Open djohnson1865 opened 2 years ago
Got same error, AWX Version 21.1.0 is running on vSphere Tanzu
Does it work if you remove the quotes from the values for AUTH_LDAP_USER_SEARCH and AUTH_LDAP_GROUP_SEARCH?
Got the same error; both tried variants did not work.

```yaml
var1:
  - setting: AUTH_LDAP_GROUP_TYPE
    value: >-
      '"ActiveDirectoryGroupType"'
var2:
  - setting: AUTH_LDAP_GROUP_TYPE
    value: >-
      "ActiveDirectoryGroupType"
```
From reading the docs, what about:

```yaml
- setting: AUTH_LDAP_GROUP_TYPE
  value: ActiveDirectoryGroupType()
```
@shanemcd also your proposed setting results in:

```text
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
NameError: name 'ActiveDirectoryGroupType' is not defined
```
I'm encountering the same type of problem with AWX 21.5.0 on a kubeadm k8s cluster. Tried several syntaxes without success.

```yaml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awxrct
  namespace: awx
spec:
  extra_settings:
    - setting: AUTH_LDAP_SERVER_URI
      value: >-
        "ldaps://ldap2:636 ldaps://ldap1:636"
    - setting: AUTH_LDAP_USER_SEARCH
      value: "LDAPSearch('OU=People,DC=ldap,DC=company,DC=com',ldap.SCOPE_SUBTREE,'(&(uid=%(user)s)(|(accessentrylevel=grp_dev)(accessentrylevel=grp_xprt)))',)"
    - setting: AUTH_LDAP_GROUP_SEARCH
      value: "LDAPSearch('OU=Groups,DC=ldap,DC=company,DC=com',ldap.SCOPE_SUBTREE,'(objectClass=posixgroup)',)"
    - setting: AUTH_LDAP_GROUP_TYPE
      value: >-
        GroupOfNamesType
    - setting: AUTH_LDAP_GROUP_TYPE_PARAMS
      value: >-
        "{}"
    - setting: AUTH_LDAP_USER_ATTR_MAP
      value: "{'first_name': 'gecos','last_name': 'sn','email': 'mail'}"
    - setting: AUTH_LDAP_USER_FLAGS_BY_GROUP
      value: "{
        'is_superuser': [
          'CN=grp_Admin,OU=Group,DC=ldap,DC=company,DC=com'
        ]
        }"
    - setting: AUTH_LDAP_ORGANIZATION_MAP
      value: "{
        'OBS': {
          'admins': 'CN=grp_Admin,OU=Group,DC=ldap,DC=company,DC=com',
          'remove_admins': 'true',
          'users': 'true',
          'remove_users': 'true'
        }
        }"
    - setting: AUTH_LDAP_TEAM_MAP
      value: "{
        'PF3WI': {
          'organization': 'OBS',
          'users': 'CN=grp_Admin,OU=Group,DC=ldap,DC=company,DC=com',
          'remove': 'true'
        }
        }"
```
I get hundreds of messages of this type:

```text
2022-09-02 11:25:01,351 WARNING [e40a708f291b489d8e05d34c1aeb78a7] awx.conf.registry Unable to retrieve default value for setting "AUTH_LDAP_GROUP_TYPE".
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/conf/registry.py", line 153, in get_setting_field
    field_instance.default = original_field_instance.to_representation(self.settings._awx_conf_settings._get_default(setting))
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/sso/fields.py", line 441, in to_representation
    self.fail('type_error', input_type=type(value))
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/rest_framework/fields.py", line 641, in fail
    raise ValidationError(message_string, code=key)
rest_framework.exceptions.ValidationError: [ErrorDetail(string="Une instance de LDAPGroupType était attendue, mais <class 'type'> a été obtenu à la place.", code='type_error')]
...
2022-09-02 11:25:01,500 WARNING [e40a708f291b489d8e05d34c1aeb78a7] awx.conf.settings The current value "OrderedDict([('member_attr', 'member'), ('name_attr', 'cn')])" for setting "AUTH_LDAP_GROUP_TYPE_PARAMS" is invalid.
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/conf/registry.py", line 153, in get_setting_field
    field_instance.default = original_field_instance.to_representation(self.settings._awx_conf_settings._get_default(setting))
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/sso/fields.py", line 441, in to_representation
    self.fail('type_error', input_type=type(value))
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/rest_framework/fields.py", line 641, in fail
    raise ValidationError(message_string, code=key)
rest_framework.exceptions.ValidationError: <unprintable ValidationError object>

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/conf/settings.py", line 381, in _get_local
    internal_value = field.to_internal_value(value)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/sso/fields.py", line 484, in to_internal_value
    group_type_str = self.get_depends_on()
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/sso/fields.py", line 73, in get_depends_on
    res = settings._get_local(dependent_key, validate=False)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/conf/settings.py", line 343, in _get_local
    field = self.registry.get_setting_field(name)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/conf/registry.py", line 157, in get_setting_field
    logger.warning('Unable to retrieve default value for setting "%s".', setting, exc_info=True)
  File "/usr/lib64/python3.9/logging/__init__.py", line 1458, in warning
    self._log(WARNING, msg, args, **kwargs)
  File "/usr/lib64/python3.9/logging/__init__.py", line 1589, in _log
    self.handle(record)
  File "/usr/lib64/python3.9/logging/__init__.py", line 1599, in handle
    self.callHandlers(record)
  File "/usr/lib64/python3.9/logging/__init__.py", line 1661, in callHandlers
    hdlr.handle(record)
  File "/usr/lib64/python3.9/logging/__init__.py", line 952, in handle
    self.emit(record)
  File "/usr/lib64/python3.9/logging/__init__.py", line 1083, in emit
    msg = self.format(record)
  File "/usr/lib64/python3.9/logging/__init__.py", line 927, in format
    return fmt.format(record)
  File "/usr/lib64/python3.9/logging/__init__.py", line 671, in format
    record.exc_text = self.formatException(record.exc_info)
  File "/usr/lib64/python3.9/logging/__init__.py", line 621, in formatException
    traceback.print_exception(ei[0], ei[1], tb, None, sio)
  File "/usr/lib64/python3.9/traceback.py", line 103, in print_exception
    for line in TracebackException(
  File "/usr/lib64/python3.9/traceback.py", line 517, in __init__
    self.stack = StackSummary.extract(
  File "/usr/lib64/python3.9/traceback.py", line 366, in extract
    f.line
  File "/usr/lib64/python3.9/traceback.py", line 288, in line
    self._line = linecache.getline(self.filename, self.lineno).strip()
  File "/usr/lib64/python3.9/linecache.py", line 30, in getline
    lines = getlines(filename, module_globals)
RecursionError: maximum recursion depth exceeded
...
```
With a different syntax:

```yaml
...
spec:
  extra_settings:
    ...
    - setting: AUTH_LDAP_GROUP_TYPE
      value: >-
        "GroupOfNamesType"
    - setting: AUTH_LDAP_GROUP_TYPE_PARAMS
      value: >-
        "'{}'"
    ...
```

I get other errors:

```text
2022-09-02 11:56:50,352 WARNING [5e073a86e70540dea459eb99c48c4ab2] awx.conf.registry Unable to retrieve default value for setting "AUTH_LDAP_GROUP_TYPE".
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/conf/registry.py", line 153, in get_setting_field
    field_instance.default = original_field_instance.to_representation(self.settings._awx_conf_settings._get_default(setting))
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/sso/fields.py", line 441, in to_representation
    self.fail('type_error', input_type=type(value))
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/rest_framework/fields.py", line 641, in fail
    raise ValidationError(message_string, code=key)
rest_framework.exceptions.ValidationError: [ErrorDetail(string="Une instance de LDAPGroupType était attendue, mais <class 'str'> a été obtenu à la place.", code='type_error')]
```

What is the right syntax to use LDAP authentication? How to enable Debug level?
Same error here with "ActiveDirectoryGroupType" on AWX 21.3.0.
Hi all, found a workaround in other issues. This will not fix the UI error "Something went wrong..." but at least LDAP authentication is working properly 😃

https://github.com/ansible/awx-operator/issues/642
https://github.com/ansible/awx-operator/pull/961

The fix is merged, but into ansible:devel; for now you can use the following configuration for Active Directory:

```yaml
extra_settings:
  - setting: AUTH_LDAP_SERVER_URI
    value: '"ldaps://demo.com:636"; from django_auth_ldap.config import NestedActiveDirectoryGroupType'
  - setting: AUTH_LDAP_BIND_DN
    value: >-
      "CN=SA_Ldaps,OU=Service,OU=Users,OU=Special,OU=PROD,DC=demo,DC=com"
  - setting: AUTH_LDAP_GROUP_TYPE_PARAMS
    value: '{ "name_attr": "cn" }'
  - setting: AUTH_LDAP_USER_SEARCH
    value: 'LDAPSearch("OU=ADMIN,DC=demo,DC=com",ldap.SCOPE_SUBTREE,"(sAMAccountName=%(user)s)",)'
  - setting: AUTH_LDAP_GROUP_SEARCH
    value: 'LDAPSearch("OU=Groups,OU=ADMIN,DC=demo,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
  - setting: AUTH_LDAP_GROUP_TYPE
    value: "NestedActiveDirectoryGroupType(name_attr='cn')"
  - setting: AUTH_LDAP_USER_ATTR_MAP
    value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
  - setting: AUTH_LDAP_REQUIRE_GROUP
    value: >-
      "CN=awx_admin_group,OU=Permission,OU=Groups,OU=ADMIN,DC=demo,DC=com"
  - setting: AUTH_LDAP_USER_FLAGS_BY_GROUP
    value: {
      "is_superuser": [
        "CN=awx_admin_group,OU=Permission,OU=Groups,OU=ADMIN,DC=demo,DC=com"
      ]
    }
```

I'm using NestedActiveDirectoryGroupType as AUTH_LDAP_GROUP_TYPE; if you need to change that, look up the correct value for the import on line 3 and also for the AUTH_LDAP_GROUP_TYPE attribute at https://django-auth-ldap.readthedocs.io/en/stable/reference.html#django_auth_ldap.config.NestedMemberDNGroupType

And by the way, you can store the LDAP user password in a Kubernetes Secret. Add the following line to extra_settings:

```yaml
ldap_password_secret: awx-ldap-password
```

and create a Secret in Kubernetes with your password:

```shell
kubectl create secret generic awx-ldap-password \
  --from-literal=ldap-password=YOUR-PASSWORD-HERE -n awx
```

Hope this will save someone's time ✌️
@rooso thanks for the hint :) Setting the secret works, but setting the group type to ActiveDirectoryGroupType, which should work according to the docs, resulted in "MemberDNGroupType".

Here are the settings I tried:

```yaml
extra_settings:
  - setting: AUTH_LDAP_SERVER_URI
    value: '"ldaps://myawesomeldapserver"; from django_auth_ldap.config import ActiveDirectoryGroupType'
  - setting: AUTH_LDAP_BIND_DN
    value: >-
      "CN=mybinduser,OU=GROUP"
  - setting: AUTH_LDAP_GROUP_TYPE_PARAMS
    value: '{ "name_attr": "cn" }'
  - setting: AUTH_LDAP_USER_SEARCH
    value: 'LDAPSearch("OU=USERS,DC=MYDC",ldap.SCOPE_SUBTREE,"(cn=%(user)s)",)'
  - setting: AUTH_LDAP_GROUP_SEARCH
    value: 'LDAPSearch("OU=GROUPS,DC=MYDC",ldap.SCOPE_SUBTREE,"(objectClass=top)",)'
  - setting: AUTH_LDAP_GROUP_TYPE
    value: "ActiveDirectoryGroupType"
```
Hi @reyerdam, please take a closer look at my example. In my case I had to set AUTH_LDAP_GROUP_TYPE to the following:

```yaml
- setting: AUTH_LDAP_GROUP_TYPE
  value: "NestedActiveDirectoryGroupType(name_attr='cn')"
```
Hi @rooso, thanks, I also tried it with the following:

```yaml
- setting: AUTH_LDAP_GROUP_TYPE
  value: "ActiveDirectoryGroupType(name_attr='cn')"
```

also following the docs: https://django-auth-ldap.readthedocs.io/en/stable/reference.html#django_auth_ldap.config.ActiveDirectoryGroupType

but that also did not work as wished ;(
Hi, is there any update? What alternatives are there?
Hello, strange issue. For us it's working fine with the following statement:

```yaml
- setting: AUTH_LDAP_GROUP_TYPE
  value: 'MyCustomGroupType()'
```
Hello everyone,

I struggled with that issue as well using the PosixGroupType. I finally got it working with the settings below. For my setup it only worked if I did both: set the parameter in the `__init__` and overwrite AUTH_LDAP_GROUP_TYPE_PARAMS, to get around the error message.

Hope it helps.

```yaml
- setting: AUTH_LDAP_GROUP_TYPE
  value: "PosixGroupType(name_attr='cn')"
- setting: AUTH_LDAP_GROUP_TYPE_PARAMS
  value: {}
```
Hi @m4rc3l-h3, thanks for sharing. Overwriting AUTH_LDAP_GROUP_TYPE_PARAMS indeed helps. Also works with NestedActiveDirectoryGroupType(name_attr='cn').

```yaml
- setting: AUTH_LDAP_GROUP_TYPE
  value: "NestedActiveDirectoryGroupType(name_attr='cn')"
- setting: AUTH_LDAP_GROUP_TYPE_PARAMS
  value: {}
```
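To see why the variants in this thread behave differently (rooso's import-via-AUTH_LDAP_SERVER_URI workaround and the instantiated group type with AUTH_LDAP_GROUP_TYPE_PARAMS overridden), here is an added example that is not code from AWX or awx-operator. It assumes the operator writes each extra_settings item verbatim into settings.py as `SETTING = value`, renders a constructed list that way, and lints the result with `ast`, flagging a quoted string (the `<class 'str'>` error), a bare class name (the `<class 'type'>` error), a class that was never imported (the NameError) and a typo that would not parse. Hostnames and the sample items are constructed.

```python
import ast

# Constructed sample in the shape of awx-operator's extra_settings list. Assumption: the
# operator writes every item verbatim into settings.py as "<setting> = <value>", which is
# why the ';' trick on AUTH_LDAP_SERVER_URI smuggles in the import the group type needs.
SAMPLE_EXTRA_SETTINGS = [
    {"setting": "AUTH_LDAP_SERVER_URI",
     "value": '"ldaps://ldap.example.test:636"; '
              'from django_auth_ldap.config import NestedActiveDirectoryGroupType'},
    {"setting": "AUTH_LDAP_GROUP_TYPE", "value": "NestedActiveDirectoryGroupType(name_attr='cn')"},
    {"setting": "AUTH_LDAP_GROUP_TYPE_PARAMS", "value": "{}"},
]


def render_settings(items):
    """Return the settings.py text the operator is assumed to generate."""
    return "".join(f"{item['setting']} = {item['value']}\n" for item in items)


def lint_ldap_settings(items):
    """Parse the rendered settings and return a list of human-readable findings."""
    findings = []
    try:
        tree = ast.parse(render_settings(items))
    except SyntaxError as exc:
        # e.g. a stray ')' in "NestedActiveDirectoryGroupType(name_attr='cn'))"
        return [f"settings.py would not parse: {exc.msg} (line {exc.lineno})"]
    imported = {alias.asname or alias.name
                for node in ast.walk(tree) if isinstance(node, ast.ImportFrom)
                for alias in node.names}
    for node in tree.body:
        if not (isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name)):
            continue
        name, val = node.targets[0].id, node.value
        is_str = isinstance(val, ast.Constant) and isinstance(val.value, str)
        if name == "AUTH_LDAP_GROUP_TYPE":
            if is_str:  # AWX: expected an LDAPGroupType instance, got <class 'str'>
                findings.append(f"{name} is a str; AWX expects an LDAPGroupType instance")
            elif isinstance(val, ast.Name):  # ... got <class 'type'>
                findings.append(f"{name} is the class {val.id}, not an instance; "
                                f"instantiate it, e.g. {val.id}(name_attr='cn')")
            elif isinstance(val, ast.Call) and isinstance(val.func, ast.Name) \
                    and val.func.id not in imported:
                findings.append(f"{val.func.id} is never imported, so settings.py raises NameError")
        elif name == "AUTH_LDAP_GROUP_TYPE_PARAMS" and is_str:
            findings.append(f"{name} is a str, not a dict; use value: {{}}")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_settings(SAMPLE_EXTRA_SETTINGS) or ["no findings"]:
        print(finding)
```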
I'm able to get some of the examples people are posting to work, but I'm still having trouble getting a working combination of AUTH_LDAP_USER_ATTR_MAP and AUTH_LDAP_GROUP_TYPE when using MemberDNGroupType.
Summary
Attempting to update LDAPGroupType via API (UI) fails.
AWX is installed via the Operator install using Minikube. Upon installation all settings are correct in the UI when logged in via admin except the AUTH_LDAP_GROUP_TYPE is always set to 'MemberDNGroupType'. Upon trying to modify it in the UI, a number of errors are thrown in the awx-web container.
AWX version
21.0.0
Installation method
minikube
Modifications
no
Ansible version
No response
Operating system
No response
Web browser
No response
Steps to reproduce
At /api/v2/settings/ldap/, attempt to use a PATCH request to update "AUTH_LDAP_GROUP_TYPE" to "ActiveDirectoryGroupType".
Expected results
Setting changes, no errors in log output.
Actual results
Setting doesn't change. I get the following errors in the log output. Should see errors in the logs similar to these:
Additional information
Box in question is running CentOS 8 Stream. All installations are according to the awx-operator documentation.
I am assuming that the issue is an awx issue, and not part of the operator process. But I could be wrong in my assumption. Seems like the error in the API is the same thing causing the setting not to be set properly during the install process. But that's just a hunch. Couldn't find any errors in the install process, but this threw some that seemed to bear some fruit.