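---
# Dex (OIDC identity provider) configuration, rendered by kustomize.
# Every `$(name)` token below is a kustomize var that is replaced at build time.
#
# SECURITY NOTE: this is a ConfigMap, not a Secret. After substitution it holds
# the LDAP bind password (`bindPW`) and the OAuth2 client secret (`secret`) in
# plaintext, readable by anyone who can `get configmaps` in the namespace.
# Dex expands `$ENV_VAR` references in its config (see the `bindPW` note below),
# so the preferred layout is to keep those two values in a Kubernetes Secret,
# inject them into the dex container as environment variables, and reference
# them here as `$LDAP_BIND_PW` / `$CLIENT_SECRET` instead of kustomize vars.
apiVersion: v1
kind: ConfigMap
metadata:
  name: dex
data:
  config.yaml: |
    # Public URL of this issuer. Must be HTTPS and must match byte-for-byte the
    # issuer that relying parties are configured with; OIDC discovery and
    # token validation compare it exactly.
    issuer: $(issuer)

    # Dex persists its state (clients, refresh tokens, keys) as CRDs in-cluster.
    storage:
      type: kubernetes
      config:
        inCluster: true

    # HTTPS listener. The certificate and key are expected to be mounted at the
    # paths below (e.g. from a TLS Secret).
    web:
      https: 0.0.0.0:5556
      tlsCert: /etc/dex/tls/tls.crt
      tlsKey: /etc/dex/tls/tls.key
      # For plaintext HTTP remove the tls* keys and add the line below.
      # Only do this behind a TLS-terminating proxy; tokens and passwords would
      # otherwise cross the network in the clear.
      #http: 0.0.0.0:5556

    logger:
      # "debug" is very verbose for an identity provider and may surface
      # request details in logs; use "info" outside of troubleshooting.
      level: "debug"
      format: text

    connectors:
      - type: ldap
        # Required field for connector id.
        id: ldap
        # Required field for connector name.
        name: LDAP
        config:
          # Host and optional port of the LDAP server in the form "host:port".
          # If the port is not supplied, it will be guessed based on the
          # "insecureNoSSL" and "startTLS" flags: 389 for insecure or StartTLS
          # connections, 636 otherwise.
          host: $(ldap_host)

          # The following field is required if the LDAP host is not using TLS
          # (port 389). Because this option inherently leaks passwords to anyone
          # on the same network as dex, THIS OPTION MAY BE REMOVED WITHOUT
          # WARNING IN A FUTURE RELEASE.
          #
          # insecureNoSSL: true

          # If a custom certificate isn't provided, this option can be used to
          # turn OFF TLS certificate verification. As the name says, it is
          # insecure (enables MITM of the bind credentials and user passwords)
          # and must not be used outside of exploratory phases.
          #
          # insecureSkipVerify: true

          # When connecting to the server, connect using the ldap:// protocol
          # then issue a StartTLS command. If unspecified, connections will use
          # the ldaps:// protocol.
          #
          # startTLS: true

          # Path to a trusted root certificate file. Default: use the host's
          # root CAs. Pinning the directory's CA here is recommended when it is
          # not issued by a public CA.
          #rootCA: /etc/dex/ldap.ca

          # A raw certificate file can also be provided inline.
          #rootCAData:

          # The DN and password for an application service account. The
          # connector uses these credentials to search for users and groups.
          # Not required if the LDAP server provides access for anonymous auth.
          # Grant this account read-only search rights on the user and group
          # subtrees only.
          # Please note that if the bind password contains a `$`, it has to be
          # saved in an environment variable which should be given as the value
          # to `bindPW` (e.g. `bindPW: $LDAP_BIND_PW`). The same mechanism is
          # the way to keep the password out of this ConfigMap entirely.
          bindDN: $(ldap_bind_dn)
          bindPW: $(ldap_bind_pw)

          # User search maps a username and password entered by a user to an
          # LDAP entry.
          userSearch:
            # BaseDN to start the search from. It will translate to the query
            # "(&(objectClass=person)(uid=<username>))".
            baseDN: $(ldap_user_base_dn)
            # Optional filter to apply when searching the directory.
            filter: "(objectClass=posixAccount)"

            # Username attribute used for comparing user entries. This will be
            # translated and combined with the other filter as
            # "(<attr>=<username>)". Here users sign in with their mail address.
            username: mail
            # The following three fields are direct mappings of attributes on
            # the user entry.
            # String representation of the user (the stable subject identifier).
            idAttr: uid
            # Required. Attribute to map to Email.
            emailAttr: mail
            # Maps to display name of users. No default value.
            nameAttr: uid

          # Group search queries for groups given a user entry.
          groupSearch:
            # BaseDN to start the search from. It will translate to the query
            # "(&(objectClass=group)(member=<user uid>))".
            baseDN: $(ldap_group_base_dn)
            # Optional filter to apply when searching the directory.
            filter: "(objectClass=posixGroup)"

            # The following two fields are used to match a user to a group. It
            # adds an additional requirement to the filter that an attribute in
            # the group must match the user's attribute value.
            # NOTE(review): matching on gidNumber appears to yield only the
            # user's primary POSIX group, not memberUid-style memberships — if
            # the `groups` claim drives authorization downstream, confirm this
            # is the intended group set.
            userAttr: gidNumber
            groupAttr: gidNumber

            # Represents group name.
            nameAttr: cn

    oauth2:
      # Users are never shown a consent screen; acceptable only because the
      # sole client below is first-party and trusted.
      skipApprovalScreen: true

    staticClients:
      - id: $(client_id)
        # Must expand to a YAML list of the exact callback URLs of the client.
        # Redirect URIs are matched exactly; do not rely on wildcards or
        # prefixes, and list only HTTPS endpoints you control.
        redirectURIs: $(oidc_redirect_uris)
        name: 'Dex Login Application'
        # Shared with the relying party; treat as a credential (see the note
        # at the top of this file about keeping it out of the ConfigMap).
        secret: $(application_secret)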