Closed jbackman closed 5 years ago
Tracking under FMFA-286
Did this work previously? If so, was there anything obvious that changed in the environment? Does updating the password through iControl REST work?
We have not been able to set the bind_password via either the bigip_device_auth_ldap module OR the bigip_command module. This configures all other auth elements, and we are able to update the bind_password using the standard Web UI or directly using tmsh.
@jbackman
So the command you normally issue with tmsh, you tried with the command module, correct? If so, this might sound like a REST issue. As a test, is there a chance you can try to set this password by sending JSON with Postman?
Created OK with this JSON on v13.1:
{
  "name": "system-auth",
  "partition": "Common",
  "searchBaseDn": "dc=testdc,dc=test,dc=com",
  "bindDn": "CN=testuser,OU=Role Accounts,OU=Enabled Accounts,DC=testdc,DC=test,DC=com",
  "bindPw": "Th!|s1sT3st",
  "servers": ["testdc.test.com"]
}
RESPONSE:
{
  "kind": "tm:auth:ldap:ldapstate",
  "name": "system-auth",
  "partition": "Common",
  "fullPath": "/Common/system-auth",
  "generation": 725,
  "selfLink": "https://localhost/mgmt/tm/auth/ldap/~Common~system-auth?ver=13.1.1.4",
  "bindDn": "CN=testuser,OU=Role Accounts,OU=Enabled Accounts,DC=testdc,DC=test,DC=com",
  "bindPw": "$M$1G$pmDr0xfK+wTuTqe9MeXoVg==",
  "bindTimeout": 30,
  "checkHostAttr": "disabled",
  "checkRolesGroup": "disabled",
  "debug": "disabled",
  "idleTimeout": 3600,
  "ignoreAuthInfoUnavail": "no",
  "ignoreUnknownUser": "disabled",
  "port": 389,
  "scope": "sub",
  "searchBaseDn": "dc=testdc,dc=test,dc=com",
  "searchTimeout": 30,
  "servers": [
    "testdc.test.com"
  ],
  "ssl": "disabled",
  "sslCheckPeer": "disabled",
  "version": 3,
  "warnings": "enabled"
}
PATCH:
{ "bindPw":"Ch4ng3!me!" }
RESPONSE:
{
  "kind": "tm:auth:ldap:ldapstate",
  "name": "system-auth",
  "partition": "Common",
  "fullPath": "/Common/system-auth",
  "generation": 726,
  "selfLink": "https://localhost/mgmt/tm/auth/ldap/~Common~system-auth?ver=13.1.1.4",
  "bindDn": "CN=testuser,OU=Role Accounts,OU=Enabled Accounts,DC=testdc,DC=test,DC=com",
  "bindPw": "$M$Zg$zCoW4cnOL/9NHCcIYmuvcQ==", <-- this has changed
  "bindTimeout": 30,
  "checkHostAttr": "disabled",
  "checkRolesGroup": "disabled",
  "debug": "disabled",
  "idleTimeout": 3600,
  "ignoreAuthInfoUnavail": "no",
  "ignoreUnknownUser": "disabled",
  "port": 389,
  "scope": "sub",
  "searchBaseDn": "dc=testdc,dc=test,dc=com",
  "searchTimeout": 30,
  "servers": [
    "testdc.test.com"
  ],
  "ssl": "disabled",
  "sslCheckPeer": "disabled",
  "version": 3,
  "warnings": "enabled"
}
@jbackman It works ok with the JSON post and patch, can you try these in your system and let me know if this updates?
Patch does NOT seem to work with my system. I do see that the bindPw is changing, but the value is being incorrectly set. I am using special characters in my production password.
It looks like there is a bug in the API that doesn't like one of the following characters: !`;@)
If there are characters that are not permitted - should the Ansible module report an error vs trying to submit them?
no, for 2 reasons:
If this is a REST issue please open a case with support as this is not Ansible related since directly calling API is also failing.
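Added example (not part of the original thread, and not code from F5 or the Ansible module): a client-side check in Python that builds the same `bindPw` PATCH without sending it, confirms the special characters reach the wire unchanged, and generates one test password per suspect character so the failing one can be isolated on a lab device before opening a support case. The host name, function names and sample passwords are assumptions made up for this example.

```python
import json
import urllib.request

SUSPECT_CHARS = "!`;@)"  # characters named by the reporter in the thread
LDAP_PATH = "/mgmt/tm/auth/ldap/~Common~system-auth"  # from the selfLink above


def build_bindpw_patch(host, password):
    """Build, but do not send, the PATCH request that sets bindPw."""
    body = json.dumps({"bindPw": password}).encode("utf-8")
    return urllib.request.Request(
        f"https://{host}{LDAP_PATH}", data=body, method="PATCH",
        headers={"Content-Type": "application/json"})


def client_side_report(password, request):
    """Confirm the secret reaches the wire unchanged (rules out client encoding)."""
    wire = request.data.decode("utf-8")
    return {
        "round_trip_ok": json.loads(wire)["bindPw"] == password,
        "suspect_chars": sorted(set(SUSPECT_CHARS) & set(password)),
        "wire_body": wire,  # contains the secret: never write this to logs
    }


def isolation_candidates(base):
    """One lab-only test password per suspect character, to find which one fails."""
    return {ch: base + ch for ch in SUSPECT_CHARS}


def bindpw_changed(before, after):
    """A changed stored value proves a write happened, not that it is correct;
    only a real LDAP bind with the new password confirms that."""
    return before["bindPw"] != after["bindPw"]


if __name__ == "__main__":
    pw = "T3st!`;@)pw"  # constructed sample, not a real credential
    req = build_bindpw_patch("bigip.example.invalid", pw)  # placeholder host
    print(req.get_method(), req.full_url)
    print(client_side_report(pw, req))
    print(isolation_candidates("LabOnly0"))
    # Stored bindPw values copied from the two responses in the thread.
    print(bindpw_changed({"bindPw": "$M$1G$pmDr0xfK+wTuTqe9MeXoVg=="},
                         {"bindPw": "$M$Zg$zCoW4cnOL/9NHCcIYmuvcQ=="}))
```

If `round_trip_ok` is true and a bind with one of the single-character candidates still fails after the PATCH, the client-side JSON encoding is ruled out and the failing character can be named in the support case.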
ISSUE TYPE
COMPONENT NAME
bigip_device_auth_ldap
ANSIBLE VERSION
PYTHON VERSION
BIGIP VERSION
ROLE VERSION
CONFIGURATION
N/A
OS / ENVIRONMENT
Linux ip-1-2-3-4.test.com 2.6.32-754.12.1.el6.x86_64 #1 SMP Thu Mar 7 22:07:44 EST 2019 x86_64 x86_64 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 6.10 (Santiago)
SUMMARY
When using the bigip_device_auth_ldap module, the bind_password does not seem to be set correctly. Pasting the same password into the UI fixes the issue.
STEPS TO REPRODUCE
EXPECTED RESULTS
AD configuration bind with specified user can be used for authentication of test user
ACTUAL RESULTS