*: add standup script for LDAP

2017-08-22 10:36:16 -07:00
parent c45185f601
commit 50f2905cac
6 changed files with 231 additions and 2 deletions
--- a/Documentation/ldap-connector.md
+++ b/Documentation/ldap-connector.md
@@ -9,6 +9,30 @@ The connector executes two primary queries:
 1. Finding the user based on the end user's credentials.
 2. Searching for groups using the user entry.

+## Getting started
+
+The dex repo contains a basic LDAP setup using [OpenLDAP][openldap].
+
+First start the LDAP server using the example script. This will run the OpenLDAP daemon and seed it with a initial set of users.
+
+```
+./scripts/slapd.sh
+```
+
+This script sets the LDAP daemon to debug mode, and is expected to print several error messages which are normal. Once the server is up, run dex.
+
+```
+./bin/dex serve examples/config-ldap.yaml
+```
+
+Then run the OAuth client in another terminal.
+
+```
+./bin/example-app
+```
+
+Go to [http://localhost:5555](http://localhost:5555), login and enter the username and password of the LDAP user: `janedoe@example.com`/`foo`. Add the "groups" scope as part of the initial redirect to add group information from the LDAP server.
+
 ## Security considerations

 Dex attempts to bind with the backing LDAP server using the end user's _plain text password_. Though some LDAP implementations allow passing hashed passwords, dex doesn't support hashing and instead _strongly recommends that all administrators just use TLS_. This can often be achieved by using port 636 instead of 389, and administrators that choose 389 are actively leaking passwords.
@@ -252,3 +276,5 @@ connectors:
 ```

 If the search finds an entry, it will attempt to use the provided password to bind as that user entry.
+
+[openldap]: https://www.openldap.org/