ansible / awx-operator

An Ansible AWX operator for Kubernetes built with Operator SDK and Ansible. 🤖
https://www.github.com/ansible/awx
Apache License 2.0

LDAP login works only once per user #507

Closed gjsmo closed 3 years ago

gjsmo commented 3 years ago
ISSUE TYPE
SUMMARY

After configuring LDAP, I'm able to log in. Attributes and groups seem to sync correctly. After logging out, however, I can no longer log in with that same username. The only error in the awx-task log is awx.api.generics Login failed for user.

ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS

User should be able to login again successfully.

ACTUAL RESULTS

User can only login once.

ADDITIONAL INFORMATION

Redacted config as follows:

LDAP Server URI
ldap://ldap-server.example.com/
LDAP Bind DN
uid=svc_awx,cn=sysaccounts,cn=etc,dc=example,dc=com
LDAP Bind Password
Encrypted
LDAP User DN Template
uid=%(user)s,cn=users,cn=accounts,dc=example,dc=com
LDAP Group Type
GroupOfNamesType
LDAP Require Group
cn=awx-users,cn=groups,cn=accounts,dc=example,dc=com
LDAP Deny Group
Not configured
LDAP Start TLS
On

LDAP User Search
[
  "cn=users,cn=accounts,dc=example,dc=com",
  "SCOPE_SUBTREE",
  "(uid=%(user)s)"
]

LDAP Group Search
[
  "cn=groups,cn=accounts,dc=example,dc=com",
  "SCOPE_SUBTREE",
  "(objectClass=nestedGroup)"
]

LDAP User Attribute Map
{
  "first_name": "givenName",
  "last_name": "sn",
  "email": "mail"
}

LDAP User Flags By Group
{
  "is_superuser": [
    "cn=awx-admins,cn=groups,cn=accounts,dc=example,dc=com"
  ]
}

Deleting the LDAP user using the admin account seems to allow logging in again.

AWX-OPERATOR LOGS
jorgeyanesdiez commented 3 years ago

I am having the same issue. Furthermore, LDAP users no longer have the "LDAP" label as in previous versions.

On a sidenote: If I change the password for the "admin" user, it is reset every time I restart minikube. The issues are probably related.

felipe4334 commented 3 years ago

Same issue here, I have awx-operator 0.13.0 here. I tried creating an awx instance from scratch without restoring from any backups and still the same issue. I have another cluster running AWX 19.2.2 and this issue does not appear there. This issue only appears with new users though, users already configured for LDAP will keep working. The same user that can't be found on AD when adding it and relogging in is the same user that works when LDAP is already configured.

mhahl commented 3 years ago

Just confirming I can replicate this issue on the following:

ENVIRONMENT

lo78cn commented 3 years ago

I face the same issue.

There is one required user attribute value missing in the API output (this results in the missing LDAP label in the GUI).

It should be something like:

Also missing, but less critical for LDAP to work:

I was able to fix it by directly setting ldap_dn in the database table main_profile (dirty hack).

minikube kubectl -- exec -ti awx-postgres-0 -- psql -U awx
update main_profile set ldap_dn = 'cn=username,ou=users,dc=internal,dc=org,dc=net' where id = (select id from auth_user where username = 'username');

kurokobo commented 3 years ago

This seems to be an issue on the AWX side; ansible/awx#10883

tchellomello commented 3 years ago

@kurokobo should be fixed by ansible/awx#10965

kurokobo commented 3 years ago

@tchellomello Thanks for the quick fix! I look forward to the release of the new version with the fixes included :rocket:

josue-soares commented 8 months ago

Script example for the adjustment:

root@awxansible:~# cat ajusta-usuarios.sh

#!/bin/bash
# List every AWX username, dropping the table header rows and the local admin account
tower-cli user list --all-pages | egrep -v '(==|admin|username)' | awk -F ' ' '{print $2}' > /tmp/usuarios.txt

for U in $(cat /tmp/usuarios.txt); do
  echo "ajustando o usuario $U"
  # Look up the user's DN in the directory (-w puts the bind password on the command line; -W or -y <file> avoids that)
  DN=$(ldapsearch -o ldif-wrap=no -w xxxxxx -H ldap://ldapxxxxxx -b 'ou=xx,dc=xxx,dc=xxx' -D uid=xxx,ou=xxx,dc=xxx,dc=zzz "(uid=$U)" dn | egrep ^dn | awk -F ' ' '{print $2}')
  # Skip users the directory does not know, so a failed lookup never overwrites ldap_dn with an empty string
  [ -z "$DN" ] && continue
  # Same fix as the manual psql update above, applied per user
  kubectl exec awx-postgres-13-0 -- psql -U awx -d awx -c \
    "update main_profile set ldap_dn = '$DN' \
     where id = (select id from auth_user where username = '$U');"
done
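The manual psql update and the bulk shell script above both write the directory DN into main_profile.ldap_dn by interpolating the username and DN straight into the SQL text, and the shell version would set an empty ldap_dn whenever ldapsearch returns nothing. The following is an added example, not code from any participant in this thread or from the AWX project: it reproduces the same detection (profiles with an empty ldap_dn) and the same repair, but with bound SQL parameters and a guard that leaves users unknown to the directory untouched. It assumes only the two tables and columns the thread's SQL uses (real AWX tables have more columns), uses an in-memory sqlite3 database as a stand-in for Postgres, and replaces the ldapsearch call with a constructed uid-to-DN dictionary.

```python
import sqlite3

# Constructed sample data standing in for the AWX Postgres database: only the
# two tables and columns the thread's SQL touches (real AWX tables have more).
AUTH_USER = [(1, "admin"), (2, "alice"), (3, "bob"), (4, "carol")]
MAIN_PROFILE = [
    (1, ""),                                                # local admin, never an LDAP user
    (2, ""),                                                # LDAP user hit by the bug
    (3, "uid=bob,cn=users,cn=accounts,dc=example,dc=com"),  # LDAP user already correct
    (4, ""),                                                # local user, not in the directory
]

# Constructed stand-in for the ldapsearch lookup (uid -> DN); a real run would
# query the directory instead. carol is deliberately absent.
DIRECTORY = {
    "alice": "uid=alice,cn=users,cn=accounts,dc=example,dc=com",
    "bob": "uid=bob,cn=users,cn=accounts,dc=example,dc=com",
}


def open_db():
    """Build the in-memory sample database from the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.execute("CREATE TABLE main_profile (id INTEGER PRIMARY KEY, ldap_dn TEXT)")
    conn.executemany("INSERT INTO auth_user VALUES (?, ?)", AUTH_USER)
    conn.executemany("INSERT INTO main_profile VALUES (?, ?)", MAIN_PROFILE)
    conn.commit()
    return conn


def users_missing_ldap_dn(conn, exclude=("admin",)):
    """Detection: usernames whose profile has an empty ldap_dn, skipping the
    local accounts named in `exclude`. Returns a sorted list."""
    marks = ",".join("?" * len(exclude))
    rows = conn.execute(
        "SELECT u.username FROM auth_user u JOIN main_profile p ON p.id = u.id "
        f"WHERE p.ldap_dn = '' AND u.username NOT IN ({marks}) ORDER BY u.username",
        tuple(exclude),
    )
    return [r[0] for r in rows]


def ldap_dn_of(conn, username):
    """Current ldap_dn stored for a username, or None if the user does not exist."""
    row = conn.execute(
        "SELECT p.ldap_dn FROM main_profile p JOIN auth_user u ON p.id = u.id "
        "WHERE u.username = ?",
        (username,),
    ).fetchone()
    return row[0] if row else None


def repair_ldap_dns(conn, lookup, usernames):
    """Repair: set ldap_dn for each user the directory knows. Users without a
    DN are reported, not written, so a failed lookup never blanks a profile.
    Values are bound parameters, never interpolated into the SQL string."""
    fixed, skipped = [], []
    for name in usernames:
        dn = lookup(name)
        if not dn:
            skipped.append(name)
            continue
        conn.execute(
            "UPDATE main_profile SET ldap_dn = ? "
            "WHERE id = (SELECT id FROM auth_user WHERE username = ?)",
            (dn, name),
        )
        fixed.append(name)
    conn.commit()
    return fixed, skipped


if __name__ == "__main__":
    db = open_db()
    todo = users_missing_ldap_dn(db)
    print("profiles with empty ldap_dn:", todo)
    print("fixed / skipped:", repair_ldap_dns(db, DIRECTORY.get, todo))
    print("still empty after repair:", users_missing_ldap_dn(db))
```

Against a real deployment the `lookup` argument would be a function that performs the directory search with the bind credentials read from a file or environment rather than the command line, and the connection would point at the AWX Postgres instance; the detection query is also a useful one-off check after upgrading to a release that contains the fix, since any profile still showing an empty ldap_dn for a known directory user indicates the repair has not been applied.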