ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

LDAP auth fails #5324

Closed AdrianDutu closed 4 years ago

AdrianDutu commented 4 years ago
ISSUE TYPE
SUMMARY

After upgrading from 6.1.0 to 9.0.1 the LDAP auth fails with the following error:

10.244.0.0 - - [14/Nov/2019:14:01:39 +0000] "GET /" 400 3887 "-" "-" "-"
2019-11-14 14:01:39,835 WARNING django_auth_ldap Caught LDAPError while authenticating a.addu01: SERVER_DOWN({'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)
2019-11-14 14:01:39,843 WARNING awx.api.generics Login failed for user a.addu01 from 10.244.2.1
2019-11-14 14:01:39,853 WARNING django.request Unauthorized: /api/login/
2019-11-14 14:01:39,853 WARNING django.request Unauthorized: /api/login/

The same certificates I was using before are installed in /etc/pki/ca-trust/source/anchors. I am using the same LDAP config as before:

server uri: ldaps://xxxxxx.com:636
ldap bind dn: CN=s.a.xxx,OU=users,DC=bwin,DC=adam
ldap bind password: *****
ldap group type: MemberDNGroupType
ldap require group: CN=prod.awx.access,OU=groups,DC=bwin,DC=adam
ldap user search: [ "DC=bwin,DC=adam", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ]
ldap group search: [ "DC=bwin,DC=adam", "SCOPE_SUBTREE", "(objectClass=group)" ]

ENVIRONMENT
STEPS TO REPRODUCE
  1. Configure LDAP auth with the settings above
  2. Install certs on the awx server
  3. Try to log in with an LDAP user
EXPECTED RESULTS

Login successful.

ACTUAL RESULTS

Certificate validation fails.

ADDITIONAL INFORMATION
AdrianDutu commented 4 years ago

Did anything change regarding the way authentication works? As mentioned, the previous version works, and if I run ldapsearch on the host machine I get results back:

ldapsearch -b "dc=bwin,dc=adam" -D "CN=s.a.awx,OU=users,DC=bwin,DC=adam" -H ldaps://xxx.xxx.com -W '(memberOf=CN=awx.access,OU=groups,DC=bwin,DC=adam)'

If I run the same command in the awx_web container, with debug on, I get:

attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 2, err: 19, subject: /CN=ATVA0WIPKI001-Root, issuer: /CN=ATVA0WIPKI001-Root
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

AdrianDutu commented 4 years ago

I found the issue. The CentOS version changed from 7 to 8. Running update-ca-trust fixed the issue. @ryanpetrello maybe you can do something to run this in the installer playbook as cert auth will not work by default in awx.
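The root cause in the last comment (CAs copied into /etc/pki/ca-trust/source/anchors without update-ca-trust regenerating the bundle) can be caught before a login fails, by comparing the anchors against the bundle OpenSSL actually reads. This is an added example, not code from AWX or from this issue; it assumes the CentOS/RHEL extracted-bundle path /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, and its sample PEM bodies are constructed placeholders rather than real certificates.

```python
from __future__ import annotations
import base64
import hashlib
import re
from pathlib import Path

# ca-trust paths on CentOS/RHEL: the anchors directory is the one named in the
# issue; the extracted bundle is what update-ca-trust regenerates and what
# OpenSSL (and therefore OpenLDAP / ldapsearch) actually reads.
ANCHORS_DIR = Path("/etc/pki/ca-trust/source/anchors")
BUNDLE = Path("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(text: str) -> set[str]:
    """SHA-256 fingerprints of every certificate in a PEM text. Decoding the
    body to DER makes the comparison independent of line wrapping/comments."""
    fps = set()
    for body in _PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def missing_anchors(anchor_pems: dict[str, str], bundle_text: str) -> list[str]:
    """Names of anchor files whose certificates are not in the bundle, i.e.
    CAs that were copied into anchors but never picked up by update-ca-trust."""
    bundle_fps = pem_fingerprints(bundle_text)
    return sorted(name for name, text in anchor_pems.items()
                  if not pem_fingerprints(text) <= bundle_fps)

def check_system() -> list[str]:
    """Run the check against the real paths (needs a CentOS/RHEL-style host)."""
    anchors = {p.name: p.read_text() for p in ANCHORS_DIR.iterdir() if p.is_file()}
    bundle = BUNDLE.read_text() if BUNDLE.exists() else ""
    return missing_anchors(anchors, bundle)

# Constructed sample data: the "certificate" bodies are base64 of placeholder
# bytes so the example runs offline; real files contain DER-encoded X.509.
def fake_pem(payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SAMPLE_ANCHORS = {"corp-root.crt": fake_pem(b"corp-root-ca"),
                  "corp-issuing.crt": fake_pem(b"corp-issuing-ca")}
SAMPLE_BUNDLE = "# public CA\n" + fake_pem(b"public-ca") + fake_pem(b"corp-root-ca")

if __name__ == "__main__":
    print(missing_anchors(SAMPLE_ANCHORS, SAMPLE_BUNDLE))  # ['corp-issuing.crt']
```

A non-empty result from check_system() means the anchors exist but the bundle is stale; running update-ca-trust, as the reporter did, and re-running the check should return an empty list.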