
Dex and LDAP Docker setup

Pre-requisites

  • Docker is installed
  • You are logged in to Docker Hub (docker login) so that image pulls are not rate limited
  • Alternatively, copy the images to a container registry you have access to; in that case update the image references in the docker commands below

Set up LDAP as an identity provider

Install ldap-utils

# Ubuntu
sudo apt install ldap-utils -y

# Centos
sudo yum install -y openldap-clients

Start dockerized LDAP server

The HOST_IP line below picks the host address out of ifconfig by grepping for the 192.168.10 prefix; change the prefix to match your network and confirm that exactly one address comes back (echo $HOST_IP). LDAP_DOMAIN="vmware.tanzu" makes the image create the base DN dc=vmware,dc=tanzu and the admin DN cn=admin,dc=vmware,dc=tanzu, which the ldapadd command and the Dex bindDN below rely on. osixia/openldap:latest is an unpinned tag; pin a release tag or a digest if the setup has to be reproducible.

export HOST_IP=$(ifconfig | grep "192.168.10" | awk '{print $2}')

sudo docker run --name tanzu-ldap -p 389:389 -p 636:636 \
--env LDAP_TLS_VERIFY_CLIENT=try \
--env LDAP_ORGANISATION="VMware Tanzu" \
--env LDAP_DOMAIN="vmware.tanzu" \
--env LDAP_ADMIN_PASSWORD="changeme" \
--detach osixia/openldap:latest

Create Test LDAP users and groups

cat > $HOME/ldap-records.ldif <<EOF
# USERS
# alana, vmware.tanzu
dn: cn=alana,dc=vmware,dc=tanzu
objectClass: simpleSecurityObject
objectclass: iNetOrgPerson
sn: op
cn: alana
mail: alana@vmware.com
description: Alana
userPassword: changeme

# naomi, vmware.tanzu
dn: cn=naomi,dc=vmware,dc=tanzu
objectClass: simpleSecurityObject
objectclass: iNetOrgPerson
sn: dev
cn: naomi
mail: naomi@vmware.com
description: Naomi
userPassword: changeme

# GROUPS, vmware.tanzu
dn: ou=groups,dc=vmware,dc=tanzu
objectClass: organizationalUnit
ou: groups

# cluster-admins, groups, vmware.tanzu
dn: cn=cluster-admins,ou=groups,dc=vmware,dc=tanzu
objectClass: groupOfNames
objectClass: top
cn: cluster-admins
description: Admin Group
member: cn=alana,dc=vmware,dc=tanzu

# cluster-devs, groups, vmware.tanzu
dn: cn=cluster-devs,ou=groups,dc=vmware,dc=tanzu
objectClass: groupOfNames
objectClass: top
cn: cluster-devs
description: developers
member: cn=naomi,dc=vmware,dc=tanzu
EOF

Add the records using ldapadd. The file was written to $HOME, so give its full path. Note that -w puts the admin password on the command line and in shell history; -W prompts for it instead.

ldapadd -x -H ldap://$HOST_IP -D "cn=admin,dc=vmware,dc=tanzu" -w changeme -f $HOME/ldap-records.ldif

adding new entry "cn=alana,dc=vmware,dc=tanzu"
adding new entry "cn=naomi,dc=vmware,dc=tanzu"
adding new entry "ou=groups,dc=vmware,dc=tanzu"
adding new entry "cn=cluster-admins,ou=groups,dc=vmware,dc=tanzu"
adding new entry "cn=cluster-devs,ou=groups,dc=vmware,dc=tanzu"

Set up Dex as an OIDC provider

Generate certs

Dex serves the issuer URL over TLS with the certificate generated here, so the SAN exported before running cert-gen must list every address the issuer will be reached on: 127.0.0.1 and HOST_IP below. A certificate without HOST_IP in its SAN fails verification as soon as a client fetches the discovery document. The files Dex needs are server.crt and server.key in $HOME/dex, which the container mounts as /serve-config in the next section; ca.crt is what clients need as their trust root.

mkdir -p $HOME/dex/examples/grpc-client/

wget https://raw.githubusercontent.com/dexidp/dex/master/examples/grpc-client/openssl.conf -O $HOME/dex/examples/grpc-client/openssl.conf
pushd $HOME/dex
wget https://raw.githubusercontent.com/dexidp/dex/master/examples/grpc-client/cert-gen
chmod +x cert-gen
export SAN=IP.1:127.0.0.1,IP.2:$HOST_IP
./cert-gen
popd

# The container must read the cert/key and write dex.db in this directory. 777 is the quick lab fix,
# but it also makes server.key readable by every local user; a tighter fix is to chown the directory
# to the UID the container runs as (1001 for Bitnami images) and keep server.key at mode 0600.
chmod -R 777 $HOME/dex

Generate the Dex config

Set the client callback URL

  • REDIRECT_IP is the address of the application (relying party) that will receive the authorization code; Dex only redirects to URIs listed under redirectURIs, so change REDIRECT_IP (and the path in redirectURIs if yours is not /callback) to match your setup
export REDIRECT_IP="192.168.40.13"

cat << EOF > $HOME/dex/dex-ldap-config.yml
issuer: https://$HOST_IP:5556/dex
storage:
  type: sqlite3
  config:
    file: /serve-config/dex.db
web:
  http: 0.0.0.0:5558
  https: 0.0.0.0:5556
  tlsCert: /serve-config/server.crt
  tlsKey: /serve-config/server.key
connectors:
- type: ldap
  name: OpenLDAP
  id: ldap
  config:
    host: $HOST_IP:389
    insecureNoSSL: true
    insecureSkipVerify: true
    bindDN: cn=admin,dc=vmware,dc=tanzu
    bindPW: changeme
    usernamePrompt: Email Address
    userSearch:
      baseDN: dc=vmware,dc=tanzu
      filter: "(objectClass=iNetOrgPerson)"
      username: mail
      idAttr: DN
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: ou=groups,dc=vmware,dc=tanzu
      filter: "(objectClass=groupOfNames)"
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
staticClients:
- id: example-app
  redirectURIs:
  - 'https://$REDIRECT_IP/callback'
  name: 'Example App'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
EOF

A few things to know about this config before reusing it outside a lab:

  • issuer is the URL that clients (and the kube-apiserver) fetch /.well-known/openid-configuration from over TLS, so the host in it must be in the server cert's SAN; that is why HOST_IP was added to SAN above
  • insecureNoSSL and insecureSkipVerify make Dex bind to LDAP in clear text with no server verification: the admin bindPW and every user's password cross the network unencrypted. For anything beyond this test, point host at port 636 (ldaps), set both flags to false and supply the directory's CA via rootCA
  • bindDN is the directory admin; Dex only needs read access to the user and group subtrees, so a dedicated read-only service account is the least-privilege choice
  • web.http opens a plaintext listener on 5558 next to the TLS one; omit it unless something actually needs it
  • idAttr: DN makes the user's DN the subject identifier, so moving or renaming an entry changes the identity that relying parties see
  • The staticClients secret ZXhhbXBsZS1hcHAtc2VjcmV0 is base64 of example-app-secret, the well-known value from Dex's example config; generate a random secret per client
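To make the userSearch/groupSearch semantics concrete, here is an added example (not part of this page's setup and not Dex's own code) that parses the LDIF loaded earlier and resolves a login the way the connector config above describes: find the single iNetOrgPerson whose mail equals what the user typed, check the password (simulated against the clear-text lab password, where a real server performs a bind as that DN), then collect every groupOfNames under ou=groups whose member attribute holds the user's DN. The LDIF text and the two search dicts are constructed copies of the values above.

```python
import re

# Constructed copy of the records added with ldapadd above (comment lines kept
# so the parser is exercised on them).
LDIF = """\
# USERS
dn: cn=alana,dc=vmware,dc=tanzu
objectClass: simpleSecurityObject
objectclass: iNetOrgPerson
sn: op
cn: alana
mail: alana@vmware.com
userPassword: changeme

dn: cn=naomi,dc=vmware,dc=tanzu
objectClass: simpleSecurityObject
objectclass: iNetOrgPerson
sn: dev
cn: naomi
mail: naomi@vmware.com
userPassword: changeme

# GROUPS
dn: ou=groups,dc=vmware,dc=tanzu
objectClass: organizationalUnit
ou: groups

dn: cn=cluster-admins,ou=groups,dc=vmware,dc=tanzu
objectClass: groupOfNames
cn: cluster-admins
member: cn=alana,dc=vmware,dc=tanzu

dn: cn=cluster-devs,ou=groups,dc=vmware,dc=tanzu
objectClass: groupOfNames
cn: cluster-devs
member: cn=naomi,dc=vmware,dc=tanzu
"""

# The userSearch / groupSearch settings from dex-ldap-config.yml above.
USER_SEARCH = {"baseDN": "dc=vmware,dc=tanzu", "objectClass": "iNetOrgPerson",
               "username": "mail", "idAttr": "DN", "emailAttr": "mail", "nameAttr": "cn"}
GROUP_SEARCH = {"baseDN": "ou=groups,dc=vmware,dc=tanzu", "objectClass": "groupOfNames",
                "userAttr": "DN", "groupAttr": "member", "nameAttr": "cn"}


def parse_ldif(text):
    """Parse LDIF into entries of the form {"dn": str, "attrs": {name: [values]}}.
    Attribute names are lower-cased because LDAP attribute names are case-insensitive
    (objectClass and objectclass above are the same attribute). Folded lines and
    comments are handled; base64 (::) values are not needed for these records."""
    entries, cur = [], None
    text = re.sub(r"\n ", "", text)            # unfold continuation lines
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            cur = {"dn": value, "attrs": {}}
        elif cur is not None:
            cur["attrs"].setdefault(name, []).append(value)
    return entries


def attr(entry, name):
    """Attribute values, with Dex's special case that the pseudo-attribute DN is the entry's DN."""
    if name.upper() == "DN":
        return [entry["dn"]]
    return entry["attrs"].get(name.lower(), [])


def matches(entry, search):
    """Subtree-scope baseDN check plus the objectClass filter of a search block."""
    dn, base = entry["dn"].lower(), search["baseDN"].lower()
    in_scope = dn == base or dn.endswith("," + base)
    classes = [v.lower() for v in attr(entry, "objectClass")]
    return in_scope and search["objectClass"].lower() in classes


def login(entries, username, password):
    """Return the identity Dex would issue for what is typed at the usernamePrompt, or None.
    Step 1: userSearch with (&(filter)(<username attr>=<input>)); exactly one hit is required.
    Step 2: bind as that DN with the password (simulated against the clear-text lab password).
    Step 3: groupSearch for entries whose groupAttr contains the user's userAttr."""
    users = [e for e in entries if matches(e, USER_SEARCH)
             and username in attr(e, USER_SEARCH["username"])]
    if len(users) != 1:
        return None
    user = users[0]
    if password not in attr(user, "userPassword"):   # a real server hash-compares on bind
        return None
    user_keys = {v.lower() for v in attr(user, GROUP_SEARCH["userAttr"])}
    groups = [attr(g, GROUP_SEARCH["nameAttr"])[0] for g in entries if matches(g, GROUP_SEARCH)
              and user_keys & {m.lower() for m in attr(g, GROUP_SEARCH["groupAttr"])}]
    return {"user_id": attr(user, USER_SEARCH["idAttr"])[0],
            "email": attr(user, USER_SEARCH["emailAttr"])[0],
            "name": attr(user, USER_SEARCH["nameAttr"])[0],
            "groups": sorted(groups)}


if __name__ == "__main__":
    print(login(parse_ldif(LDIF), "alana@vmware.com", "changeme"))
```

The same three steps are what ldapsearch shows against the running container: one query with (&(objectClass=iNetOrgPerson)(mail=alana@vmware.com)) under dc=vmware,dc=tanzu, then one with (&(objectClass=groupOfNames)(member=cn=alana,dc=vmware,dc=tanzu)) under ou=groups. A login that fails at the first step means the typed value does not match the username attribute (cn is not accepted here, only mail); an empty groups claim means no member value names the user's DN.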

Run dockerized Dex

Mount $HOME/dex, the directory the certs and config were written to (the original $(pwd)/dex only works if the shell happens to be in $HOME):

docker run --name tanzu-dex \
-v $HOME/dex:/serve-config \
-p 5556:5556 \
-p 5558:5558 \
--detach bitnami/dex:2.33.0 serve /serve-config/dex-ldap-config.yml

docker logs tanzu-dex
time="2022-09-09T04:50:16Z" level=info msg="Dex Version: v2.33.0-dirty, Go Version: go1.18.3, Go OS/ARCH: linux amd64"
time="2022-09-09T04:50:16Z" level=info msg="config issuer: https://192.168.10.138:5556/dex"
time="2022-09-09T04:50:16Z" level=info msg="config storage: sqlite3"
time="2022-09-09T04:50:16Z" level=info msg="config static client: Example App"
time="2022-09-09T04:50:16Z" level=info msg="config connector: ldap"
time="2022-09-09T04:50:16Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-09-09T04:50:16Z" level=info msg="keys expired, rotating"
time="2022-09-09T04:50:16Z" level=info msg="keys rotated, next rotation: 2022-09-09 10:50:16.409769341 +0000 UTC"
time="2022-09-09T04:50:16Z" level=info msg="listening (http) on 0.0.0.0:5558"
time="2022-09-09T04:50:16Z" level=info msg="listening (https) on 0.0.0.0:5556"
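Before pointing a client at the instance, the following added example (not Dex code and not part of the original page) checks the values used above for the mistakes that bite most often: an issuer host missing from the cert SAN, a redirect URI that is not an absolute https URL, and the lab-only settings (plaintext LDAP, admin bind, placeholder bind password, demo client secret, plaintext listener) left in place. The config is reproduced as a Python dict from dex-ldap-config.yml with HOST_IP and REDIRECT_IP taken as 192.168.10.138 and 192.168.40.13 (the values visible above); the hardened variant's rootCA path and bind account are assumed names.

```python
import copy
from urllib.parse import urlparse

# Assumed values: HOST_IP as shown in the Dex log above, REDIRECT_IP as exported above.
HOST_IP, REDIRECT_IP = "192.168.10.138", "192.168.40.13"
SAN = f"IP.1:127.0.0.1,IP.2:{HOST_IP}"           # the string exported before ./cert-gen
DEX_EXAMPLE_SECRET = "ZXhhbXBsZS1hcHAtc2VjcmV0"    # base64("example-app-secret"), Dex's demo client secret

# dex-ldap-config.yml as a dict, so the check runs without a YAML package.
LAB_CONFIG = {
    "issuer": f"https://{HOST_IP}:5556/dex",
    "web": {"http": "0.0.0.0:5558", "https": "0.0.0.0:5556"},
    "connectors": [{"type": "ldap", "id": "ldap", "config": {
        "host": f"{HOST_IP}:389", "insecureNoSSL": True, "insecureSkipVerify": True,
        "bindDN": "cn=admin,dc=vmware,dc=tanzu", "bindPW": "changeme"}}],
    "staticClients": [{"id": "example-app", "redirectURIs": [f"https://{REDIRECT_IP}/callback"],
                       "secret": DEX_EXAMPLE_SECRET}],
}

# The same config with the lab-only settings corrected (CA path and bind account are assumed names).
HARDENED = copy.deepcopy(LAB_CONFIG)
del HARDENED["web"]["http"]
HARDENED["connectors"][0]["config"].update({
    "host": f"{HOST_IP}:636", "insecureNoSSL": False, "insecureSkipVerify": False,
    "rootCA": "/serve-config/ldap-ca.crt",
    "bindDN": "cn=dex,ou=services,dc=vmware,dc=tanzu",
    "bindPW": "<read-only account password, from a secret store>"})
HARDENED["staticClients"][0]["secret"] = "<32 random bytes, base64-encoded>"


def parse_san(san):
    """Names the server certificate will be valid for, from the SAN string given to cert-gen
    ('IP.1:127.0.0.1,IP.2:192.168.10.138' -> {'127.0.0.1', '192.168.10.138'})."""
    names = set()
    for item in san.split(","):
        kind, _, value = item.strip().partition(":")
        if kind.split(".")[0] in ("IP", "DNS") and value:
            names.add(value)
    return names


def check_dex_config(cfg, san):
    """Return a list of findings; an empty list means the config is internally consistent
    and carries none of the lab-only settings."""
    findings = []
    issuer = urlparse(cfg["issuer"])
    if issuer.scheme != "https":
        findings.append("issuer must be https (kube-apiserver and most clients require it)")
    elif issuer.hostname not in parse_san(san):
        findings.append(f"issuer host {issuer.hostname} is not in the cert SAN {sorted(parse_san(san))}: "
                        "TLS verification of the discovery URL will fail")
    if cfg.get("web", {}).get("http"):
        findings.append("web.http exposes a plaintext listener")
    for c in cfg.get("connectors", []):
        if c.get("type") != "ldap":
            continue
        lc = c["config"]
        if lc.get("insecureNoSSL"):
            findings.append(f"connector {c['id']}: insecureNoSSL sends bindPW and user passwords in clear")
        if lc.get("insecureSkipVerify"):
            findings.append(f"connector {c['id']}: insecureSkipVerify accepts any LDAP server certificate")
        if lc.get("bindDN", "").lower().startswith("cn=admin,"):   # heuristic: directory admin as service account
            findings.append(f"connector {c['id']}: bindDN is the directory admin; use a read-only account")
        if lc.get("bindPW") in ("changeme", ""):
            findings.append(f"connector {c['id']}: bindPW is a placeholder")
    for client in cfg.get("staticClients", []):
        for uri in client.get("redirectURIs", []):
            u = urlparse(uri)
            if u.scheme != "https" or not u.netloc:
                findings.append(f"client {client['id']}: redirect URI {uri!r} must be an absolute https URL")
        if client.get("secret") == DEX_EXAMPLE_SECRET:
            findings.append(f"client {client['id']}: secret is Dex's example value")
    return findings


if __name__ == "__main__":
    for finding in check_dex_config(LAB_CONFIG, SAN):
        print("lab:", finding)
    print("hardened:", check_dex_config(HARDENED, SAN) or "no findings")
```

Against the live container the end-to-end equivalent is fetching https://$HOST_IP:5556/dex/.well-known/openid-configuration with $HOME/dex/ca.crt as the trust root; a SAN mismatch shows up there as a certificate verification error before any login is attempted.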

Cleanup

docker rm -f -v tanzu-dex
docker rm -f -v tanzu-ldap
rm -rf $HOME/dex