example_configs: Add Dex example

Fixes #428.

README.md

@@ -28,20 +28,20 @@
   </a>
 </p>
 
- - [About](#About)
+- [About](#about)
- - [Installation](#Installation)
+- [Installation](#installation)
-   - [With Docker](#With-Docker)
+  - [With Docker](#with-docker)
-   - [From source](#From-source)
+  - [From source](#from-source)
-   - [Cross-compilation](#Cross-compilation)
+  - [Cross-compilation](#cross-compilation)
- - [Client configuration](#Client-configuration)
+- [Client configuration](#client-configuration)
-   - [Compatible services](#compatible-services)
+  - [Compatible services](#compatible-services)
-   - [General configuration guide](#general-configuration-guide)
+  - [General configuration guide](#general-configuration-guide)
-   - [Sample client configurations](#Sample-client-configurations)
+  - [Sample client configurations](#sample-client-configurations)
- - [Comparisons with other services](#Comparisons-with-other-services)
+- [Comparisons with other services](#comparisons-with-other-services)
-   - [vs OpenLDAP](#vs-openldap)
+  - [vs OpenLDAP](#vs-openldap)
-   - [vs FreeIPA](#vs-freeipa)
+  - [vs FreeIPA](#vs-freeipa)
- - [I can't log in!](#i-cant-log-in)
+- [I can't log in!](#i-cant-log-in)
- - [Contributions](#Contributions)
+- [Contributions](#contributions)
 
 ## About
 
@@ -62,10 +62,11 @@ edit their own details or reset their password by email.
 
 The goal is _not_ to provide a full LDAP server; if you're interested in that,
 check out OpenLDAP. This server is a user management system that is:
-* simple to setup (no messing around with `slapd`),
+
-* simple to manage (friendly web UI),
+- simple to setup (no messing around with `slapd`),
-* low resources,
+- simple to manage (friendly web UI),
-* opinionated with basic defaults so you don't have to understand the
+- low resources,
+- opinionated with basic defaults so you don't have to understand the
   subtleties of LDAP.
 
 It mostly targets self-hosting servers, with open-source components like
@@ -98,14 +99,14 @@ contents are loaded into the respective configuration parameters. Note that
 `_FILE` variables take precedence.
 
 Example for docker compose:
-* You can use either the `:latest` tag image or `:stable` as used in this example.
-* `:latest` tag image contains recently pushed code or feature tests, in which some instability can be expected.
-* If `UID` and `GID` no defined LLDAP will use default `UID` and `GID` number `1000`.
-* If no `TZ` is set, default `UTC` timezone will be used.
 
