Certificate Authentication LDAP

[kayanbuild]

Hi team,
First thanks for the great Dex, I'm working with it now for over 3 months and I love it.

I was testing it with OpenLDAP and works great.

I have a project where LDAP is provided by Google Workspace (Secure LDAP)

The authentication mechanism works using certificates, and the user credentials are not sufficient to bind successfully.
As explained in the documentation here in the question: Why do I need both a certificate and access credentials to authenticate LDAP clients?

The way to configure it and obtain the credentials and certificates is documented here

For example this ldapsearch works great with certificates:

LDAPTLS_CERT=google.crt LDAPTLS_KEY=google.key ldapsearch -H ldaps://ldap.google.com:636 -b dc=example,dc=com '(uid=carl)'
In DexIDP documentation (LDAP connector) I didn't find certificates authentication example, there is a rootCA section for root certificate which I believe is not related to my question.

I found in the source code two options: ClientCertificateData and ClientKeyData but wasn't able to reason about them, for example the comment:
// NOTE(ericchiang): Our yaml parser doesn't assume []byte is a base64 encoded string.
does it mean we can provide the cer and key files as base64 encoded value in the config? does it work only for gRPC not meant for LDAP?

My Question is: is this scenario supported in DexIDP?
Was anyone able to run Dex with Google Secure LDAP given the certificate authentication?

Many thanks

[kayanbuild]

I was able to find it by digging deep in the LDAP Connector code, good news is this is working with:

clientKey: "/home/user/certs/google.key" clientCert: "/home/user/certs/google.crt"
Passing the certificates directly in the config as data base64 is not supported.