
This guide describes the configuration and setup needed for Venari DevOps Edition to authenticate end users through a Dex connector.

Prerequisites

  • A deployed and licensed Venari DevOps 3.0+ master node

  • A Dex connector configured for the target authentication service. This document provides a sample Microsoft Active Directory (LDAP) configuration for use with Venari DevOps.

Dex Active Directory Connector Configuration

Venari DevOps must run in split-brain IdP mode when Dex is the IdP: end users authenticate through Dex using its LDAP connector, while job nodes continue to authenticate to the master node through the Venari Auth Server.

Split-brain IdP Parameters

--identity:adminEmail: {AD-email-address}
--identity:authority: {authserver-url}
--identity:publicAuthority: {Dex-Url}
--identity:scope: openid profile offline_access email

where:

Value             Description
AD-email-address  The LDAP user's email address (e.g. user@yourcorp.com).
authserver-url    The Venari Auth Server URL that job nodes authenticate against (e.g. https://venari-auth-server:9002).
Dex-Url           The URL of the Dex server. This must match the issuer value in the Dex configuration file (shown later).

Dex Configuration file

The following Dex configuration illustrates configuring Dex to authenticate via Active Directory.

Replace the values where commented with your own; consult the official Dex documentation for the details of each field.

# Your Dex server (TLS) endpoint. This value must match --identity:publicAuthority.
issuer: https://dex.example.com
storage:
  type: sqlite3
  config:
    file: /var/dex/dex.db
web:
  http: 0.0.0.0:5556
  # '*' lets any browser origin call Dex's discovery, token and keys endpoints;
  # restrict this to the master node's origin where your deployment allows it.
  allowedOrigins: ['*']
connectors:
- type: ldap
  name: ActiveDirectory
  id: ad
  config:
    # Your Active Directory host, with TLS enabled (LDAPS on port 636)
    host: ad.example.com:636
    insecureNoSSL: false
    insecureSkipVerify: false
    startTLS: false

    # The AD service account the connector binds as. Modify the domain components (dc) as appropriate.
    bindDN: cn=dexuser,cn=users,dc=example,dc=com
    # The service account's password. Replace the placeholder and restrict read access to this file.
    bindPW: CHANGE_PASSWORD
    usernamePrompt: Corporate Email Address
    userSearch:
      baseDN: cn=Users,dc=example,dc=com
      filter: "(objectClass=person)"
      # Users sign in with their UPN (email-style name), which also supplies the email claim.
      username: userPrincipalName
      idAttr: DN
      emailAttr: userPrincipalName
      nameAttr: cn
    groupSearch:
      # Modify the domain components as appropriate.
      baseDN: cn=Users,dc=example,dc=com
      filter: "(objectClass=group)"
      # A user is a member of a group when the user's DN appears in the group's member attribute.
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
staticClients:
  # This is the Venari application id; do not change it.
  - id: ed025f34-8299-4b69-b2f8-35d9723b6ce2
    name: "Assert Security AD Proxy"
    # Public client: no client secret is issued, so the redirect URI list below is
    # what binds this client to the Venari applications. Keep it exact.
    public: true
    redirectURIs:
      # Redirect URL for the Venari desktop app. Do not modify.
      - "venari://idpCallback"
      # Redirect for the Venari web management console (master node public FQDN). Change as appropriate.
      - "https://masternode.example.com"
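The requirement that Dex-Url match the Dex issuer, together with the TLS, password and redirect URI settings in the file above, can be checked before a login attempt. The following is an added example, not Venari or Dex code; it runs over the page's sample config written as a Python dict (the form a YAML parser would produce), and the function name lint_dex_config and the argument names are this example's own.

```python
VENARI_CLIENT_ID = "ed025f34-8299-4b69-b2f8-35d9723b6ce2"  # Venari application id, from the page
DESKTOP_REDIRECT = "venari://idpCallback"                  # desktop app callback, from the page


def lint_dex_config(cfg, public_authority, master_node_url):
    """Return a list of problems found; an empty list means the config is consistent."""
    problems = []
    issuer = cfg.get("issuer", "")
    # OIDC clients compare the token's iss claim to their configured issuer verbatim, so
    # --identity:publicAuthority must equal this string exactly (trailing slash included).
    if issuer != public_authority:
        problems.append("issuer does not match --identity:publicAuthority")
    if not issuer.startswith("https://"):
        problems.append("issuer is not an https URL")
    ldap = [c for c in cfg.get("connectors", []) if c.get("type") == "ldap"]
    if not ldap:
        problems.append("no ldap connector defined")
    for c in ldap:
        lc, cid = c.get("config", {}), c.get("id")
        if lc.get("insecureNoSSL") or lc.get("insecureSkipVerify"):
            problems.append(f"connector {cid}: TLS disabled or certificate not verified")
        if not (lc.get("host", "").endswith(":636") or lc.get("startTLS")):
            problems.append(f"connector {cid}: host is not LDAPS and startTLS is off")
        if lc.get("bindPW") in (None, "", "CHANGE_PASSWORD"):
            problems.append(f"connector {cid}: bindPW is still the placeholder")
    if "*" in cfg.get("web", {}).get("allowedOrigins", []):
        problems.append("web.allowedOrigins allows any origin")
    venari = next((c for c in cfg.get("staticClients", []) if c.get("id") == VENARI_CLIENT_ID), None)
    if venari is None:
        problems.append("Venari static client id is missing")
    else:
        for needed in (DESKTOP_REDIRECT, master_node_url):
            if needed not in venari.get("redirectURIs", []):
                problems.append(f"redirect URI missing: {needed}")
    return problems


# The page's sample config as parsed YAML (a constructed dict, so no YAML library is needed).
SAMPLE = {
    "issuer": "https://dex.example.com",
    "web": {"http": "0.0.0.0:5556", "allowedOrigins": ["*"]},
    "connectors": [{"type": "ldap", "id": "ad", "config": {
        "host": "ad.example.com:636", "insecureNoSSL": False,
        "insecureSkipVerify": False, "startTLS": False,
        "bindDN": "cn=dexuser,cn=users,dc=example,dc=com", "bindPW": "CHANGE_PASSWORD"}}],
    "staticClients": [{"id": VENARI_CLIENT_ID, "public": True,
        "redirectURIs": [DESKTOP_REDIRECT, "https://masternode.example.com"]}],
}

if __name__ == "__main__":
    for p in lint_dex_config(SAMPLE, "https://dex.example.com", "https://masternode.example.com"):
        print("WARN:", p)
```

Run against the sample as shipped, it reports only the placeholder password and the wildcard origin; a publicAuthority with a trailing slash, or a master node URL absent from redirectURIs, is reported as a separate problem.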