ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Not able to integrate containerized awx ansible tower with LDAP #1900

Closed rehanch178 closed 5 years ago

rehanch178 commented 6 years ago

Hi Team,

I am running Ansible tower docker version.

I configured LDAP authentication in the UI setting section of LDAP, but it is not working.

Wanted to know, does the docker version of Ansible Tower support AD integration?

If yes, I am not sure if I am making any mistake while configuring LDAP.

joshuacherry commented 6 years ago

It's working for me, the only issue I've run into was TLS. I had to set the server uri to ldap://fqdn:389 and disable Start TLS.

tumbl3w33d commented 6 years ago

For the original question - yeah it works, at least with OpenLDAP, so I would imagine AD should work as well. I did that a while ago, but as far as I remember, I followed the Tower doc and it worked.

After the installation, when the containers are already running, I executed some commands using docker exec to curl/wget my CA from a webserver and update-ca-trust to get it active so STARTTLS would work with my self-signed cert as well.

```yaml
- name: trust CA in awx containers
  shell: docker exec -i {{ item }} bash -c 'curl http://someintranethttpd/static/myintranetca.crt > /etc/pki/ca-trust/source/anchors/myintranetca.crt && update-ca-trust extract'
  with_items:
    - awx_web
    - awx_task
```

and I think you need to restart the containers afterwards. Instead of downloading the CA you could also use docker cp to get it in, of course.

hnagireddygari commented 6 years ago

Hi Guys,

I have been struggling for a solution for the last 3 days. Please give me the steps to follow to integrate LDAP with Ansible AWX. I am using containerized AWX (Ansible Tower) with LDAP. Please help me resolve this. And one more thing: when I try to change the configuration and save, the changes are not reflected once I log out and log in again.

And once the exact configuration is done, how do I test whether the LDAP server is synced with my AWX or not?

Below are the credentials (modified due to compliance) I'm using. Please correct me if I'm wrong. Please help me on this.

LDAP in AWX.

LDAP Server URI: ldap://promo.micro.com:389

LDAP Bind DN: CN=admin.gen,OU=General,OU=Micro Users,DC=promo,DC=micro,DC=com

password: Admin123

LDAP User DN Template: blank

LDAP Group Type: MemberDNGroupType

LDAP Require Group: (here I am giving the same LDAP Bind DN) - Please correct me here... what is the CN I need to provide here? CN=admin.gen,OU=General,OU=Micro Users,DC=promo,DC=micro,DC=com

LDAP Deny Group: blank

LDAP User Search [ "OU=General,OU=Micro Users,DC=promo,DC=micro,DC=com", "SCOPE_SUBTREE", "(cn=%(user)s)" ]

LDAP Group Search [ "dc=promo,dc=micro,dc=com", "SCOPE_SUBTREE", "(objectClass=group)" ]

LDAP User Attribute Map { "first_name": "givenName", "last_name": "sn", "email": "mail" }

LDAP User Flags by Group { "is_superuser": "CN=admin.gen,OU=General,OU=Micro Users,DC=promo,DC=Micro,DC=com" }

chrismeyersfsu commented 6 years ago

@hnagireddygari There is a public LDAP server that I use for testing. Visit the Tower browsable API via https://your_tower_server/api/v2/settings/ldap/ and PATCH the following payload. You can then log in to Tower using riemann / password. There are other test users associated with this LDAP server as well (see https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/). Once you have this working, use it as a guide for your own LDAP server.

```json
{
    "AUTH_LDAP_GROUP_TYPE": "GroupOfUniqueNamesType",
    "AUTH_LDAP_USER_DN_TEMPLATE": "uid=%(user)s,dc=example,dc=com",
    "AUTH_LDAP_ORGANIZATION_MAP": {
        "Mathematicians": {
            "users": [],
            "admins": "ou=mathematicians,dc=example,dc=com",
            "remove_admins": false,
            "remove_users": false
        },
        "Scientists": {
            "users": [],
            "admins": "ou=scientists,dc=example,dc=com",
            "remove_admins": false,
            "remove_users": false
        }
    },
    "AUTH_LDAP_BIND_DN": "cn=read-only-admin,dc=example,dc=com",
    "AUTH_LDAP_USER_ATTR_MAP": {
        "first_name": "uid",
        "last_name": "sn",
        "email": "mail"
    },
    "AUTH_LDAP_USER_SEARCH": [],
    "AUTH_LDAP_SERVER_URI": "ldap://ldap.forumsys.com",
    "AUTH_LDAP_GROUP_TYPE_PARAMS": {},
    "AUTH_LDAP_DENY_GROUP": null,
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {},
    "AUTH_LDAP_TEAM_MAP": {},
    "AUTH_LDAP_REQUIRE_GROUP": null,
    "AUTH_LDAP_GROUP_SEARCH": ["dc=example,dc=com", "SCOPE_SUBTREE", "(objectClass=groupOfUniqueNames)"],
    "AUTH_LDAP_BIND_PASSWORD": "password"
}
```

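The two configurations above (hnagireddygari's UI settings and the payload posted for the public test server) differ in exactly the places that usually break LDAP login: cleartext `ldap://` with Start TLS off, a user search filter without `%(user)s`, and group-valued settings pointed at the bind account. The following checker, an added example and not AWX code, lints a `/api/v2/settings/ldap/` payload offline for those problems; the keys are the real AWX setting names used in the thread plus `AUTH_LDAP_START_TLS`, while the checks themselves are this example's heuristics, not AWX's own validation.

```python
"""Offline sanity checks for an AWX /api/v2/settings/ldap/ payload (added example,
not AWX code). Keys are the AWX settings used in the thread plus AUTH_LDAP_START_TLS;
the checks are this example's heuristics, not AWX's validation logic."""
from urllib.parse import urlparse

SCOPES = {"SCOPE_BASE", "SCOPE_ONELEVEL", "SCOPE_SUBTREE"}


def _check_search(name, value, user_filter, findings):
    """A search setting is either [] or a [base_dn, scope, filter] triple."""
    if not value:
        return
    if not (isinstance(value, list) and len(value) == 3):
        findings.append(f"{name}: expected [base_dn, scope, filter]")
        return
    _base, scope, flt = value
    if scope not in SCOPES:
        findings.append(f"{name}: unknown scope {scope!r}")
    if user_filter and "%(user)s" not in flt:
        findings.append(f"{name}: filter lacks %(user)s, so no login can resolve to a DN")


def lint_ldap_settings(cfg):
    """Return a list of findings; an empty list means the payload looks sane."""
    findings = []
    scheme = urlparse(cfg.get("AUTH_LDAP_SERVER_URI", "")).scheme
    if scheme == "ldap" and not cfg.get("AUTH_LDAP_START_TLS"):
        findings.append("AUTH_LDAP_SERVER_URI: ldap:// with Start TLS disabled sends the "
                        "bind password and every user's password in cleartext")
    elif scheme not in ("ldap", "ldaps"):
        findings.append(f"AUTH_LDAP_SERVER_URI: unexpected scheme {scheme!r}")

    # django-auth-ldap needs one way to turn a login name into a DN.
    if not cfg.get("AUTH_LDAP_USER_DN_TEMPLATE") and not cfg.get("AUTH_LDAP_USER_SEARCH"):
        findings.append("set AUTH_LDAP_USER_DN_TEMPLATE or AUTH_LDAP_USER_SEARCH")
    _check_search("AUTH_LDAP_USER_SEARCH", cfg.get("AUTH_LDAP_USER_SEARCH"), True, findings)
    _check_search("AUTH_LDAP_GROUP_SEARCH", cfg.get("AUTH_LDAP_GROUP_SEARCH"), False, findings)

    # Group-valued settings must name groups; pointing them at the bind account
    # (the question raised in the thread) is flagged. DNs compare case-insensitively.
    bind_dn = (cfg.get("AUTH_LDAP_BIND_DN") or "").lower()
    group_settings = {"AUTH_LDAP_REQUIRE_GROUP": cfg.get("AUTH_LDAP_REQUIRE_GROUP"),
                      "AUTH_LDAP_DENY_GROUP": cfg.get("AUTH_LDAP_DENY_GROUP")}
    for flag, dns in (cfg.get("AUTH_LDAP_USER_FLAGS_BY_GROUP") or {}).items():
        group_settings[f"AUTH_LDAP_USER_FLAGS_BY_GROUP[{flag}]"] = dns
    for name, dns in group_settings.items():
        for dn in ([dns] if isinstance(dns, str) else (dns or [])):
            if dn.lower() == bind_dn:
                findings.append(f"{name}: is the bind DN (an account), must be a group DN")
    return findings
```

Run against the public-server payload it reports only the cleartext `ldap://` bind; run against a dictionary built from the settings posted earlier in the thread it flags `AUTH_LDAP_REQUIRE_GROUP` and the `is_superuser` flag as pointing at the bind account rather than a group.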
matburt commented 5 years ago

No follow up in several months

ctmitche777 commented 5 years ago

I am having the same issue. I've replicated the LDAP configuration between AWX (container), AWX (non-container) and Ansible Tower. It works in both AWX (non-container) and Ansible Tower, but not the dockerized version of AWX. Is there something you need to do to get LDAP authentication working in containerized AWX?

AWX 6.0.0.0, Ansible 2.8.1