Connection timed out when accessing a Tanzu Kubernetes Grid (TKG) workload cluster with LDAP credentials
Article ID: 297305

Products

VMware Tanzu Kubernetes Grid

Issue/Introduction

Open the OIDC login endpoint of the workload cluster at https://<IP_WORKLOAD_MASTER>:30166 in your browser.

When you try to "Sign In" with your LDAP user credentials, the browser window gets stuck in a redirect loop and eventually shows a connection timed out error.

With the TKG management cluster as the current context, the following kubectl commands show this error in the Dex pod logs:

  • Commands:

    • kubectl config use-context <management-cluster-name>@<management-cluster-user>
    • kubectl -n tanzu-system-auth logs dex-<ID>

  • Error:

    {"level":"error","msg":"Failed to login user: failed to connect: LDAP Result Code 200 \"Network Error\": dial tcp ###.###.###.###:636: connect: connection timed out","time":"2020-04-14T05:57:59Z"}

Gangway exposes a web-based endpoint on workload clusters to which end users connect with their IdP credentials in order to access applications running in the cluster. When you log in with your IdP (in this case LDAP) credentials, Gangway redirects you to the OIDC provider (in this case Dex) and delegates the rest of the authentication flow to it. Dex then opens a connection to the LDAP server to authenticate the credentials you provided.

This issue occurs when Dex cannot reach your LDAP server on port 636 (LDAPS). The "dial tcp ...:636: connect: connection timed out" in the log is a TCP-level failure: no SYN/ACK ever came back, so the problem lies in the network path or the LDAP listener, not in the LDAP bind or search configuration.

Environment

Product Version: 1.0
OS: PhotonOS

Resolution

Note: Make sure the LDAP server is reachable on the network and accepting connections on port 636.

A good practice for troubleshooting and resolving this kind of error is to set up (or reuse) a jumpbox VM on the same network as your TKG management and workload clusters, and run the following tests from that VM:

  • Execute a basic host and port connection test with the following command:

    nc -vz <IP-LDAP-SERVER> 636

  • If this test times out, the failure is the same one Dex reports. Fix the network path first (routing, firewall or security-group rules between the cluster nodes and the LDAP server, and the LDAPS listener on the server itself); changing the Dex configuration will not help until this test succeeds.
  • If the connection succeeds, follow KB 297557 (specifically the "Test LDAP search filters" section) to install ldap-utils on your jumpbox VM and use the ldapsearch utility to perform the user or group search on your LDAP server, checking that it returns the results you expect. Based on the queries that succeed, revisit your LDAP configuration parameters (tkg-extensions-v1.0.0/authentication/dex/vsphere/ldap/03-cm.yaml) and make sure they match the bind DN, base DN and filters that worked with ldapsearch.
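The following script, added here as an example and not part of the KB or the TKG tooling, automates the jumpbox checks above: it pulls the host:port that Dex failed to reach out of the Dex log line, runs the TCP reachability test against it, and only then wraps an ldapsearch query that you can compare against the values in 03-cm.yaml. The sample log line uses a constructed placeholder address (10.0.0.5); the bind DN, base DN, filter and CA path passed to ldap_user_search are assumptions you must replace with your own.

```bash
#!/usr/bin/env bash
# Added example: jumpbox checks for the Dex -> LDAP "connection timed out" error.
# Not part of the KB; IP, DNs and filter below are constructed placeholders.

# Constructed sample of the Dex error line quoted in the KB, with a placeholder IP.
SAMPLE_DEX_LOG='{"level":"error","msg":"Failed to login user: failed to connect: LDAP Result Code 200 \"Network Error\": dial tcp 10.0.0.5:636: connect: connection timed out","time":"2020-04-14T05:57:59Z"}'

# Extract HOST:PORT from a "dial tcp HOST:PORT: ..." Dex log line.
# Prints nothing if the line does not contain a dial error (IPv4 hosts only).
dex_dial_target() {
  printf '%s\n' "$1" | sed -n 's/.*dial tcp \([^ ]*:[0-9][0-9]*\):.*/\1/p'
}
target_host() { printf '%s\n' "${1%:*}"; }
target_port() { printf '%s\n' "${1##*:}"; }

# TCP reachability test, the same check the KB does with nc -vz.
# Falls back to bash's /dev/tcp when nc is not installed on the jumpbox.
# Returns 0 only if the port accepted the connection.
check_port() {
  host=$1; port=$2; tmo=${3:-5}
  if command -v nc >/dev/null 2>&1; then
    nc -vz -w "$tmo" "$host" "$port"
  else
    timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

# Run the user search Dex would run, with explicit LDAPS and the CA that Dex
# is configured with. Arguments: host port bindDN baseDN filter [caCertFile]
# Assumed values are passed by the caller; ldapsearch prompts for the bind password.
ldap_user_search() {
  host=$1; port=$2; bind_dn=$3; base_dn=$4; filter=$5; ca=${6:-}
  [ -n "$ca" ] && export LDAPTLS_CACERT="$ca"
  ldapsearch -x -LLL -H "ldaps://$host:$port" -D "$bind_dn" -W \
    -b "$base_dn" -s sub "$filter" dn
}

# End-to-end run: stop at the first failing stage, as the KB recommends.
main() {
  target=$(dex_dial_target "$SAMPLE_DEX_LOG")
  [ -n "$target" ] || { echo "no dial error found in log line"; return 2; }
  host=$(target_host "$target"); port=$(target_port "$target")
  if ! check_port "$host" "$port"; then
    echo "TCP connect to $host:$port failed: fix routing/firewall/listener first"
    return 1
  fi
  # Assumed DNs and filter; replace with the values from 03-cm.yaml.
  ldap_user_search "$host" "$port" "cn=dex,ou=svc,dc=example,dc=com" \
    "ou=users,dc=example,dc=com" "(&(objectClass=person)(uid=alice))" \
    /etc/ssl/certs/ldap-ca.pem
}

# Only run the checks when executed directly, not when sourced for its functions.
[ "${0##*/}" = "ldap-check.sh" ] && main "$@"
```

Save it as ldap-check.sh on the jumpbox and run it; if the TCP stage fails you have reproduced Dex's error outside the cluster and can hand the host:port to the network team, and if ldapsearch returns no entries the next thing to compare is the filter and base DN in 03-cm.yaml against what worked here.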