LDAP Groups query never run when "groups" in scope #2756
I'm trying to PoC Dex against our LDAP backend using the example app provided. I also have logging set to debug so I can see when the LDAP queries are made. I can see what queries are made to LDAP. The one for users is hit, but not for groups: https://github.com/dexidp/dex/blob/master/connector/ldap/ldap.go#L599

No groups are added to the JWT after a successful LDAP login. Here is my config yaml in a config map.

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: dex
  namespace: dex
data:
  config.yaml: |
    issuer: http://10.168.88.9:443
    storage:
      type: kubernetes
      config:
        inCluster: true
    logger:
      level: debug
    web:
      http: 0.0.0.0:5556
      #tlsCert: /etc/dex/tls/tls.crt
      #tlsKey: /etc/dex/tls/tls.key
    connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ldap:389
        insecureNoSSL: true
        bindDN: uid=username,cn=users,cn=accounts,dc=ipa,dc=org
        bindPW: password
        usernamePrompt: LDAP Username
        userSearch:
          baseDN: cn=users,cn=accounts,dc=ipa,dc=org
          filter: "(objectClass=person)"
          username: uid
          # "DN" (case sensitive) is a special attribute name. It indicates that
          # this value should be taken from the entity's DN not an attribute on
          # the entity.
          idAttr: DN
          emailAttr: mail
          nameAttr: uid
          preferredUsername: cn
        groupSearch:
          baseDN: cn=groups,cn=accounts,dc=ipa,dc=org
          #filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))"
          userMatchers:
          # A user is a member of a group when their DN matches
          # the value of a "member" attribute on the group entity.
          - userAttr: DN
            groupAttr: member
          # The group name should be the "cn" value.
          nameAttr: cn
    oauth2:
      skipApprovalScreen: true
    staticClients:
    - id: example-app
      redirectURIs:
      - 'http://127.0.0.1:5555/callback'
      name: 'Example App'
      secret: ZXhhbXBsZS1hcHAtc2VjcmV0
    enablePasswordDB: true
    staticPasswords:
    - email: "admin@example.com"
      # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
      username: "admin"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
```

Any idea what I could be doing wrong?
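To make concrete what the `groupSearch` block in the post is asking Dex to do, here is an offline model of that lookup. This is an added example, not Dex's own code: the entries, DNs, `_group` helper and function names are constructed for illustration, and the filter shape `(&<filter>(<groupAttr>=<escaped userAttr value>))` is an assumption that mirrors what the `userMatchers` comments describe. It also shows why the user value must be RFC 4515 escaped before it is placed in the filter, which is the check a practitioner would want when the matched attribute is something user-influenced like `uid` rather than the DN.

```python
"""Offline model of a Dex-style LDAP groupSearch (added example, not Dex's code).
It mirrors what the groupSearch block in the ConfigMap above configures: for
every userMatcher, the user's `userAttr` value ("DN" meaning the entry's own
DN) is looked for in `groupAttr` on group entries under `baseDN`, AND-ed with
`filter` when one is set, and each hit's `nameAttr` becomes a group claim.
All entries below are constructed samples; no real directory is contacted."""
from __future__ import annotations

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a filter. Without it a
    value containing ')' or '*' rewrites the filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(raw: str) -> str:
    """Reverse of escape_filter_value, used by the toy evaluator below."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 3 <= len(raw):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

def build_group_filter(group_attr: str, user_value: str, base_filter: str | None) -> str:
    """(groupAttr=<escaped value>), wrapped in (&<filter>...) if a filter is set."""
    clause = f"({group_attr}={escape_filter_value(user_value)})"
    return f"(&{base_filter}{clause})" if base_filter else clause

def parse_filter(s: str, i: int = 0):
    """Parser for the filter subset used here (equality, &, |). Returns (node,
    next index); nodes are ('eq', attr, value) or ('and'|'or', [children])."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = ("and" if s[i] == "&" else "or"), i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, raw = s[i:end].partition("=")
    return ("eq", attr.lower(), unescape_filter_value(raw)), end + 1

def evaluate(node, entry: dict) -> bool:
    """Match a parsed filter against an in-memory entry. Values are compared
    literally; a real server treats an unescaped '*' as a wildcard."""
    if node[0] == "eq":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry["attrs"].get(attr, []))
    results = [evaluate(child, entry) for child in node[1]]
    return all(results) if node[0] == "and" else any(results)

def user_value(user: dict, user_attr: str) -> str | None:
    if user_attr == "DN":  # the special, case-sensitive "DN" attribute name
        return user["dn"]
    vals = user["attrs"].get(user_attr.lower(), [])
    return vals[0] if vals else None

def resolve_groups(user: dict, groups: list[dict], search: dict) -> list[str]:
    """Group names the user would receive as claims under this groupSearch."""
    base, names = search["baseDN"].lower(), set()
    for matcher in search["userMatchers"]:
        value = user_value(user, matcher["userAttr"])
        if value is None:
            continue
        node, _ = parse_filter(build_group_filter(matcher["groupAttr"], value, search.get("filter")))
        for group in groups:
            if group["dn"].lower().endswith(base) and evaluate(node, group):
                names.update(group["attrs"].get(search["nameAttr"].lower(), []))
    return sorted(names)

# Constructed sample tree in the shape of the ConfigMap's FreeIPA-style DNs.
USER_DN = "uid=jdoe,cn=users,cn=accounts,dc=ipa,dc=org"
USER = {"dn": USER_DN, "attrs": {"uid": ["jdoe"], "mail": ["jdoe@example.com"], "objectclass": ["person"]}}
def _group(dn, cn, oc, members):  # constructed helper, not a Dex type
    return {"dn": dn, "attrs": {"cn": [cn], "objectclass": [oc], "member": members}}
GROUPS = [
    _group("cn=admins,cn=groups,cn=accounts,dc=ipa,dc=org", "admins", "posixGroup", [USER_DN, "uid=root,cn=users,cn=accounts,dc=ipa,dc=org"]),
    _group("cn=developers,cn=groups,cn=accounts,dc=ipa,dc=org", "developers", "groupOfNames", [USER_DN]),
    _group("cn=auditors,cn=groups,cn=accounts,dc=ipa,dc=org", "auditors", "posixGroup", ["uid=other,cn=users,cn=accounts,dc=ipa,dc=org"]),
    _group("cn=stray,ou=groups,dc=elsewhere,dc=org", "stray", "groupOfNames", [USER_DN]),  # outside baseDN, must be ignored
]
# Same settings as the groupSearch block in the ConfigMap above.
GROUP_SEARCH = {"baseDN": "cn=groups,cn=accounts,dc=ipa,dc=org", "filter": None,
                "userMatchers": [{"userAttr": "DN", "groupAttr": "member"}], "nameAttr": "cn"}

if __name__ == "__main__":
    print(build_group_filter("member", USER_DN, GROUP_SEARCH["filter"]))
    print(resolve_groups(USER, GROUPS, GROUP_SEARCH))  # ['admins', 'developers']
```

Running it prints the filter the group query would carry and the two group names that should end up in the token. Uncommenting the `filter` line from the config and passing it as `filter` narrows the candidate set to `posixGroup`/`groupOfNames` entries without changing the result for this tree, which is a quick way to confirm the config, rather than the connector, is not the reason the groups query never fires.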
Replies: 2 comments
@nabokihms any insight into this? I've verified that the
Ok well I guess this was a recent bug fix. It didn't work in v2.30 and it does in v2.35 🤷