F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

bigip_device_auth_ldap bind_password not working #1359

Closed jbackman closed 5 years ago

jbackman commented 5 years ago
ISSUE TYPE
COMPONENT NAME

bigip_device_auth_ldap

ANSIBLE VERSION
ansible 2.8.0
  config file = None
  configured module search path = ['/home/jbackman1/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /bb/netfun/lib/python3.7/site-packages/ansible
  executable location = /bb/netfun/bin/ansible
  python version = 3.7.3 (default, May 30 2019, 10:53:18) [GCC 4.4.7 20120313 (Red Hat 4.4.7-23)]
PYTHON VERSION
Python 3.7.3
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     13.1.1.5
  Build       0.40.4
  Edition     Engineering Hotfix
  Date        Tue May 14 15:13:29 PDT 2019

Hotfix List
ID725792-1    ID715923-1
ROLE VERSION
Role: f5devcentral.f5ansible
        description: Ansible role that allows use of the F5 Ansible Modules
        active: True
        commit: 953b7e5b121584e7e5bfa6337a639435e4eb7707
        commit_message: Merging upstream changes - 2019-06-04T07:00:56Z
        commit_url: https://api.github.com/repos/f5devcentral/ansible-role-f5ans
        company: F5 Networks
        created: 2018-10-04T16:14:10.510085Z
        download_count: 5760
        forks_count: 0
        github_branch: master
        github_repo: ansible-role-f5ansible
        github_user: f5devcentral
        id: 30341
        imported: 2019-06-04T03:04:17.276595-04:00
        is_valid: True
        issue_tracker_url:
        license: GPLv3
        min_ansible_version: 2.8
        modified: 2019-06-04T07:04:17.283820Z
        open_issues_count: 0
        path: ('/home/user/.ansible/roles', '/usr/share/ansible/roles', '/e
        role_type: ANS
        stargazers_count: 4
        travis_status_url: https://travis-ci.org/f5devcentral/ansible-role-f5ans
CONFIGURATION

N/A

OS / ENVIRONMENT

Linux ip-1-2-3-4.test.com 2.6.32-754.12.1.el6.x86_64 #1 SMP Thu Mar 7 22:07:44 EST 2019 x86_64 x86_64 x86_64 GNU/Linux

Red Hat Enterprise Linux Server release 6.10 (Santiago)

SUMMARY

When using the bigip_device_auth_ldap module, the bind_password does not seem to be set correctly. Pasting the same password into the UI fixes the issue.

STEPS TO REPRODUCE
- name: Configure LDAP authentication
  bigip_device_auth_ldap:
    bind_dn: "{{ ldap_user }}"
    bind_password: "{{ ldap_password }}"
    check_member_attr: yes
    fallback_to_local: yes
    remote_directory_tree: "{{ldap_remote_dir_tree}}"
    scope: sub
    servers: "{{item.name}}"
    ssl: "{{item.ssl}}"
    port: "{{item.port}}"
    state: present
    provider: "{{f5_provider }}"
  delegate_to: localhost
  loop: "{{ ldap_servers }}"
  when:
    - ldap_password is defined
    - ldap_password != "None"

- name: Enable LDAP authentication
  bigip_command:
    commands: "modify auth source type active-directory fallback true"
    provider: "{{f5_provider }}"
    warn: no
  delegate_to: localhost
  when:
    - ldap_password is defined
    - ldap_password != "None"

where the variables are set:

F5_password: 'admin'
F5_user: 'admin'
f5_provider:
  password: "{{ F5_password }}"
  user: "{{ F5_user }}"
  validate_certs: false
  server: "{{ ansible_host }}"
  transport: rest
ldap_password: 'Th!|s1sT3st'
ldap_user: "CN=testuser,OU=Role Accounts,OU=Enabled Accounts,DC=testdc,DC=test,DC=com"
ldap_remote_dir_tree: "dc=testdc,dc=test,dc=com"
ldap_servers:
  - name: 'testdc.test.com'
    ssl: 'yes'
    port: 636
EXPECTED RESULTS

The AD configuration binds with the specified user and can be used for authentication of the test user.

ACTUAL RESULTS
The module completes successfully.

AD bind fails. Updating the password manually from the UI works.
focrensh commented 5 years ago

Tracking under FMFA-286

focrensh commented 5 years ago

Did this work previously? If so, was there anything obvious that changed in the environment? Does updating the password through iControl REST work?

jbackman commented 5 years ago

We have not been able to set the bind_password via either the bigip_device_auth_ldap module OR the bigip_command module. This configures all other auth elements, and we are able to update the bind_password using the standard Web UI or directly using tmsh.

wojtek0806 commented 5 years ago

@jbackman

So the command you normally issue with tmsh, you tried with the command module, correct? If so, this sounds like a REST issue. As a test, is there a chance you can try to set this password by sending JSON with POSTMAN?

wojtek0806 commented 5 years ago

Created OK with this JSON on v13.1:

{
    "name": "system-auth",
    "partition": "Common",
    "searchBaseDn": "dc=testdc,dc=test,dc=com",
    "bindDn":"CN=testuser,OU=Role Accounts,OU=Enabled Accounts,DC=testdc,DC=test,DC=com",
    "bindPw":"Th!|s1sT3st",
    "servers": ["testdc.test.com"]
}

RESPONSE:

{
  "kind": "tm:auth:ldap:ldapstate",
  "name": "system-auth",
  "partition": "Common",
  "fullPath": "/Common/system-auth",
  "generation": 725,
  "selfLink": "https://localhost/mgmt/tm/auth/ldap/~Common~system-auth?ver=13.1.1.4",
  "bindDn": "CN=testuser,OU=Role Accounts,OU=Enabled Accounts,DC=testdc,DC=test,DC=com",
  "bindPw": "$M$1G$pmDr0xfK+wTuTqe9MeXoVg==",
  "bindTimeout": 30,
  "checkHostAttr": "disabled",
  "checkRolesGroup": "disabled",
  "debug": "disabled",
  "idleTimeout": 3600,
  "ignoreAuthInfoUnavail": "no",
  "ignoreUnknownUser": "disabled",
  "port": 389,
  "scope": "sub",
  "searchBaseDn": "dc=testdc,dc=test,dc=com",
  "searchTimeout": 30,
  "servers": [
    "testdc.test.com"
  ],
  "ssl": "disabled",
  "sslCheckPeer": "disabled",
  "version": 3,
  "warnings": "enabled"
}

PATCH:

{
    "bindPw": "Ch4ng3!me!"
}

RESPONSE:

{
  "kind": "tm:auth:ldap:ldapstate",
  "name": "system-auth",
  "partition": "Common",
  "fullPath": "/Common/system-auth",
  "generation": 726,
  "selfLink": "https://localhost/mgmt/tm/auth/ldap/~Common~system-auth?ver=13.1.1.4",
  "bindDn": "CN=testuser,OU=Role Accounts,OU=Enabled Accounts,DC=testdc,DC=test,DC=com",
  "bindPw": "$M$Zg$zCoW4cnOL/9NHCcIYmuvcQ==", <-- this has changed
  "bindTimeout": 30,
  "checkHostAttr": "disabled",
  "checkRolesGroup": "disabled",
  "debug": "disabled",
  "idleTimeout": 3600,
  "ignoreAuthInfoUnavail": "no",
  "ignoreUnknownUser": "disabled",
  "port": 389,
  "scope": "sub",
  "searchBaseDn": "dc=testdc,dc=test,dc=com",
  "searchTimeout": 30,
  "servers": [
    "testdc.test.com"
  ],
  "ssl": "disabled",
  "sslCheckPeer": "disabled",
  "version": 3,
  "warnings": "enabled"
}

@jbackman It works ok with the JSON post and patch, can you try these in your system and let me know if this updates?

jbackman commented 5 years ago

Patch does NOT seem to work with my system. I do see that the bindPW is changing, but the value is being incorrectly set. I am using special characters in my production password.

jbackman commented 5 years ago

It looks like there is a bug in the API that doesn't like one of the following characters: !`;@)

jbackman commented 5 years ago

If there are characters that are not permitted - should the ansible module report an error vs trying to submit them?
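
The checks the two comments above circle around (whether the client actually sends the special characters intact, and whether a PATCH observably changed the stored bind password) as an added Python example; this is not code from the issue or from the f5-ansible project. The suspect character list and the two response values come from this thread; the function names, the trimmed response dicts and the `$M$...` shape check are constructed for this example and only describe what the posted responses look like, not a documented format.

```python
import json
import re

# Characters the reporter lists as mishandled by the API (taken from the thread).
SUSPECT_CHARS = frozenset("!`;@)")

# Shape of the obfuscated bindPw seen in the thread's responses
# ("$M$1G$pmDr0xfK+wTuTqe9MeXoVg=="); treated as an opaque token, never decoded.
# Assumption for this example: this shape is only inferred from the two samples.
_OBFUSCATED_RE = re.compile(r"\$M\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+={0,2}")


def suspect_characters(password: str) -> set:
    """Return the characters in `password` that the issue reports as problematic,
    so a playbook can fail fast before pushing a secret the device may mangle."""
    return {c for c in password if c in SUSPECT_CHARS}


def build_ldap_patch_body(bind_pw: str) -> str:
    """Serialize the PATCH body for /mgmt/tm/auth/ldap/~Common~system-auth.
    json.dumps only escapes quotes, backslashes and control characters, so every
    character in SUSPECT_CHARS leaves the client byte-for-byte; a mangled value
    on the device therefore cannot be blamed on JSON encoding."""
    return json.dumps({"bindPw": bind_pw})


def is_obfuscated(value: str) -> bool:
    """True when a returned bindPw has the opaque $M$...$... shape, i.e. the
    device did not echo the plaintext secret back to the REST client."""
    return _OBFUSCATED_RE.fullmatch(value) is not None


def password_changed(before: dict, after: dict) -> bool:
    """Compare two ldapstate responses taken around a PATCH. The stored bindPw
    cannot be read back, so the only observable evidence of a change is a
    different opaque token plus a higher config generation (725 -> 726 here)."""
    return (
        is_obfuscated(after["bindPw"])
        and after["bindPw"] != before["bindPw"]
        and after["generation"] > before["generation"]
    )


# Constructed samples: the relevant fields of the two responses posted above.
RESPONSE_BEFORE = {
    "kind": "tm:auth:ldap:ldapstate",
    "name": "system-auth",
    "generation": 725,
    "bindPw": "$M$1G$pmDr0xfK+wTuTqe9MeXoVg==",
}
RESPONSE_AFTER = {
    "kind": "tm:auth:ldap:ldapstate",
    "name": "system-auth",
    "generation": 726,
    "bindPw": "$M$Zg$zCoW4cnOL/9NHCcIYmuvcQ==",
}


def preflight(bind_pw: str) -> dict:
    """Run the pre-PATCH and post-PATCH checks a playbook task could apply."""
    return {
        "suspect": sorted(suspect_characters(bind_pw)),
        "body": build_ldap_patch_body(bind_pw),
        "changed": password_changed(RESPONSE_BEFORE, RESPONSE_AFTER),
    }


if __name__ == "__main__":
    print(preflight("Ch4ng3!me!"))
```

`password_changed` deliberately cannot tell whether the new value is the intended one; it only confirms that something changed and that the device never returned the plaintext. Verifying the actual bind still needs an LDAP login test, which is what the reporter did through the UI.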

wojtek0806 commented 5 years ago

No, for 2 reasons:

If this is a REST issue, please open a case with support, as this is not Ansible related, since directly calling the API is also failing.