dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

user groups from Microsoft AD not returned using ldap dex connector #1655

Open venkat-kayo opened 4 years ago

venkat-kayo commented 4 years ago

I have gone through issues #1483 and #856 but haven't been able to solve the issue I am facing.

I am using the inbuilt dex provided by Argocd.

Dex details: dex Version: v2.14.0 Go Version: go1.11.3 Go OS/ARCH: linux amd64

I am having issues retrieving the groups information from Microsoft Active Directory for a logged-in user. There is no uid attribute in the AD results obtained from ldapsearch for the user. The oidc client which consumes this data has the groups scope mentioned, but the group information is still not available, as seen from the dex logs.

Below is the ldap connector content:

data:
  dex.config: |
    connectors:
      - type: ldap
        id: ldap
        name: MicrosoftAD
        config:
          host: host@AD:389
          insecureNoSSL: true
          insecureSkipVerify: true
          bindDN: bindDNuser
          bindPW: bindPW
          userSearch:
            baseDN: DC=xxx,DC=xx,DC=xx
            Username: sAMAccountName
            emailAttr: mail
            nameAttr: name
            idAttr: DN
          groupSearch:
            baseDN: ldapBaseDN
            filter: "(objectClass=group)"
            userMatchers:
            - userAttr: DN
              groupAttr: member
              searchAttr: DN
            nameAttr: cn

I observe that the user is able to log in, but the groups to which the user belongs are not obtained, as shown in the log below obtained from the argocd-dex-server-xxx pod:

time="2020-02-12T03:23:25Z" level=info msg="config issuer: $(ARGOFQDN)/api/dex"
time="2020-02-12T03:23:25Z" level=info msg="config storage: memory"
time="2020-02-12T03:23:25Z" level=info msg="config static client: argo-cd"
time="2020-02-12T03:23:25Z" level=info msg="config static client: argo-cd-cli"
time="2020-02-12T03:23:25Z" level=info msg="config connector: ldap"
time="2020-02-12T03:23:25Z" level=info msg="config skipping approval screen"
time="2020-02-12T03:23:25Z" level=info msg="keys expired, rotating"
time="2020-02-12T03:23:25Z" level=info msg="keys rotated, next rotation: 2020-02-12 09:23:25.352002627 +0000 UTC"
time="2020-02-12T03:23:25Z" level=info msg="listening (http) on 0.0.0.0:5556"
time="2020-02-12T03:23:25Z" level=info msg="listening (grpc) on 0.0.0.0:5557"
time="2020-02-12T03:23:36Z" level=info msg="performing ldap search DC=xxxxxxDC=com,DC=au sub (&(objectClass=person)(SamAccountName=SAMACCOUNT-USERNAME))" connector=MicrosoftAD
time="2020-02-12T03:23:36Z" level=info msg="username "SAMACCOUNT-USERNAME" mapped to entry CN=MY-CN-USERNAME,OU=xxxxxx,OU=xxxxxx,DC=xxxxx,DC=com,DC=au" connector=MicrosoftAD
time="2020-02-12T03:23:36Z" level=info msg="login successful: connector "ldap", username="MY-CN-USERNAME", email="MY-EMAIL-ID", groups=[]"

Note: the sAMAccountName attribute is the only one with a "." between the firstname and surname.

User details as seen from ldapsearch :

dn: CN=firstname surname,OU=xxxxxx,OU=xxxxx,DC=xxx,DC=xx,DC=xx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: firstname surname
sn: surname
c: xx
o: xxxxxxxxxxx
givenName: firstname
distinguishedName: CN=firstname surname,OU=xxxxxx,OU=xxxxx,DC=xxx,DC=xx,DC=xx
displayName: firstname surname
uSNCreated: 13210372
memberOf: CN=group1,OU=xxxxx, DC=xxx,DC=xx,DC=xx
memberOf: CN=group2,OU=xxxxx, DC=xxx,DC=xx,DC=xx
name: firstname surname
sAMAccountName: firstname.surname
sAMAccountType: 805306368

Group details as seen from ldapsearch:

dn: CN=Groupname,OU=xxxxx,OU=xxx,DC=xxx,DC=xx,DC=xx
objectClass: top
objectClass: group
cn: Groupname
member: CN=firstname1 surname1,OU=xxxxx,DC=xxx,DC=xx,DC=xx
member: CN=firstname2 surname2,OU=xxxxx,DC=xxx,DC=xx,DC=xx

Can somebody please point out the error in the configuration or any configuration steps that I have missed?

alexismaior commented 4 years ago

Hi, I was facing the same problem here with my AD. I applied #982 in my config and it worked! Basically, I gave up using "userMatchers:" in my dex config. Defining only "userAttr", "groupAttr" and "searchAttr", I could now see all my groups. Don't know the reason, btw. Hope it works for you.

voki commented 4 years ago

@alexismaior Could you please paste full config for userSearch and groupSearch sections? I have tried #982 and a lot of other combinations, but still no luck.

alexismaior commented 4 years ago

Absolutely!

connectors:
- type: ldap
  name: ActiveDirectory
  id: ldap
  config:
    host:  x.x.x.x:389
    insecureNoSSL: true
    insecureSkipVerify: true
    bindDN: CN=aa,OU=bb,DC=ccc,DC=dd
    bindPW: xxxx
    userSearch:
      baseDN: CN=Users,DC=xx,DC=xx
      filter: "(objectClass=person)"
      username: sAMAccountName
      idAttr: DN
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: DC=xx,DC=xx
      filter: "(objectClass=group)"
      userAttr: DN
      groupAttr: member
      nameAttr: cn

voki commented 4 years ago

Thanks, it turned out my dex config was ok, it was gangway that was not passing scope groups to dex.

bgdnlp commented 4 years ago

I'm using Dex through ArgoCD. ArgoCD v1.5.3, Dex v2.22.0. userMatchers doesn't work for me either. The configuration posted above by @alexismaior, where userAttr and groupAttr are set by themselves worked.

david-curran-90 commented 4 years ago

@voki , could you elaborate on the issue with gangway not passing scope groups? I'm having the same issue, Dex config looks the same as yours but I'm getting empty groups back.

voki commented 4 years ago

@schizoid90 Sure, I had to add "groups" scope in gangway config in the following line: scopes: ["openid", "profile", "email", "groups", "offline_access"]

david-curran-90 commented 4 years ago

@voki, thanks, I found that about 5 minutes after asking.

manlme commented 4 years ago

It works.

olzemal commented 2 years ago

The values you provide for userAttr etc. are case sensitive. I learned that the hard way 😄
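As an added example (not dex's own code), the following Python models how a dex-style LDAP connector resolves a user's groups from the working userAttr/groupAttr configuration posted above, and reproduces the two failure modes in this thread: a wrong-case attribute value yielding groups=[], and a client that never requests the "groups" scope. The entries are constructed to mirror the ldapsearch output in the issue; treating "DN" as a pseudo-attribute for the entry's own DN and comparing attribute names verbatim are assumptions about the connector, not code taken from dex.

```python
# Added example (not dex's code): a small model of how a dex-style LDAP
# connector turns the thread's groupSearch settings into a group lookup,
# so the two failure modes in the thread can be reproduced offline.
# Assumptions: "DN" is a pseudo-attribute meaning the entry's own DN, and
# attribute names in the config are compared with the entry verbatim.

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN containing ( ) * or \\ must not change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def get_attr(entry: dict, name: str) -> list:
    """Exact-match attribute lookup; lower-case 'dn' finds nothing (case matters)."""
    if name == "DN":
        return [entry["dn"]]
    return entry["attrs"].get(name, [])

def build_group_filter(group_search: dict, user_value: str) -> str:
    """The search filter sent for one user value, e.g. (&(objectClass=group)(member=<dn>))."""
    return "(&%s(%s=%s))" % (group_search["filter"], group_search["groupAttr"],
                             escape_filter_value(user_value))

def resolve_groups(user: dict, groups: list, group_search: dict) -> list:
    """Names (nameAttr) of the groups whose groupAttr lists the user's userAttr value."""
    names = []
    for value in get_attr(user, group_search["userAttr"]):
        for g in groups:
            if value in get_attr(g, group_search["groupAttr"]):
                names.extend(get_attr(g, group_search["nameAttr"]))
    return names

def id_token_groups(scopes: list, groups: list) -> list:
    """The groups claim is only emitted when the client asked for the 'groups' scope."""
    return list(groups) if "groups" in scopes else []

# Constructed entries modelled on the ldapsearch output in the issue.
USER_DN = "CN=firstname surname,OU=xxxxxx,OU=xxxxx,DC=xxx,DC=xx,DC=xx"
USER = {"dn": USER_DN, "attrs": {"sAMAccountName": ["firstname.surname"]}}
GROUPS = [
    {"dn": "CN=group1,OU=xxxxx,DC=xxx,DC=xx,DC=xx",
     "attrs": {"cn": ["group1"], "member": [USER_DN]}},
    {"dn": "CN=group2,OU=xxxxx,DC=xxx,DC=xx,DC=xx",
     "attrs": {"cn": ["group2"], "member": ["CN=someone else,OU=xxxxx,DC=xxx,DC=xx,DC=xx"]}},
]
WORKING = {"filter": "(objectClass=group)", "userAttr": "DN", "groupAttr": "member", "nameAttr": "cn"}
WRONG_CASE = dict(WORKING, userAttr="dn")  # value case matters, so no groups come back

if __name__ == "__main__":
    print(resolve_groups(USER, GROUPS, WORKING))               # ['group1']
    print(resolve_groups(USER, GROUPS, WRONG_CASE))            # []
    print(id_token_groups(["openid", "profile"], ["group1"]))  # [] until 'groups' is requested
```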