LDAP connector broken after upgrade to 2.41.0 #3678

Closed
3 tasks done
networkhell opened this issue Aug 6, 2024 · 2 comments
Comments

@networkhell
networkhell commented Aug 6, 2024

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Version

2.41.0

Storage Type

Kubernetes

Installation Type

Official container image, Other (specify below)

Expected Behavior

Dex works as expected after upgrade of official docker image

Actual Behavior

When upgrading to image dexidp/dex:v2.41.0-distroless, the LDAP connector seems broken. An error message is displayed saying that dex is not able to contact the configured LDAP server.

Steps To Reproduce

  1. We run dex as a kubernetes deployment (k8s v1.29.5)
  2. The only connector is an LDAP server
  3. See dex config and logs for details

Additional Information

According to the logs, it looks like there is a problem with extracting the LDAP hostname from the dex config. I already tried to:

  • remove the port number from the host config
  • use an IP address instead of a hostname
  • set a host entry within the container to avoid DNS / IPv4/6 issues

but the error always remains the same.

A rollback to the previous version 2.40.0 immediately solves the problem.

Configuration

issuer: https://k8s-node01:30556
storage:
    type: kubernetes
    config:
        inCluster: true
expiry:
    idTokens: 8h
web:
    https: 0.0.0.0:5556
    tlsCert: /tls/wildcard.xxx.crt
    tlsKey: /tls/wildcard.xxx.key
connectors:
    - type: ldap
      id: ldap
      name: freeipa
      config:
        host: auth.xxx.yyy.zz:636
        insecureSkipVerify: true
        bindDN: uid=<redacted>
        bindPW: <redacted>
        usernamePrompt: Username
        userSearch:
            baseDN: <redacted>
            filter: (<redacted>)
            username: uid
            idAttr: DN
            emailAttr: mail
            nameAttr: cn
        groupSearch:
            baseDN: <redacted>
            filter: (&(objectClass=posixGroup)(|(cn=<redacted>)(cn=<redacted>-*)))
            userMatchers:
            - userAttr: uid
              groupAttr: memberUID
            nameAttr: cn
oauth2:
    skipApprovalScreen: true
logger:
    level: debug
    format: json
staticClients:
    - id: <redacted>-oauth-service
      redirectURIs:
        - https://k8s-node01:30443/callback
        - http://localhost:8000
        - http://localhost:18000
      name: <redacted> Python OAuth2 Client
      secret: <redacted>

Logs

{"time":"2024-08-06T12:43:34.355591004Z","level":"ERROR","msg":"failed to login user","err":"failed to connect: LDAP Result Code 200 \"Network Error\": dial tcp :636: connect: connection refused","request_id":"8c1fe139-b69d-40fd-9e31-6900925dac21"}
{"time":"2024-08-06T12:43:47.876073038Z","level":"ERROR","msg":"failed to login user","err":"failed to connect: LDAP Result Code 200 \"Network Error\": dial tcp :636: connect: connection refused","request_id":"b1c14a4c-a231-4536-a16c-082312e216b0"}
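
The dial target in the log, `:636`, has an empty host part, which matches the reporter's reading that the hostname is not being extracted from the `host` setting. As an added example, not code from this issue or from the Dex project, the following Go helper parses the forms the reporter tried (`hostname:636`, a bare hostname, a bare IP address, plus bracketed IPv6) and refuses to hand an empty host to the dialer. The default ports 636 (LDAPS) and 389 (plain LDAP) are the standard ones; the names `ParseLDAPHost` and `LDAPEndpoint` and the sample inputs are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// LDAPEndpoint is the parsed form of a connector "host" setting.
type LDAPEndpoint struct {
	Host string
	Port int
}

// ParseLDAPHost accepts "host", "host:port", "1.2.3.4", "1.2.3.4:636",
// "[::1]" and "[::1]:636". useTLS selects the default port (636 for LDAPS,
// 389 for plain LDAP) when the setting carries none. An empty host part
// is rejected so that net.Dial never sees an address such as ":636".
func ParseLDAPHost(setting string, useTLS bool) (LDAPEndpoint, error) {
	s := strings.TrimSpace(setting)
	if s == "" {
		return LDAPEndpoint{}, errors.New("ldap host must not be empty")
	}
	defaultPort := 389
	if useTLS {
		defaultPort = 636
	}

	host, portStr, err := net.SplitHostPort(s)
	if err != nil {
		// net.SplitHostPort fails for a bare host ("missing port in address")
		// and for an unbracketed IPv6 literal ("too many colons"). In both
		// cases the whole string is the host; strip IPv6 brackets if present.
		host = strings.TrimSuffix(strings.TrimPrefix(s, "["), "]")
		portStr = ""
	}
	if host == "" {
		// This is the failure mode in the log: a port with no host.
		return LDAPEndpoint{}, fmt.Errorf("ldap host %q has an empty host part", setting)
	}

	port := defaultPort
	if portStr != "" {
		p, err := strconv.Atoi(portStr)
		if err != nil || p < 1 || p > 65535 {
			return LDAPEndpoint{}, fmt.Errorf("ldap host %q has an invalid port %q", setting, portStr)
		}
		port = p
	}
	return LDAPEndpoint{Host: host, Port: port}, nil
}

// DialAddress renders the endpoint for net.Dial, re-adding IPv6 brackets.
func (e LDAPEndpoint) DialAddress() string {
	return net.JoinHostPort(e.Host, strconv.Itoa(e.Port))
}

func main() {
	// Constructed inputs mirroring the variants the reporter tried, plus the
	// broken ":636" form visible in the log.
	for _, in := range []string{"auth.xxx.yyy.zz:636", "auth.xxx.yyy.zz", "10.0.0.5", "[::1]:636", ":636", ""} {
		ep, err := ParseLDAPHost(in, true)
		if err != nil {
			fmt.Printf("%-22q -> rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-22q -> dial %s\n", in, ep.DialAddress())
	}
}
```

One caveat on the posted config rather than on the regression: `insecureSkipVerify: true` turns off verification of the LDAP server's certificate, so the connection to port 636 is encrypted but the server is not authenticated. It is worth removing that flag (and trusting the FreeIPA CA instead) once the connector is working again.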
@MoeBensu
Contributor

MoeBensu commented Aug 6, 2024

Possible duplicate of #3671.

I think it was said this will be included in 2.41.1 or you could temporarily switch to latest (master) where the fix is already available.

@networkhell
Author

@MoeBensu I guess you are right. I didn't look into this because it was already closed. This is a duplicate of #3671
