:10:41PM +0100, Rob Verduijn via FreeIPA-users wrote:
> > Hi,
> >
> > Anybody who has an example of the argocd dex configuration that uses ipa as
> > an external authentication provider ?
>
> I'm using following snippet to authenticate directly in FreeIPA's LDAP:
>
> #v+
> connectors:
> - type: ldap
>   id: pbrk-freeipa
>   name: PBRK FreeIPA
>   config:
>     host: kaitain.pipebreaker.pl
>     startTLS: false
>     insecureNoSSL: true
>     bindDN: uid=svc-argodex,cn=sysaccounts,cn=etc,dc=pipebreaker,dc=pl
>     bindPW: $dex.ldap.pbrk-freeipa.bindPW
>     usernamePrompt: PBRK username
>     userSearch:
>       baseDN: cn=users,cn=accounts,dc=pipebreaker,dc=pl
>       username: uid
>       idAttr: uid
>       emailAttr: mail
>       # on FreeIPA, cn equals Full Name
>       nameAttr: cn
>       #nameAttr: givenName
>     # see https://github.com/dexidp/dex/issues/1873 if you want to mess with groups
>     groupSearch:
>       baseDN: cn=groups,dc=pipebreaker,dc=pl
>       filter: "(objectClass=group)"
>       userMatchers:
>       - userAttr: uid
>         groupAttr: member
>       nameAttr: name
> #v-
>
> You would need to create a system user in LDAP (`bindDN` in the snippet above.)
> Also the mapping is more verbose than needed, as I have a few more
> services authenticating with DEX (Grafana, Headlamp, kube-ops-view etc.)
>
> --
> Tomasz Torcz             Once you’ve read the dictionary,
> @ttorcz:pipebreaker.pl   every other book is just a remix.
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
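Added example, not code from either poster: a small Python check that takes Rob's connector block above (re-typed as a dict, values constructed) and builds the user and group search filters the way the dex LDAP connector composes them, then flags the TLS settings a reviewer would question. The finding wording and the function names are my own.

```python
"""Review helper for a dex LDAP connector block (added example, not from the thread)."""

# Constructed from the connector config posted above; same keys as dex's LDAP connector.
DEX_LDAP_CONFIG = {
    "host": "ipa.example.com:636",
    "insecureNoSSL": False,
    "insecureSkipVerify": True,
    "rootCAData": "<base64 encoded ca.crt>",  # placeholder, not a real certificate
    "bindDN": "uid=reader,cn=sysaccounts,cn=etc,dc=example,dc=com",
    "userSearch": {"baseDN": "cn=users,cn=accounts,dc=example,dc=com",
                   "filter": "(objectClass=posixAccount)", "username": "uid"},
    "groupSearch": {"baseDN": "cn=groups,cn=accounts,dc=example,dc=com",
                    "filter": "(objectClass=group)",
                    "userMatchers": [{"userAttr": "uid", "groupAttr": "member"}]},
}

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(cfg: dict, username: str) -> str:
    """Filter dex sends at login: (&<userSearch.filter>(<username attr>=<escaped login>))."""
    us = cfg["userSearch"]
    return f"(&{us['filter']}({us['username']}={escape_filter_value(username)}))"


def group_search_filter(cfg: dict, user_attr_value: str) -> str:
    """Filter for the first userMatcher: (&<groupSearch.filter>(<groupAttr>=<escaped value>)).
    Note: userAttr and groupAttr must hold the same value form (a bare uid vs. a DN)."""
    gs = cfg["groupSearch"]
    m = gs["userMatchers"][0]
    return f"(&{gs['filter']}({m['groupAttr']}={escape_filter_value(user_attr_value)}))"


def tls_findings(cfg: dict) -> list[str]:
    """Settings that weaken transport protection of the bind password and user logins."""
    findings = []
    if cfg.get("insecureNoSSL"):
        findings.append("insecureNoSSL: bind password and user credentials travel in cleartext")
    if cfg.get("insecureSkipVerify"):
        findings.append("insecureSkipVerify: server certificate is not verified, rootCAData is unused")
    elif not cfg.get("insecureNoSSL") and not (cfg.get("rootCA") or cfg.get("rootCAData")):
        findings.append("no rootCA/rootCAData: verification relies on the container's trust store")
    return findings
```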
