ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Expand the "LDAP Require Group field" under Settings/Authentication/LDAP to allow for a list of LDAP groups #7917

Open jpell958 opened 4 years ago

jpell958 commented 4 years ago
SUMMARY

Under the Settings page for Authentication/LDAP it appears that the LDAP Require Group field is limited to a single group. We would like to see this function expanded to a list of groups.

We would like to list multiple LDAP groups, which we already have in place today, instead of creating and having to populate a new LDAP group specifically for AWX authorized users.

Our POC implementation has proved out that this is technically possible by modifying the settings.py file found in /etc/tower/:

```python
from django_auth_ldap.config import LDAPGroupQuery

# Membership in either group satisfies the "require group" check.
AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("cn=awx_admin, ou=UXgroups, ou=Groups, ou=Entsys,dc=company.com")
    | LDAPGroupQuery("cn=awx_user, ou=UXgroups, ou=Groups, ou=Entsys,dc=company.com")
)
```

https://django-auth-ldap.readthedocs.io/en/latest/groups.html#limiting-access

Our use case is that we would use multiple groups to establish the authorization level into the system (i.e. Admin, Users, System Auditors, ...) instead of adding a group of all users to AWX and granting individual access roles.
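To make the composition semantics of the POC above concrete, here is an added, self-contained model (not django-auth-ldap's or AWX's own code) of how an `LDAPGroupQuery`-style requirement built with `|`, `&` and `~` is evaluated against a user's group DNs. The base DN, group names and the case-insensitive DN comparison are assumptions for the illustration.

```python
# Model of django-auth-ldap's LDAPGroupQuery composition (added illustration,
# not the library's or AWX's own code); evaluated against a plain set of DNs.

def normalize_dn(dn):
    # Assumption: matching is case-insensitive and ignores spaces after commas,
    # so 'cn=awx_user, ou=UXgroups' equals 'CN=awx_user,OU=UXgroups'. With an
    # exact-string comparison a mistyped DN would deny every user (fail closed).
    return ",".join(part.strip() for part in dn.lower().split(","))

class GroupQuery:
    """One group requirement; combine with |, &, ~ like LDAPGroupQuery."""
    def __init__(self, dn=None, op=None, children=(), negate=False):
        self.dn, self.op, self.children, self.negate = dn, op, children, negate
    def __or__(self, other):
        return GroupQuery(op="OR", children=(self, other))
    def __and__(self, other):
        return GroupQuery(op="AND", children=(self, other))
    def __invert__(self):
        return GroupQuery(self.dn, self.op, self.children, not self.negate)
    def resolve(self, member_of):
        """True if the user's group DNs satisfy this query."""
        if self.op is None:                      # leaf: direct membership test
            hit = normalize_dn(self.dn) in {normalize_dn(g) for g in member_of}
        elif self.op == "OR":
            hit = any(c.resolve(member_of) for c in self.children)
        else:
            hit = all(c.resolve(member_of) for c in self.children)
        return hit != self.negate

# Constructed base DN and group names for the illustration.
BASE = "ou=UXgroups,ou=Groups,ou=Entsys,dc=company,dc=com"

# Any one of three role groups is enough to log in, but a lockout group
# always wins; AWX role/organization mapping is a separate setting.
REQUIRE_GROUP = (
    GroupQuery(f"cn=awx_admin,{BASE}")
    | GroupQuery(f"cn=awx_user,{BASE}")
    | GroupQuery(f"cn=awx_auditor,{BASE}")
) & ~GroupQuery(f"cn=disabled_accounts,{BASE}")

def may_log_in(member_of):
    """Gate equivalent to AUTH_LDAP_REQUIRE_GROUP: deny unless the query holds."""
    return REQUIRE_GROUP.resolve(member_of)

if __name__ == "__main__":
    print(may_log_in([f"CN=awx_user, {BASE}"]))                                  # True
    print(may_log_in([f"cn=awx_admin,{BASE}", f"cn=disabled_accounts,{BASE}"]))  # False
```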

hiero-nymus commented 3 years ago

Hi Team, I have the same situation. Can anyone solve this problem in the meantime? Is there a project currently underway? Best regards, H

eselvam commented 2 years ago

We have the same requirement; shall we add this capability, please?

DaVince commented 2 years ago

Our organization consists of a lot of different teams who need to be assigned to their respective Organization, but only if they actually are a member of one of our four dedicated Ansible-related LDAP groups that determine access rights (read only/developer/team manager/sysadmin). The alternative for us is to add three of those groups for each of the teams, which is infeasible and clutters up the LDAP space. Unfortunately a different team is in charge of LDAP administration and I'm quite certain they will not agree to this.

We're going for a different solution now (writing a playbook to assign members to organizations) but it is also highly desired for us to be able to filter multiple groups so we can match the platform's access rights + which team they belong to.

Doing some research, I know that the underlying library already supports this.