+- You can use either the `:latest` tag image or `:stable` as used in this example.
+- `:latest` tag image contains recently pushed code or feature tests, in which some instability can be expected.
+- If `UID` and `GID` no defined LLDAP will use default `UID` and `GID` number `1000`.
+- If no `TZ` is set, default `UTC` timezone will be used.
 
 ```yaml
-version: '3'
+version: "3"
 
 volumes:
   lldap_data:
@@ -139,9 +140,9 @@ front-end.
 
 To compile the project, you'll need:
 
-* nodejs 16: [nodesource nodejs installation guide](https://github.com/nodesource/distributions)
+- nodejs 16: [nodesource nodejs installation guide](https://github.com/nodesource/distributions)
-* curl: `sudo apt install curl`
+- curl: `sudo apt install curl`
-* Rust/Cargo: [rustup.rs](https://rustup.rs/)
+- Rust/Cargo: [rustup.rs](https://rustup.rs/)
 
 Then you can compile the server (and the migration tool if you want):
 
@@ -155,8 +156,8 @@ just run `cargo run -- run` to run the server.
 To bring up the server, you'll need to compile the frontend. In addition to
 cargo, you'll need:
 
-* WASM-pack: `cargo install wasm-pack`
+- WASM-pack: `cargo install wasm-pack`
-* rollup.js: `npm install rollup`
+- rollup.js: `npm install rollup`
 
 Then you can build the frontend files with `./app/build.sh` (you'll need to run
 this after every front-end change to update the WASM package served).
@@ -204,14 +205,15 @@ the config).
 ### General configuration guide
 
 To configure the services that will talk to LLDAP, here are the values:
-  - The LDAP user DN is from the configuration. By default,
+
-    `cn=admin,ou=people,dc=example,dc=com`.
+- The LDAP user DN is from the configuration. By default,
-  - The LDAP password is from the configuration (same as to log in to the web
+  `cn=admin,ou=people,dc=example,dc=com`.
-    UI).
+- The LDAP password is from the configuration (same as to log in to the web
-  - The users are all located in `ou=people,` + the base DN, so by default user
+  UI).
-    `bob` is at `cn=bob,ou=people,dc=example,dc=com`.
+- The users are all located in `ou=people,` + the base DN, so by default user
-  - Similarly, the groups are located in `ou=groups`, so the group `family`
+  `bob` is at `cn=bob,ou=people,dc=example,dc=com`.
-    will be at `cn=family,ou=groups,dc=example,dc=com`.
+- Similarly, the groups are located in `ou=groups`, so the group `family`
+  will be at `cn=family,ou=groups,dc=example,dc=com`.
 
 Testing group membership through `memberOf` is supported, so you can have a
 filter like: `(memberOf=cn=admins,ou=groups,dc=example,dc=com)`.
@@ -226,33 +228,35 @@ administration access to many services.
 Some specific clients have been tested to work and come with sample
 configuration files, or guides. See the [`example_configs`](example_configs)
 folder for help with:
-  - [Airsonic Advanced](example_configs/airsonic-advanced.md)
+
-  - [Apache Guacamole](example_configs/apacheguacamole.md)
+- [Airsonic Advanced](example_configs/airsonic-advanced.md)
-  - [Authelia](example_configs/authelia_config.yml)
+- [Apache Guacamole](example_configs/apacheguacamole.md)
-  - [Bookstack](example_configs/bookstack.env.example)
+- [Authelia](example_configs/authelia_config.yml)
-  - [Calibre-Web](example_configs/calibre_web.md)
+- [Bookstack](example_configs/bookstack.env.example)
-  - [Dell iDRAC](example_configs/dell_idrac.md)
+- [Calibre-Web](example_configs/calibre_web.md)
-  - [Dokuwiki](example_configs/dokuwiki.md)
+- [Dell iDRAC](example_configs/dell_idrac.md)
-  - [Dolibarr](example_configs/dolibarr.md)
+- [Dex](example_configs/dex_config.yml)
-  - [Emby](example_configs/emby.md)
+- [Dokuwiki](example_configs/dokuwiki.md)
-  - [Gitea](example_configs/gitea.md)
+- [Dolibarr](example_configs/dolibarr.md)
-  - [Grafana](example_configs/grafana_ldap_config.toml)
+- [Emby](example_configs/emby.md)
-  - [Hedgedoc](example_configs/hedgedoc.md)
+- [Gitea](example_configs/gitea.md)
-  - [Jellyfin](example_configs/jellyfin.md)
+- [Grafana](example_configs/grafana_ldap_config.toml)
-  - [Jitsi Meet](example_configs/jitsi_meet.conf)
+- [Hedgedoc](example_configs/hedgedoc.md)
-  - [KeyCloak](example_configs/keycloak.md)
+- [Jellyfin](example_configs/jellyfin.md)
-  - [Matrix](example_configs/matrix_synapse.yml)
+- [Jitsi Meet](example_configs/jitsi_meet.conf)
