On this page
4 min read

Day 4 - Dex local LDAP login against OpenCloud IDM

Dex LDAP connector to OpenCloud's integrated IDM, LDAPS TLS certificate fix, and GitHub issue #1 closed with automated tests in PASS.

Introduction

Day 4 (window of the last four hours of 27 May 2026, ~11:40–15:40 CEST on the production Debian VPS) focuses on a single authentication goal: local login must accept any user from OpenCloud's integrated IDM (same uid and password as in Settings) while still issuing Dex OIDC tokens for the proxy.

Dex's static password store is replaced with an LDAP connector to the IDM's LDAPS, the internal LDAP service TLS certificate is fixed, and the autoagents loop closes GitHub issue #1 with automated tests in PASS.

Summary

Day outcome

  • Dex ↔ IDM: ldap connector → ldaps://opencloud:9235, base ou=users,o=libregraph-idm; Dex on Docker network opencloud_opencloud-net with config/data volumes for CA idm/ldap.crt.
  • OpenCloud: IDM_LDAPS_ADDR=0.0.0.0:9235 in external-proxy overlay; login.html uses connector_id=ldap; nginx and auth JSON aligned with cloud.km0digital.com.
  • IDM TLS: certificate regenerated with SAN DNS:opencloud (previously localhost only); script regenerate-opencloud-idm-ldap-cert.sh.
  • Autoagents: task closed PASS; package version 1.0.18; manual login with two distinct users pending operator verification.

Problem

GitHub #1

The hybrid flow already routed Google/Apple and local login through Dex, but the local connector relied on Dex's static password store: it only worked for predefined credentials, not for all inetOrgPerson users created in OpenCloud's IDM.

The requirement was to unify credentials with OpenCloud Settings and keep the OIDC issuer (OC_OIDC_ISSUER) consumed by the proxy.

Solution

Dex LDAP + IDM integration

  • Dex: type: ldap connector in dex/config.yaml; local password DB removed.
  • Dex compose: joined to opencloud_opencloud-net; mounts opencloud-config and opencloud-data volumes to read CA and mounted config idm_password.
  • OpenCloud overlay: IDM_LDAPS_ADDR=0.0.0.0:9235 so Dex reaches LDAPS via hostname opencloud.
  • UI: login.html with “local” button and connector_id=ldap; nginx /dex/auth without connector → login selector.

Flow

Login after the changes

login.html
  ├── Google  → Dex connector google  → OIDC token → OpenCloud proxy
  ├── Apple   → Dex connector apple   → (when configured)
  └── Local   → Dex connector ldap    → IDM LDAPS opencloud:9235
                                         (any inetOrgPerson uid + password)

Social connectors follow the same OIDC pattern; local login is no longer a fixed list in Dex but an LDAP bind against the stack's embedded directory.

Collabora

Co-editing after unified login

The Collabora integration documented on day 3 enables in-browser Office editing for all authenticated users. With day 4's Dex LDAP connector, any IDM user (same uid and password as Settings) can sign in and open shared spreadsheets or presentations; several people can edit the same XLSX or PPT file at once.

TLS

IDM LDAPS certificate fix

During testing, Dex reached opencloud:9235 but the auto-generated ldap.crt only included localhost in the SAN → error TLS certificate is valid for localhost, not opencloud.

Fix (0a042db): script scripts/regenerate-opencloud-idm-ldap-cert.sh regenerates the certificate with DNS:localhost,DNS:opencloud,IP:127.0.0.1 and --restart option; documented in runbook and Dex README.

Commits

Day window (CEST)

  • cf5a561 (15:27) - feat(auth): Dex LDAP login against OpenCloud IDM for all users.
  • 0a042db (15:39) - fix(dex): regenerate IDM LDAP cert with opencloud SAN for Dex TLS.

Autoagents

Closing checks

  • IDM cert SAN includes opencloud - PASS.
  • Dex LDAP host: opencloud:9235 - PASS.
  • curl with connector_id=ldap/dex/auth/ldap - PASS.
  • Wrong password → HTTP 401, LDAP bind, no x509 in logs - PASS.
  • Google connector smoke - PASS.
  • Manual login two distinct users → /files - NOT VERIFIED (operator).

Deployment

Verification (operator)

cd /opt/opencloud
./scripts/git-sync-main.sh
./scripts/apply-opencloud-compose-overrides.sh
./scripts/regenerate-opencloud-idm-ldap-cert.sh --restart
rsync -a /opt/opencloud/host-www/opencloud-auth/ /var/www/opencloud-auth/
cd dex && docker compose up -d

curl -sI https://cloud.km0digital.com/login.html

Manual: private window → login.html → local login with two distinct OpenCloud uids; expect /oidc-callback.html then /files without JWKS errors or /graph/v1.0/me 500.

User passwords and IDM bind secrets are not part of this entry; the happy path with two real accounts remains human verification in production.

Next step

Day 5

Day 5 does not document deployments: it captures a vision meeting in Masnou on why we believe useful technology can already be offered without going through big digital corporations. In the meantime, explore the services or the day 5 story.