ansible / awx-operator

An Ansible AWX operator for Kubernetes built with Operator SDK and Ansible. 🤖
https://www.github.com/ansible/awx
Apache License 2.0

LDAP authentication getting failed when configured via extra setting option.(Setting.py missing LDAPSearch Module) #525

Open siju-vasudevan opened 3 years ago

siju-vasudevan commented 3 years ago
ISSUE TYPE
SUMMARY

LDAP authentication fails when configured via the extra settings option.

ENVIRONMENT

Error: awx-instance-001-web log

2021-09-06 12:33:07,766 WARNING [cf97745d167c40189a8e3dad4fe30312] awx.conf.registry Unable to retrieve default value for setting "AUTH_LDAP_GROUP_SEARCH".
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/awx/conf/registry.py", line 153, in get_setting_field
    field_instance.default = original_field_instance.to_representation(self.settings._awx_conf_settings._get_default(setting))
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/awx/sso/fields.py", line 348, in to_representation
    self.fail('type_error', input_type=type(value))
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/rest_framework/fields.py", line 641, in fail
    raise ValidationError(message_string, code=key)
rest_framework.exceptions.ValidationError: [ErrorDetail(string="Expected an instance of LDAPSearch but got <class 'list'> instead.", code='type_error')]
2021-09-06 12:33:07,771 WARNING [cf97745d167c40189a8e3dad4fe30312] awx.conf.registry Unable to retrieve default value for setting "AUTH_LDAP_USER_SEARCH".
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/awx/conf/registry.py", line 153, in get_setting_field
    field_instance.default = original_field_instance.to_representation(self.settings._awx_conf_settings._get_default(setting))
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/awx/sso/fields.py", line 384, in to_representation
    self.fail('type_error', input_type=type(value))
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/rest_framework/fields.py", line 641, in fail
    raise ValidationError(message_string, code=key)
rest_framework.exceptions.ValidationError: [ErrorDetail(string="Expected an instance of LDAPSearch or LDAPSearchUnion but got <class 'list'> instead.", code='type_error')]
2021-09-06 12:33:07,780 ERROR [cf97745d167c40189a8e3dad4fe30312] awx.sso.backends Encountered an error authenticating to LDAP
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/awx/sso/backends.py", line 118, in authenticate
    raise ImproperlyConfigured("{} must be an {} instance.".format(settingname, type))
django.core.exceptions.ImproperlyConfigured: GROUP_SEARCH must be an LDAPSearch instance.

If we configure the AUTH_LDAP_USER_SEARCH and AUTH_LDAP_GROUP_SEARCH settings as below then we will get different errors.

Error: awx-instance-001-web log

NameError: name 'LDAPSearch' is not defined
2021-09-06 11:18:26,222 INFO exited: wsbroadcast (exit status 1; not expected)
2021-09-06 11:18:26,222 INFO exited: wsbroadcast (exit status 1; not expected)
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/bin/daphne", line 8, in
    sys.exit(CommandLineInterface.entrypoint())
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/daphne/cli.py", line 191, in entrypoint
    cls().run(sys.argv[1:])
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/daphne/cli.py", line 252, in run
    application = import_by_path(args.application)
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/daphne/utils.py", line 12, in import_by_path
    target = importlib.import_module(module_path)
  File "/usr/lib64/python3.8/importlib/init.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1014, in _gcd_import
  File "", line 991, in _find_and_load
  File "", line 975, in _find_and_load_unlocked
  File "", line 671, in _load_unlocked
  File "", line 783, in exec_module
  File "", line 219, in _call_with_frames_removed
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/awx/asgi.py", line 12, in
    prepare_env() # NOQA
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/awx/init.py", line 103, in prepare_env
    if not settings.DEBUG: # pragma: no cover
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/django/conf/init.py", line 79, in getattr
    self._setup(name)
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/django/conf/init.py", line 66, in _setup
    self._wrapped = Settings(settings_module)
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/django/conf/init.py", line 157, in init
    mod = importlib.import_module(self.SETTINGS_MODULE)
  File "/usr/lib64/python3.8/importlib/init.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1014, in _gcd_import
  File "", line 991, in _find_and_load
  File "", line 975, in _find_and_load_unlocked
  File "", line 671, in _load_unlocked
  File "", line 783, in exec_module
  File "", line 219, in _call_with_frames_removed
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/awx/settings/production.py", line 62, in
    include(settings_file, optional(settings_files), scope=locals())
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/split_settings/tools.py", line 107, in include
    exec(compiled_code, scope) # noqa: S102, WPS421
  File "/etc/tower/settings.py", line 82, in
    AUTH_LDAP_USER_SEARCH = LDAPSearch("DC=win,DC=xyz,DC=abc,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)")
NameError: name 'LDAPSearch' is not defined

EXPECTED RESULTS

Authenticate user with LDAP configuration

ACTUAL RESULTS

It gives an error and authentication fails.

ADDITIONAL INFORMATION

Looks like from django_auth_ldap.config import LDAPSearch is missing in /etc/tower/settings.py https://github.com/ansible/awx-operator/blob/devel/roles/installer/templates/config.yaml.j2#L19

AWX-OPERATOR LOGS

chrismeyersfsu commented 3 years ago

@siju-vasudevan could you test if quoting the value below results in it working?

value: 'LDAPSearch("DC=win,DC=xyz,DC=abc,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)")'

Otherwise, LDAP can be configured via the AWX API/UI post deploy.

hungtran84 commented 3 years ago

> @siju-vasudevan could you test if quoting the value below results in it working?
>
> value: 'LDAPSearch("DC=win,DC=xyz,DC=abc,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)")'
>
> Otherwise, LDAP can be configured via the AWX API/UI post deploy.

@chrismeyersfsu I tried it and experienced the same issue. Anyway, LDAP should be bootstrapped with the AWX cluster to make it declarative (similar to the deprecated awx helm). Using the API post deploy is imperative and not visible as code.

siju-vasudevan commented 3 years ago

Sure. I will test it and let you know the status.

siju-vasudevan commented 3 years ago

Configured like below. But in AWX-Web container could see the below mentioned logs.

value: 'LDAPSearch("DC=win,DC=xyz,DC=abc,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)")'

  File "/usr/lib64/python3.8/importlib/init.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1014, in _gcd_import
  File "", line 991, in _find_and_load
  File "", line 975, in _find_and_load_unlocked
  File "", line 671, in _load_unlocked
  File "", line 783, in exec_module
  File "", line 219, in _call_with_frames_removed
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/awx/settings/production.py", line 62, in
    include(settings_file, optional(settings_files), scope=locals())
  File "/var/lib/awx/venv/awx/lib64/python3.8/site-packages/split_settings/tools.py", line 107, in include
    exec(compiled_code, scope) # noqa: S102, WPS421
  File "/etc/tower/settings.py", line 82, in
    AUTH_LDAP_USER_SEARCH = LDAPSearch("DC=win,DC=xyz,DC=abc,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)")
NameError: name 'LDAPSearch' is not defined

siju-vasudevan commented 3 years ago

So adding additional quotes won't help.

siju-vasudevan commented 3 years ago

This issue can be fixed by adding one line into the config.yaml.j2 file. Kindly find the pull request below. https://github.com/ansible/awx-operator/pull/536

hungtran84 commented 3 years ago

@siju-vasudevan could you share your full LDAP configuration via extra setting? Cannot set Group Type to ActiveDirectory as well

siju-vasudevan commented 3 years ago

extra_settings:

damoxc commented 3 years ago

@siju-vasudevan @hungtran84 It's possible to add it in with things as they are now, but it is very much a bodge.

You can abuse extra_settings by adding the import as a setting key with a trailing # to ensure that the added = doesn't cause any problems:

extra_settings:
- setting: 'from ldap import SCOPE_SUBTREE #'
  value: ''
- setting: 'from django_auth_ldap.config import LDAPSearch #'
  value: ''
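
An added example (not code from awx-operator or from any commenter in this thread): a static check of the lines that extra_settings entries produce in settings.py, using only Python's ast module so nothing is executed. It assumes each entry is rendered as `<setting> = <value>`, as the traceback and the "added =" remark above imply; `render`, `undefined_names` and `non_identifier_keys` are hypothetical helper names.

```python
import ast
import builtins

# Constructed input: the value string quoted in the thread.
SEARCH = ('LDAPSearch("DC=win,DC=xyz,DC=abc,DC=com",'
          '"SCOPE_SUBTREE","(sAMAccountName=%(user)s)")')
ORIGINAL = [{"setting": "AUTH_LDAP_USER_SEARCH", "value": SEARCH}]
WORKAROUND = [
    {"setting": "from ldap import SCOPE_SUBTREE #", "value": ""},
    {"setting": "from django_auth_ldap.config import LDAPSearch #", "value": ""},
] + ORIGINAL


def render(extra_settings):
    """Assumed template behaviour: one `<setting> = <value>` line per entry."""
    return [f"{e['setting']} = {e['value']}" for e in extra_settings]


def undefined_names(lines):
    """Names a rendered line reads before any import or assignment binds them."""
    defined = set(dir(builtins))
    missing = []
    for line in lines:
        nodes = list(ast.walk(ast.parse(line)))
        for node in nodes:
            if (isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load)
                    and node.id not in defined):
                missing.append(node.id)
        for node in nodes:
            if isinstance(node, (ast.Import, ast.ImportFrom)):
                defined.update((a.asname or a.name).split(".")[0] for a in node.names)
            elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
                defined.add(node.id)
    return missing


def non_identifier_keys(extra_settings):
    """Keys that are not plain setting names, i.e. keys that carry code."""
    return [e["setting"] for e in extra_settings if not e["setting"].isidentifier()]


if __name__ == "__main__":
    print(undefined_names(render(ORIGINAL)))      # the NameError case
    print(undefined_names(render(WORKAROUND)))    # names resolve after the imports
    print(non_identifier_keys(WORKAROUND))        # keys rendered as code
```

A key reported by `non_identifier_keys` ends up in settings.py as a statement rather than a setting name, so it is worth reviewing in any AWX custom resource before it is applied.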

hungtran84 commented 3 years ago

@damoxc thanks for the trick. Another issue that I face is AUTH_LDAP_BIND_PASSWORD, which I cannot pass to extra_settings as plaintext. Is it possible to pass it from the existing k8s secret?