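# Example dex configuration with an OpenLDAP connector.
# Every value below (issuer, storage file, bind credentials, client secret)
# is chosen for a local development setup; read the comment on each setting
# before reusing it anywhere else.
issuer: http://127.0.0.1:5556/dex

storage:
  type: sqlite3
  config:
    file: examples/dex.db

web:
  # Plain HTTP bound on every interface. Fine for a local example, but on a
  # shared network tokens and authorization codes would travel unencrypted;
  # outside local testing serve dex over TLS (the `https`, `tlsCert` and
  # `tlsKey` web settings) or behind a TLS-terminating proxy.
  http: 0.0.0.0:5556

connectors:
  - type: ldap
    name: OpenLDAP
    id: ldap
    config:
      # The following configurations seem to work with OpenLDAP. Exactly one
      # of the three variants should be active at a time.
      #
      # 1) Plain LDAP, without TLS. Local development only: the bind password
      #    and every user's password are sent to the server in cleartext.
      host: localhost:389
      insecureNoSSL: true
      #
      # 2) LDAPS without certificate validation. The connection is encrypted
      #    but any certificate is accepted, so the directory's identity is
      #    not verified; only for testing against a self-signed server.
      #host: localhost:636
      #insecureNoSSL: false
      #insecureSkipVerify: true
      #
      # 3) LDAPS with certificate validation. This is the variant to use
      #    outside local testing.
      #host: YOUR-HOSTNAME:636
      #insecureNoSSL: false
      #insecureSkipVerify: false
      #rootCAData: 'CERT'
      # ...where CERT="$( base64 -w 0 your-cert.crt )"

      # Service account used for the user and group searches below.
      # This would normally be a read-only user; "cn=admin" is an example.
      bindDN: cn=admin,dc=example,dc=org
      # Plaintext credential. The example value must not be reused, and a
      # real bind password should not be committed to version control.
      bindPW: admin

      # Label shown on the login form for the username field.
      usernamePrompt: Email Address

      userSearch:
        baseDN: ou=People,dc=example,dc=org
        filter: "(objectClass=person)"
        # Attribute the login name is matched against.
        username: mail
        # "DN" (case sensitive) is a special attribute name. It indicates that
        # this value should be taken from the entity's DN not an attribute on
        # the entity.
        idAttr: DN
        emailAttr: mail
        nameAttr: cn

      groupSearch:
        baseDN: ou=Groups,dc=example,dc=org
        filter: "(objectClass=groupOfNames)"

        userMatchers:
          # A user is a member of a group when their DN matches
          # the value of a "member" attribute on the group entity.
          - userAttr: DN
            groupAttr: member
          # Several matchers may be listed to collect membership from groups
          # of different types, e.g. posixGroup entries that list members by
          # uid (widen the filter above so those entries are returned too):
          #- userAttr: uid
          #  groupAttr: memberUid

        # The group name should be the "cn" value.
        nameAttr: cn

staticClients:
  - id: example-app
    # Only exact, pre-registered redirect URIs are acceptable here; the
    # loopback address is used because this is a local example.
    redirectURIs:
      - 'http://127.0.0.1:5555/callback'
    name: 'Example App'
    # Example client secret. A real one is a credential: generate it per
    # deployment and keep it out of committed config.
    secret: ZXhhbXBsZS1hcHAtc2VjcmV0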