On this page
Day 4 - Dex local LDAP login against OpenCloud IDM
Dex LDAP connector to OpenCloud's integrated IDM, LDAPS TLS certificate fix, and GitHub issue #1 closed with automated tests in PASS.
Introduction
Day 4 (window of the last four hours of 27 May 2026, ~11:40–15:40 CEST on the production Debian VPS) focuses on a single authentication goal: local login must accept any user from OpenCloud's integrated IDM (same uid and password as in Settings) while still issuing Dex OIDC tokens for the proxy.
Dex's static password store is replaced with an LDAP connector to the IDM's LDAPS, the internal LDAP service TLS certificate is fixed, and the autoagents loop closes GitHub issue #1 with automated tests in PASS.
Summary
Day outcome
- Dex ↔ IDM:
ldapconnector →ldaps://opencloud:9235, baseou=users,o=libregraph-idm; Dex on Docker networkopencloud_opencloud-netwith config/data volumes for CAidm/ldap.crt. - OpenCloud:
IDM_LDAPS_ADDR=0.0.0.0:9235in external-proxy overlay;login.htmlusesconnector_id=ldap; nginx and auth JSON aligned withcloud.km0digital.com. - IDM TLS: certificate regenerated with SAN
DNS:opencloud(previouslylocalhostonly); scriptregenerate-opencloud-idm-ldap-cert.sh. - Autoagents: task closed PASS; package version 1.0.18; manual login with two distinct users pending operator verification.
Problem
GitHub #1
The hybrid flow already routed Google/Apple and local login through Dex, but the local connector relied on Dex's static password store: it only worked for predefined credentials, not for all inetOrgPerson users created in OpenCloud's IDM.
The requirement was to unify credentials with OpenCloud Settings and keep the OIDC issuer (OC_OIDC_ISSUER) consumed by the proxy.
Solution
Dex LDAP + IDM integration
- Dex:
type: ldapconnector index/config.yaml; local password DB removed. - Dex compose: joined to
opencloud_opencloud-net; mountsopencloud-configandopencloud-datavolumes to read CA and mounted configidm_password. - OpenCloud overlay:
IDM_LDAPS_ADDR=0.0.0.0:9235so Dex reaches LDAPS via hostnameopencloud. - UI:
login.htmlwith “local” button andconnector_id=ldap; nginx/dex/authwithout connector → login selector.
Flow
Login after the changes
login.html
├── Google → Dex connector google → OIDC token → OpenCloud proxy
├── Apple → Dex connector apple → (when configured)
└── Local → Dex connector ldap → IDM LDAPS opencloud:9235
(any inetOrgPerson uid + password)Social connectors follow the same OIDC pattern; local login is no longer a fixed list in Dex but an LDAP bind against the stack's embedded directory.
Collabora
Co-editing after unified login
The Collabora integration documented on day 3 enables in-browser Office editing for all authenticated users. With day 4's Dex LDAP connector, any IDM user (same uid and password as Settings) can sign in and open shared spreadsheets or presentations; several people can edit the same XLSX or PPT file at once.
TLS
IDM LDAPS certificate fix
During testing, Dex reached opencloud:9235 but the auto-generated ldap.crt only included localhost in the SAN → error TLS certificate is valid for localhost, not opencloud.
Fix (0a042db): script scripts/regenerate-opencloud-idm-ldap-cert.sh regenerates the certificate with DNS:localhost,DNS:opencloud,IP:127.0.0.1 and --restart option; documented in runbook and Dex README.
Commits
Day window (CEST)
cf5a561(15:27) -feat(auth): Dex LDAP login against OpenCloud IDM for all users.0a042db(15:39) -fix(dex): regenerate IDM LDAP cert with opencloud SAN for Dex TLS.
Autoagents
Closing checks
- IDM cert SAN includes
opencloud- PASS. - Dex LDAP
host: opencloud:9235- PASS. curlwithconnector_id=ldap→/dex/auth/ldap- PASS.- Wrong password → HTTP 401, LDAP bind, no x509 in logs - PASS.
- Google connector smoke - PASS.
- Manual login two distinct users →
/files- NOT VERIFIED (operator).
Deployment
Verification (operator)
cd /opt/opencloud ./scripts/git-sync-main.sh ./scripts/apply-opencloud-compose-overrides.sh ./scripts/regenerate-opencloud-idm-ldap-cert.sh --restart rsync -a /opt/opencloud/host-www/opencloud-auth/ /var/www/opencloud-auth/ cd dex && docker compose up -d
Manual: private window → login.html → local login with two distinct OpenCloud uids; expect /oidc-callback.html then /files without JWKS errors or /graph/v1.0/me 500.
Next step
Day 5
Day 5 does not document deployments: it captures a vision meeting in Masnou on why we believe useful technology can already be offered without going through big digital corporations. In the meantime, explore the services or the day 5 story.