ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

LDAP Settings not working #14109

Open techBeck03 opened 1 year ago

techBeck03 commented 1 year ago

Bug Summary

I cannot get LDAP authentication to work despite my settings working on previous AWX versions.

AWX version

22.3.0

Installation method

kubernetes

Modifications

no

Ansible version

No response

Operating system

Ubuntu 22

Web browser

Chrome

Steps to reproduce

LDAP Settings

LDAP Group Type: ActiveDirectoryGroupType

LDAP Bind DN and Password are set

LDAP Require Group:

CN=WWDC AWX Admins,CN=Users,DC=auslab,DC=cisco,DC=com

LDAP User Search:

[
  "CN=Users,DC=auslab,DC=cisco,DC=com",
  "SCOPE_SUBTREE",
  "(sAMAccountName=%(user)s)"
]

LDAP Group Search:

[
  "cn=Users,dc=auslab,dc=cisco,dc=com",
  "SCOPE_SUBTREE",
  "(objectClass=group)"
]

LDAP User Attribute Map:

{
  "first_name": "givenName",
  "last_name": "sn",
  "email": "mail"
}

LDAP Group Type Parameters:

{
  "name_attr": "cn"
}

LDAP User Flags By Group:

{
  "is_superuser": [
    "CN=WWDC AWX Admins,CN=Users,DC=auslab,DC=cisco,DC=com"
  ]
}

LDAP Organization Map:

{
  "WWDC": {
    "remove_users": false,
    "admins": "CN=WWDC AWX Admins,CN=Users,DC=auslab,DC=cisco,DC=com",
    "remove_admins": false
  }
}

Expected results

Users in the WWDC AWX Admins AD group should be able to log in with their sAMAccountName and password successfully.

Actual results

Login attempt fails and I see this in the web container logs:

[pid: 154|app: 0|req: 838/2994] 10.42.12.196 () {74 vars in 5272 bytes} [Mon Jun 12 12:47:03 2023] GET /api/login/ => generated 5710 bytes in 49 msecs (HTTP/1.1 200) 10 headers in 460 bytes (1 switches on core 0)
2023-06-12 12:47:04,575 WARNING  [836330e1456645db903757d3560fb211] awx.api.generics Login failed for user robbeck from 10.42.12.196
2023-06-12 12:47:04,584 WARNING  [836330e1456645db903757d3560fb211] django.request Unauthorized: /api/login/
2023-06-12 12:47:04,584 WARNING  [836330e1456645db903757d3560fb211] django.request Unauthorized: /api/login/
10.42.12.196 - - [12/Jun/2023:12:47:04 +0000] "POST /api/login/ HTTP/1.1" 401 5918 "https://wwdc-awx.auslab.cisco.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" "172.16.91.17"

Additional information

No response
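A structural consistency check over the settings listed above, added here as an example; it is not code from the issue or from AWX. It assumes the settings are keyed by the names AWX exposes under /api/v2/settings/ldap/, normalises DNs the way LDAP compares them (so the mixed-case CN=Users and cn=Users above match), confirms that every group DN the require-group, flag map and organization map reference sits under the group search base, and flags a member_attr handed to ActiveDirectoryGroupType, which in django-auth-ldap accepts only name_attr.

```python
# Settings transcribed from the issue (constructed inline so the check runs offline).
ADMINS_DN = "CN=WWDC AWX Admins,CN=Users,DC=auslab,DC=cisco,DC=com"
ISSUE_SETTINGS = {
    "AUTH_LDAP_GROUP_TYPE": "ActiveDirectoryGroupType",
    "AUTH_LDAP_GROUP_TYPE_PARAMS": {"name_attr": "cn"},
    "AUTH_LDAP_REQUIRE_GROUP": ADMINS_DN,
    "AUTH_LDAP_USER_SEARCH": ["CN=Users,DC=auslab,DC=cisco,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)"],
    "AUTH_LDAP_GROUP_SEARCH": ["cn=Users,dc=auslab,dc=cisco,dc=com", "SCOPE_SUBTREE", "(objectClass=group)"],
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {"is_superuser": [ADMINS_DN]},
    "AUTH_LDAP_ORGANIZATION_MAP": {"WWDC": {"remove_users": False, "admins": ADMINS_DN, "remove_admins": False}},
}
VALID_SCOPES = {"SCOPE_BASE", "SCOPE_ONELEVEL", "SCOPE_SUBTREE"}

def norm_dn(dn):
    # LDAP compares attribute types case-insensitively ("CN=Users" equals "cn=Users")
    # and ignores whitespace around the comma separators; mirror that here.
    return ",".join(part.strip().lower() for part in dn.split(","))

def under_base(dn, base):
    n, b = norm_dn(dn), norm_dn(base)
    return n == b or n.endswith("," + b)  # the base itself, or an entry below it

def referenced_group_dns(s):
    """Every group DN that the require-group, flag map and organization map point at."""
    dns = [s.get("AUTH_LDAP_REQUIRE_GROUP")]
    for groups in s.get("AUTH_LDAP_USER_FLAGS_BY_GROUP", {}).values():
        dns += groups if isinstance(groups, list) else [groups]
    for org in s.get("AUTH_LDAP_ORGANIZATION_MAP", {}).values():
        for role in ("admins", "users"):  # may be a DN, a list of DNs, True or None
            dns += org.get(role) if isinstance(org.get(role), list) else [org.get(role)]
    return [dn for dn in dns if isinstance(dn, str)]

def check_ldap_settings(s):
    """Return a list of findings; an empty list means the settings are self-consistent."""
    findings = []
    user, group = s.get("AUTH_LDAP_USER_SEARCH") or [], s.get("AUTH_LDAP_GROUP_SEARCH") or []
    for key, triple in (("AUTH_LDAP_USER_SEARCH", user), ("AUTH_LDAP_GROUP_SEARCH", group)):
        if len(triple) != 3:
            findings.append(f"{key}: expected [base_dn, scope, filter]")
        elif triple[1] not in VALID_SCOPES:
            findings.append(f"{key}: unknown scope {triple[1]!r}")
    if len(user) == 3 and "%(user)s" not in user[2]:
        findings.append("AUTH_LDAP_USER_SEARCH: filter never substitutes the login name %(user)s")
    if len(group) == 3:  # a group the search can never return can never grant anything
        for dn in referenced_group_dns(s):
            if not under_base(dn, group[0]):
                findings.append(f"{dn} lies outside the group search base {group[0]}")
    if s.get("AUTH_LDAP_GROUP_TYPE") == "ActiveDirectoryGroupType" and "member_attr" in s.get("AUTH_LDAP_GROUP_TYPE_PARAMS", {}):
        findings.append("ActiveDirectoryGroupType accepts only name_attr; its member attribute is fixed to 'member'")
    return findings
```

The issue's own settings pass every check, which points the troubleshooting at the bind or the directory rather than at the JSON shape.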

john-westcott-iv commented 1 year ago

Have you tried turning on LDAP debugging to see what, if any, messages you get in the logs on login? https://docs.ansible.com/automation-controller/latest/html/administration/ldap_auth.html#enabling-logging-for-ldap

techBeck03 commented 1 year ago

@john-westcott-iv I set the logging level to DEBUG; however, I still don't see anything LDAP related in the logs when I attempt to log in.

cilq commented 1 year ago

Maybe this has to do with not mapping the member attribute of LDAP groups and so all your groups appear empty to Django? You could try this for LDAP Group Type Parameters:

{
  "name_attr": "cn",
  "member_attr": "member"
}

pisaniej commented 1 year ago

@john-westcott-iv I set the logging level to DEBUG; however, I still don't see anything LDAP related in the logs when I attempt to log in.

Same here, any luck getting this to work?

techBeck03 commented 1 year ago

@cilq, I believe that's only needed if the LDAP Group Type is MemberDNGroupType. I have tried MemberDNGroupType as well with "member_attr": "member" but have the same non-working result. For the notes on this issue I specified the LDAP Group Type as ActiveDirectoryGroupType, so the member_attr is not needed (I don't even think it's allowed). Thanks