
I am using Dex as our Identity provider and connecting it to LDAP. Below is my ldap config in Dex:

connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: myhost.staging.com:636
    insecureNoSSL: false
    insecureSkipVerify: false
    bindDN: cn=prometheus-proxy,ou=serviceaccounts,dc=staging,dc=comp,dc=com
    bindPW: 'prometheus'
    rootCA: /etc/dex/ldap/ca-bundle.pem
    userSearch:
      baseDN: ou=people,dc=staging,dc=comp,dc=com
      filter: "(objectClass=person)"
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: uid
    groupSearch:
      baseDN: ou=appgroups,dc=staging,dc=comp,dc=com
      filter: "(objectClass=groupOfMembers)"
      userAttr: DN
      groupAttr: member
      nameAttr: cn

And below is a sample userSearch & groupSearch Result:

dn: uid=swedas01,ou=people,dc=staging,dc=comp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Sweta Das
gecos: Sweta Das
gidNumber: 50000
givenName: Sweta
mail: Sweta.Das@comp.com
sn: Das
uid: swedas01
memberOf: cn=jenkins,ou=appgroups,dc=staging,dc=comp,dc=com
homeDirectory: /home/swedas01

dn: cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com
objectClass: top
objectClass: groupOfMembers
cn: prometheus
member: uid=testl01,ou=people,dc=staging,dc=comp,dc=com

When I log in to my Prometheus instance, which uses the above config, I am still able to log in even though my user ID is not part of the group being used, i.e. Prometheus.

Dex logs show there are no groups associated with my ID.

time="2019-10-07T19:05:48Z" level=info msg="performing ldap search ou=people,dc=staging,dc=comp,dc=com sub (&(objectClass=person)(uid=swedas01))"
time="2019-10-07T19:05:48Z" level=info msg="username \"swedas01\" mapped to entry uid=swedas01,ou=people,dc=staging,dc=comp,dc=com"
time="2019-10-07T19:05:48Z" level=info msg="performing ldap search cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com sub (&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))"
time="2019-10-07T19:05:48Z" level=error msg="ldap: groups search with filter \"(&(objectClass=groupOfMembers)(member=uid=swedas01,ou=people,dc=staging,dc=comp,dc=com))\" returned no groups"
time="2019-10-07T19:05:48Z" level=info msg="login successful: connector \"ldap\", username=\"swedas01\", email=\"Sweta.Das@comp.com\", groups=[]"

But why is it still allowing me to log in? Is there any way I can mandate this setting: if the group search returns empty, login should fail?

swetad90

  • It seems `groupSearch` is just about grabbing group data but not for authorization, as you also concluded. Though before switching tool you may want to try something (I'm not sure, so I leave it there as a comment): since your directory supports the `memberOf` attribute, you can try adding a membership condition in the userSearch filter. Now look: `username: uid` and `filter: "(objectClass=person)"` result in the final filter `"(&(objectClass=person)(uid=))"`, so it might be possible to add the membership condition *without operator* in the filter setting – EricLavault Oct 14 '19 at 09:47
  • ... like `filter: "(objectClass=person)(memberOf=cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com)"` so that the final filter results in `(&(objectClass=person)(memberOf=cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com)(uid=))` – EricLavault Oct 14 '19 at 09:47
  • @EricLavault your answer is correct. I've just tested it with dex. Thanks. Please also write it in the answer section. BTW note that there is no need for the `&` operator, dex adds the `&` itself, and adding it causes an error. So `filter: "(objectClass=person)(memberOf=cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com)"` does the trick. – Mohammad Yosefpor Dec 15 '20 at 20:25
  • @MohammadYusefpur Hi, I just added it as an answer. Thank you for the feedback! – EricLavault Dec 19 '20 at 11:17

2 Answers

Since your directory supports the memberOf attribute, you can try adding a membership condition in the userSearch filter.

Now look:

username: uid
filter: "(objectClass=person)"

yields the following ldap filter:

"(&(objectClass=person)(uid=<uid>))"

So it might be possible to add the membership condition without operator in the filter setting, as dex is actually adding the operator itself (tested and confirmed by @MohammadYusefpur).

Like:

filter: "(objectClass=person)(memberOf=cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com)"

so that the actual ldap filter results in

(&(objectClass=person)(memberOf=cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com)(uid=<uid>))
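To make the mechanics concrete for both the question's log lines and this answer's filter, here is an added Python example; it is not part of this thread and is not Dex's own code. It evaluates a small subset of LDAP filter syntax over the two entries shown in the question plus one constructed user (testl01, the member listed in the group). Two things are assumptions rather than facts taken from Dex's source: the objectClass superclass table (a real server matches `person` against `inetOrgPerson` through the schema) and the login rule that userSearch must return exactly one entry while groupSearch is only informational, which is what the question's log lines suggest.

```python
import re

# Constructed sample data: the two entries from the question plus a
# hypothetical testl01 user who is actually a member of cn=prometheus.
USER_LDIF = """\
dn: uid=swedas01,ou=people,dc=staging,dc=comp,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Sweta Das
mail: Sweta.Das@comp.com
uid: swedas01
memberOf: cn=jenkins,ou=appgroups,dc=staging,dc=comp,dc=com
"""
MEMBER_LDIF = """\
dn: uid=testl01,ou=people,dc=staging,dc=comp,dc=com
objectClass: inetOrgPerson
uid: testl01
memberOf: cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com
"""
GROUP_LDIF = """\
dn: cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com
objectClass: top
objectClass: groupOfMembers
cn: prometheus
member: uid=testl01,ou=people,dc=staging,dc=comp,dc=com
"""
# Assumed superclass table: servers match objectClass against the whole
# chain, which is why (objectClass=person) finds an inetOrgPerson entry.
SUPERCLASSES = {"inetorgperson": ["organizationalperson", "person", "top"],
                "posixaccount": ["top"], "groupofmembers": ["top"]}
PROMETHEUS_GROUP = "cn=prometheus,ou=appgroups,dc=staging,dc=comp,dc=com"
# The answer's userSearch filter: membership condition, no & operator.
RESTRICTED_FILTER = f"(objectClass=person)(memberOf={PROMETHEUS_GROUP})"


def parse_ldif(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    classes = [c.lower() for c in entry.get("objectclass", [])]
    for c in list(classes):
        classes.extend(SUPERCLASSES.get(c, []))
    entry["objectclass"] = classes
    return entry


def escape_filter(value):
    """RFC 4515 escaping of a user-controlled assertion value, so a
    username cannot inject extra filter clauses."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def dex_user_filter(cfg_filter, username_attr, username):
    """Compose (&<configured filter>(<username attr>=<username>)), the
    shape visible in the question's 'performing ldap search' log line."""
    clause = f"({username_attr}={escape_filter(username)})"
    return f"(&{cfg_filter}{clause})" if cfg_filter else clause


def _parse(s, i):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    assert s[i] == "(", f"expected '(' at {i} in {s!r}"
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        assert s[i] == ")", f"unbalanced filter {s!r}"
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), _unescape(value)), end + 1


def _eval(node, entry):
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if node[0] == "&":
        return all(_eval(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_eval(c, entry) for c in node[1])
    return not _eval(node[1][0], entry)


def ldap_search(entries, filter_str):
    node, end = _parse(filter_str, 0)
    assert end == len(filter_str), f"trailing text in filter {filter_str!r}"
    return [e for e in entries if _eval(node, e)]


ENTRIES = [parse_ldif(USER_LDIF), parse_ldif(MEMBER_LDIF), parse_ldif(GROUP_LDIF)]


def login_outcome(user_filter_cfg, username):
    """Assumed Dex rule: login proceeds only if userSearch yields exactly
    one entry; the groupSearch result is attached but never enforced."""
    users = ldap_search(ENTRIES, dex_user_filter(user_filter_cfg, "uid", username))
    if len(users) != 1:
        return {"login": False, "groups": []}
    # userAttr: DN, groupAttr: member -> match the user's DN against member.
    group_filter = dex_user_filter("(objectClass=groupOfMembers)", "member", users[0]["dn"][0])
    return {"login": True, "groups": [g["cn"][0] for g in ldap_search(ENTRIES, group_filter)]}


if __name__ == "__main__":
    for cfg in ("(objectClass=person)", RESTRICTED_FILTER):
        for user in ("swedas01", "testl01"):
            print(cfg, user, login_outcome(cfg, user))
```

With the original `(objectClass=person)` filter, swedas01 is found, the group search comes back empty and the login still succeeds, exactly as the question's log shows. With the memberOf condition folded into userSearch, swedas01 is no longer found at all, so Dex has no user entry to map and the login fails, while testl01 (a member of the group) logs in with `groups=['prometheus']`. The `escape_filter` step is the same precaution the real connector has to take: the username is the only attacker-influenced part of the filter, and without escaping it could close the `(uid=...)` clause early.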
EricLavault

I am still not sure if this is the right answer. But as far as I could understand, Dex's group search is just for LDAP search. It returns the groups a user is a member of. Once you get the groups back, you can put RBAC policies on those groups to control what kind of access you want to give to the user.

However, for tools which do not have any auth methods of their own (e.g. Prometheus), I am still not sure how to implement LDAP group auth!

swetad90