-  - [Nextcloud](example_configs/nextcloud.md)
+- [KeyCloak](example_configs/keycloak.md)
-  - [Organizr](example_configs/Organizr.md)
+- [Matrix](example_configs/matrix_synapse.yml)
-  - [Portainer](example_configs/portainer.md)
+- [Nextcloud](example_configs/nextcloud.md)
-  - [Seafile](example_configs/seafile.md)
+- [Organizr](example_configs/Organizr.md)
-  - [Syncthing](example_configs/syncthing.md)
+- [Portainer](example_configs/portainer.md)
-  - [Vaultwarden](example_configs/vaultwarden.md)
+- [Seafile](example_configs/seafile.md)
-  - [WeKan](example_configs/wekan.md)
+- [Syncthing](example_configs/syncthing.md)
-  - [WG Portal](example_configs/wg_portal.env.example)
+- [Vaultwarden](example_configs/vaultwarden.md)
-  - [WikiJS](example_configs/wikijs.md)
+- [WeKan](example_configs/wekan.md)
-  - [XBackBone](example_configs/xbackbone_config.php)
+- [WG Portal](example_configs/wg_portal.env.example)
-  - [Zendto](example_configs/zendto.md)
+- [WikiJS](example_configs/wikijs.md)
+- [XBackBone](example_configs/xbackbone_config.php)
+- [Zendto](example_configs/zendto.md)
 
 ## Comparisons with other services
 
@@ -291,20 +295,20 @@ use. It also comes conveniently packed in a docker container.
 If you just set up the server, can get to the login page but the password you
 set isn't working, try the following:
 
-  - (For docker): Make sure that the `/data` folder is persistent, either to a
+- (For docker): Make sure that the `/data` folder is persistent, either to a
-   docker volume or mounted from the host filesystem.
+  docker volume or mounted from the host filesystem.
-  - Check if there is a `lldap_config.toml` file (either in `/data` for docker
+- Check if there is a `lldap_config.toml` file (either in `/data` for docker
-    or in the current directory). If there isn't, copy
+  or in the current directory). If there isn't, copy
-    `lldap_config.docker_template.toml` there, and fill in the various values
+  `lldap_config.docker_template.toml` there, and fill in the various values
-    (passwords, secrets, ...).
+  (passwords, secrets, ...).
-  - Check if there is a `users.db` file (either in `/data` for docker or where
+- Check if there is a `users.db` file (either in `/data` for docker or where
-    you specified the DB URL, which defaults to the current directory). If
+  you specified the DB URL, which defaults to the current directory). If
-    there isn't, check that the user running the command (user with ID 10001
+  there isn't, check that the user running the command (user with ID 10001
-    for docker) has the rights to write to the `/data` folder. If in doubt, you
+  for docker) has the rights to write to the `/data` folder. If in doubt, you
-    can `chmod 777 /data` (or whatever the folder) to make it world-writeable.
+  can `chmod 777 /data` (or whatever the folder) to make it world-writeable.
-  - Make sure you restart the server.
+- Make sure you restart the server.
-  - If it's still not working, join the
+- If it's still not working, join the
-    [Discord server](https://discord.gg/h5PEdRMNyP) to ask for help.
+  [Discord server](https://discord.gg/h5PEdRMNyP) to ask for help.
 
 ## Contributions
 

example_configs/dex_config.yml

@@ -0,0 +1,32 @@
+# lldap configuration:
+# LLDAP_LDAP_BASE_DN:    dc=example,dc=com
+
+# ##############################
+# rest of the Dex options
+# ##############################
+
+connectors:
+  - type: ldap
+    id: ldap
+    name: LDAP
+    config:
+      host: lldap-host # make sure it does not start with `ldap://`
+      port: 3890 # or 6360 if you have ldaps enabled
+      insecureNoSSL: true # or false if you have ldaps enabled
+      insecureSkipVerify: true # or false if you have ldaps enabled
+      bindDN: uid=admin,ou=people,dc=example,dc=com # replace admin with your admin user
+      bindPW: very-secure-password # replace with your admin password
+      userSearch:
+        baseDN: ou=people,dc=example,dc=com
+        username: uid
+        idAttr: uid
+        emailAttr: mail
+        nameAttr: displayName
+        preferredUsernameAttr: uid
+      groupSearch:
+        baseDN: ou=groups,dc=example,dc=com
+        filter: "(objectClass=groupOfUniqueNames)"
+        userMatchers:
+          - userAttr: uid
+            groupAttr: member
+        nameAttr: displayName