kurokobo / awx-on-k3s

An example implementation of AWX on single node K3s using AWX Operator, with easy-to-use simplified configuration with ownership of data and passwords.
MIT License
560 stars 158 forks

failed authentication ldaps awx #301

Closed xavierfleury closed 7 months ago

xavierfleury commented 7 months ago

Environment

k3s version v1.28.6+k3s2 (c9f49a3b) go version go1.20.13

Description

Unable to connect via LDAPS to the K3s/AWX environment; with plain LDAP there is no problem. Thanks for any direction, because I'm really stuck on the interface. Thanks again.

Step to Reproduce

  1. I followed the whole AWX Operator installation part and deployed AWX
  2. I retrieved the certificate of my company's root CA, which I copied to the base directory
  3. I followed the doc "Trust Custom Certificate Authority"

Logs

2024-02-13 07:56:55,072 DEBUG    [1cf76227093c42969eff60c4342810a0] django_auth_ldap Binding as CN=xxx.x.xxxxxx.xxx-xx,OU=xxxxx,OU=xxxxxx,DC=xxxxxxx,DC=xxxxxxx,DC=xx
2024-02-13 07:57:25,195 WARNING  [1cf76227093c42969eff60c4342810a0] django_auth_ldap Caught LDAPError while authenticating dii.xavier.fleury: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'errno': 110, 'ctrls': [], 'info': 'Connection timed out'})
2024-02-13 07:57:25,844 WARNING  [1cf76227093c42969eff60c4342810a0] awx.api.generics Login failed for user xxx.xxxxx.xxxxx from 10.42.0.5
2024-02-13 07:57:25,851 DEBUG    [1cf76227093c42969eff60c4342810a0] awx.analytics.performance request: <WSGIRequest: POST '/api/login/'>, response_time: 30.838s
2024-02-13 07:57:25,851 WARNING  [1cf76227093c42969eff60c4342810a0] django.request Unauthorized: /api/login/
2024-02-13 07:57:25,851 WARNING  [1cf76227093c42969eff60c4342810a0] django.request Unauthorized: /api/login/

Files

kustomization.yaml

---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: awx

generatorOptions:
  disableNameSuffixHash: true

secretGenerator:
  - name: awx-secret-tls
    type: kubernetes.io/tls
    files:
      - tls.crt
      - tls.key

  - name: awx-postgres-configuration
    type: Opaque
    literals:
      - host=awx-postgres-13
      - port=5432
      - database=awx
      - username=awx
      - password=Azerty1234$$
      - type=managed

  - name: awx-admin-password
    type: Opaque
    literals:
      - password=Azerty1234$$

  - name: awx-custom-certs
    type: Opaque
    files:
      - ldap-ca.crt=acr.cer
      - bundle-ca.crt=acr.cer

resources:
  - pv.yaml
  - pvc.yaml
  - awx.yaml

awx.yml

---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
spec:
  admin_user: admin
  admin_password_secret: awx-admin-password

  ldap_cacert_secret: awx-custom-certs
  bundle_cacert_secret: awx-custom-certs

  ingress_type: ingress
  ingress_hosts:
    - hostname: awx1-dit-renn.dom-grand-ouest.justice.fr
      tls_secret: awx-secret-tls

  postgres_configuration_secret: awx-postgres-configuration

  postgres_storage_class: awx-postgres-volume
  postgres_storage_requirements:
    requests:
      storage: 8Gi

  projects_persistence: true
  projects_existing_claim: awx-projects-claim

  web_replicas: 1
  task_replicas: 1

  web_resource_requirements: {}
  task_resource_requirements: {}
  ee_resource_requirements: {}
  init_container_resource_requirements: {}
  postgres_init_container_resource_requirements: {}
  postgres_resource_requirements: {}
  redis_resource_requirements: {}
  rsyslog_resource_requirements: {}
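
Before acr.cer is turned into the awx-custom-certs secret above (both the ldap-ca.crt and bundle-ca.crt keys are generated from that one file), it is worth confirming that the file is what the operator will be able to load. The following is an added example, not code from the awx-on-k3s guide or from the AWX Operator. It uses only the Python standard library, detects the usual wrong encodings of a .cer exported from a Windows CA (binary DER, a PKCS#7 bundle, or UTF-16 text such as Windows PowerShell's Out-File produces when the base64 blob is saved that way) and walks each certificate's DER just far enough to read its validity period, so an expired or not-yet-valid CA is caught before `kubectl apply -k`. The `sample_cert_der()`/`sample_bundle()` inputs are constructed skeletons with a validity field, not real certificates; `today` is a parameter only so the check is reproducible.

```python
import base64
import re
from datetime import datetime, timezone

# One PEM certificate block; the base64 body may be wrapped at any width (CRLF included).
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, off=0):
    """Decode one DER TLV at buf[off:] -> (tag, value, offset after it)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                  # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def _children(value):
    """Split the content of a constructed DER value into (tag, value) children."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = _tlv(value, off)
        out.append((tag, val))
    return out


def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity (RFC 5280 4.1)."""
    tag, cert, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("does not start with a DER SEQUENCE; not a certificate")
    fields = _children(_children(cert)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version (present in v3)
        fields = fields[1:]
    nb, na = _children(fields[3][1])                  # serialNumber, signature, issuer, *validity*
    return _time(*nb), _time(*na)


def inspect_ca_bundle(data, today=None):
    """Classify a CA file and report problems; `today` is an ISO date for reproducible checks."""
    now = datetime.fromisoformat(today).replace(tzinfo=timezone.utc) if today else datetime.now(timezone.utc)
    report = {"encoding": "pem", "certs": 0, "issues": []}
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        report["encoding"] = "utf-16"
        report["issues"].append("UTF-16 text (e.g. saved with Windows PowerShell Out-File); re-save as ASCII/UTF-8")
        return report
    if data[:1] == b"\x30":
        report["encoding"] = "der"
        report["issues"].append("binary DER; convert with: openssl x509 -inform DER -in acr.cer -out acr.pem")
        return report
    if b"-----BEGIN PKCS7-----" in data:
        report["encoding"] = "pkcs7"
        report["issues"].append("PKCS#7 bundle; extract with: openssl pkcs7 -print_certs -in acr.cer -out acr.pem")
        return report
    if data.startswith(b"\xef\xbb\xbf"):
        report["issues"].append("UTF-8 BOM before the first PEM line; strip it")
    blocks = PEM_CERT.findall(data)
    if not blocks:
        report["encoding"] = "unknown"
        report["issues"].append("no -----BEGIN CERTIFICATE----- block found")
        return report
    for i, body in enumerate(blocks):
        try:
            nb, na = cert_validity(base64.b64decode(b"".join(body.split()), validate=True))
        except Exception as exc:                      # bad base64 or unexpected structure
            report["issues"].append(f"cert {i}: unreadable ({exc})")
            continue
        report["certs"] += 1
        if na < now:
            report["issues"].append(f"cert {i}: expired {na:%Y-%m-%d}")
        elif nb > now:
            report["issues"].append(f"cert {i}: not valid before {nb:%Y-%m-%d}")
    return report


def sample_cert_der(not_before=b"231005145645Z", not_after=b"261005145645Z"):
    """CONSTRUCTED test input: a certificate skeleton with the fields cert_validity walks.
    It is unsigned and has an empty issuer; it is not a real certificate."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                   # [0] version v3
           + _der(0x02, b"\x01")                                              # serialNumber
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0d"))  # sha512WithRSAEncryption
           + _der(0x30, b"")                                                  # issuer (empty Name)
           + _der(0x30, _der(0x17, not_before) + _der(0x17, not_after)))      # validity
    return _der(0x30, _der(0x30, tbs))


def sample_bundle():
    """The constructed skeleton above, PEM-armoured the way acr.cer should look."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(sample_cert_der()) + b"-----END CERTIFICATE-----\n"
```

Run it as `inspect_ca_bundle(open("acr.cer", "rb").read())` on the workstation before the secret is generated; an empty `issues` list and a `certs` count matching the chain you expect (root, plus the intermediate if the directory does not send it) is the result you want. The check says nothing about whether the chain is complete or whether these are really the CAs that signed the domain controller's certificate; `openssl s_client -CAfile`, as used later in this thread, is still the test for that.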

kurokobo commented 7 months ago

Edited to markup code blocks

kurokobo commented 7 months ago

@xavierfleury Hi, thanks for using my guide.

Could you share how you've configured LDAP on AWX? Also, have you confirmed that your acr.cer is in PEM format, and that LDAP over SSL works from clients other than AWX?

I mean, we need to know which side is causing this issue, AWX or LDAP.

xavierfleury commented 7 months ago

Hi, thanks for the reply. Here is my config in AWX:

LDAP server URI: ldaps://xxxx.xx.xxx.xx:686
LDAP group type: MemberDNGroupType
TLS disabled
LDAP bind DN and LDAP bind password configured
LDAP user search: [ "OU=XXX,OU=XXX-XXXX,OU=XX,OU=XXXXXXX,OU=XXXXXXXXXXX,DC=XXXXXXXXX,DC=XXXXXX,DC=XX", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ]
LDAP group search: [ "OU=XXX,OU=XXX-XXXX,OU=XX,OU=XXXXXXX,OU=XXXXXXXXXXX,DC=XXXXXXXXX,DC=XXXXXX,DC=XX", "SCOPE_SUBTREE", "(objectClass=group)" ]

LDAP USER FLAGS BY GROUP

{
  "is_superuser": [ "CN=XXXXXX,OU=XX,OU=XXXXXX,OU=XXXXXX,OU=X,OU=XXXXXX,DC=XXXXXXX,DC=XXXX,DC=XX" ],
  "is_system_auditor": [ "CN=XXXXXX,OU=XX,OU=XXXXXX,OU=XXXXXX,OU=X,OU=XXXXXX,DC=XXXXXXX,DC=XXXX,DC=XX" ]
}

Thanks for the reply.

xavierfleury commented 7 months ago

Also have you confirmed that your acr.cer is in PEM format?

My certificate is in pem format, it starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----

xavierfleury commented 7 months ago

Hello, when I run the command echo | openssl s_client -connect xxxxxxxxxxxxx.xxxx.xx:636 -no-CAfile -CAfile /etc/openldap/certs/ldap-ca.crt it does return Verification: OK. Thanks in advance.

xavierfleury commented 7 months ago

Excuse me, how do I run an ldapsearch query on the awx-web pod to validate the LDAPS connection? Thanks in advance.

xavierfleury commented 7 months ago

I just remembered that I was able to authenticate against our Active Directory over LDAPS through the Rundeck client. Thanks in advance.

kurokobo commented 7 months ago

Thanks for updating.

echo | openssl s_client -connect xxxxxxxxxxxxx.xxxx.xx:636 -no-CAfile -CAfile /etc/openldap/certs/ldap-ca.crt

This is invoked inside the awx-web container, right? Is there anything wrong in the lines other than Verification: OK?

how to make an ldapsearch quetet on awx-web pod to validate ldaps connection

That's the hard way, so first ensure ldapsearch works from a newly created pod:

# Launch new pod of CentOS Stream 9 named `ldaps-debug` with root privilege
$ kubectl -n awx run ldaps-debug --restart=Never -it --rm --image=quay.io/centos/centos:stream9
...
[root@ldaps-debug /]#

Open another terminal, then copy your PEM file into this pod:

# Copy your PEM into the /tmp inside the pod
$ kubectl -n awx cp /path/to/your/local/pem/file/acr.cer ldaps-debug:/tmp

Go back to the first terminal, ensure the file is available in the pod, and install openldap-clients.

[root@ldaps-debug /]# ls -l /tmp
total 4
-rw-rw-r--. 1 1000 1000 1237 Feb 13 12:41 acr.cer

[root@ldaps-debug /]# dnf install -y openldap-clients
...
Installed:
  openldap-clients-2.6.6-1.el9.x86_64                                        

Complete!

Now you can do everything you want such as ldapsearch with your PEM file:

[root@ldaps-debug /]# LDAPTLS_CACERT=/tmp/acr.cer ldapsearch ...

Note that this pod will be completely removed after you run exit inside it.

[root@ldaps-debug /]# exit
exit
pod "ldaps-debug" deleted
$

xavierfleury commented 7 months ago

Thanks for the quick and accurate answer, I'll get back to you as soon as possible about the ldapsearch query.

Here are the OpenSSL logs:

echo | openssl s_client -connect ***:636 -no-CAfile -CAfile /etc/openldap/certs/ldap-ca.crt
CONNECTED(00000003)
depth=2 CN = *, OU = * ***, O = ***, C = *
verify return:1
depth=1 CN = ****, OU = **, O = *****, C = *
verify return:1
depth=0 CN = *, OU = **, O = *, C = ****
verify return:1
Certificate chain
 0 s:CN = c****
   i:CN = *, OU = ****, O = ***, C = *
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA512
   v:NotBefore: Oct  5 14:56:45 2023 GMT; NotAfter: Oct  5 14:56:45 2026 GMT
 1 s:CN = ***, OU = ***, O = **, C = *
   i:CN = , OU = , O = ***, C = **
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA512
   v:NotBefore: Mar 31 12:06:52 2023 GMT; NotAfter: Mar 30 12:06:52 2033 GMT
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = *****, OU = 0002 110010014, O = *, C =
issuer=CN = ****, OU = 0002 110010014, O = *****, C = *
... omit ...
... omit ...
... omit ...
... omit ...
... omit ...
... omit ...
... omit ...
SSL handshake has read 4159 bytes and written 464 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 36250000F11B89DFDBE7716FA194E427E0C909452661E950CD8EB088A58A02D4
    Session-ID-ctx:
    Master-Key: C7A844855337F0223EB73A91C0FCCE1345A8C86C569CC7125246E5B05F01BDBF2600A81C49CCA1EE81828B1E8AF6AF1C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1707830416
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
DONE
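
The s_client output above proves two things only: the domain controller's chain verifies against ldap-ca.crt, and TCP port 636 is reachable from wherever the command was run. The failure in the issue's log is different in kind: SERVER_DOWN with errno 110 (ETIMEDOUT) means the TCP connect from the awx-web pod never completed, so no certificate was ever exchanged and the CA bundle could not have been the cause of that particular error. The script below is an added example, not part of this thread or of the awx-on-k3s guide; it does, from a single Python standard-library file, what the debug pod plus ldapsearch route described earlier does: parse the AWX "LDAP Server URI" (flagging a port that is not the default for the scheme, since a wrong port produces exactly a timeout rather than a TLS error), open a verified TLS connection with an explicit CA file like `openssl s_client -CAfile`, send an anonymous LDAPv3 BindRequest and decode the BindResponse, and turn any exception into the next thing to check. The URIs in the assumptions below are constructed; `sample_bind_response()` builds the bytes a directory server would return so the decoder can be tested offline. Unlike the s_client dump, which prints the TLS Session-ID and Master-Key, `probe()` reports only the verification outcome and the bind result.

```python
import socket
import ssl
from urllib.parse import urlsplit

LDAP_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uri(uri):
    """Split an AWX 'LDAP Server URI' into (scheme, host, port, warnings)."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    if scheme not in LDAP_PORTS or not p.hostname:
        raise ValueError(f"expected ldap://host[:port] or ldaps://host[:port], got {uri!r}")
    port = p.port or LDAP_PORTS[scheme]
    warnings = []
    if port != LDAP_PORTS[scheme]:
        warnings.append(f"port {port} is not the default {LDAP_PORTS[scheme]} for {scheme}; "
                        "confirm the directory listens there (a wrong port times out, it does not fail TLS)")
    if scheme == "ldap":
        warnings.append("ldap:// sends the bind password in clear unless START TLS is enabled")
    return scheme, p.hostname, port, warnings


def _ber(tag, content):
    """Encode one BER/DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _tlv(buf, off=0):
    """Decode one TLV at buf[off:] -> (tag, value, offset after it)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def bind_request(msg_id=1, dn=b"", password=b""):
    """LDAPv3 BindRequest with simple auth (RFC 4511 4.2); empty DN and password = anonymous bind."""
    op = _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, dn) + _ber(0x80, password))
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + op)


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse (RFC 4511 4.2.2)."""
    _, msg, _ = _tlv(data)                       # LDAPMessage ::= SEQUENCE
    _, mid, off = _tlv(msg)                      # messageID INTEGER
    tag, op, _ = _tlv(msg, off)                  # protocolOp
    if tag != 0x61:
        raise ValueError(f"expected BindResponse [APPLICATION 1], got tag 0x{tag:02x}")
    _, code, off = _tlv(op)                      # resultCode ENUMERATED (0 = success, 49 = invalidCredentials)
    _, _matched, off = _tlv(op, off)             # matchedDN
    _, diag, _ = _tlv(op, off)                   # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def sample_bind_response(msg_id=1, code=0, diag=b""):
    """CONSTRUCTED: the BindResponse a directory server would send, for offline testing."""
    op = _ber(0x61, _ber(0x0A, bytes([code])) + _ber(0x04, b"") + _ber(0x04, diag))
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + op)


def classify_failure(exc):
    """Map the exception raised in probe() to what to look at next."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "trust: the CA file does not verify the server chain (wrong/incomplete CA, or SAN/CN mismatch)"
    if isinstance(exc, ssl.SSLError):
        return "tls: handshake failed for a non-verification reason (protocol/cipher, or a plaintext listener on this port)"
    if isinstance(exc, socket.timeout):
        return "network: no TCP answer (firewall, routing from the pod CIDR, or wrong port); HTTP proxy settings do not apply to LDAP"
    if isinstance(exc, ConnectionRefusedError):
        return "network: port closed on the host; nothing listens there"
    if isinstance(exc, socket.gaierror):
        return "dns: the hostname does not resolve from here (cluster DNS / search domains)"
    return f"other: {exc!r}"


def probe(uri, cafile=None, timeout=5.0):
    """Verified TLS connect (chain and hostname) followed by an anonymous bind; returns a report dict."""
    scheme, host, port, warnings = parse_ldap_uri(uri)
    result = {"uri": uri, "warnings": warnings}
    ctx = ssl.create_default_context(cafile=cafile)          # cafile=None -> system trust store
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        sock = ctx.wrap_socket(raw, server_hostname=host) if scheme == "ldaps" else raw
        with sock:
            result["tls"] = sock.version() if scheme == "ldaps" else None
            sock.sendall(bind_request())
            _, code, diag = parse_bind_response(sock.recv(4096))
            result["bind_result_code"], result["diagnostic"] = code, diag
    except OSError as exc:                                   # ssl and socket errors are OSError subclasses
        result["error"] = classify_failure(exc)
    return result
```

Run it from inside the awx namespace, for example `kubectl -n awx exec -it <awx-web pod> -c awx-web -- python3 probe.py` with `probe("ldaps://<your host>:636", "/etc/openldap/certs/ldap-ca.crt")` at the bottom, because the pod network is what django_auth_ldap is using; a result from the workstation, like the s_client output above, tells you nothing about a firewall between the pod CIDR and the directory. A bind result code of 0 or 49 both mean the TLS side is fine (49 just means the server requires credentials); `"error": "network: ..."` reproduces the issue's symptom and points away from the certificate. Note that `probe()` is handed the CA file explicitly, so it does not prove that python-ldap inside awx-web picks up the same file through OpenLDAP's own configuration; it isolates reachability and chain validity from that question.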

kurokobo commented 7 months ago

F.Y.I., you can wrap your code block with lines that contain three backticks. This is useful for pasting logs, files, etc.

Example:

```
this is the code block!
```

Result:

this is the code block!

xavierfleury commented 7 months ago

thanks

xavierfleury commented 7 months ago

I just did the test with ldapsearch from the temporary pod, thanks again. It succeeds; I see all the objects of the organizational unit I searched.

Is there a parameter that needs to be set up at the AWX level for authentication to be effective? Thanks in advance.

xavierfleury commented 7 months ago

My AWX server is behind a proxy

xavierfleury commented 7 months ago

Hello, sorry to bother you. Do you want me to send you the settings of my AWX server? Thank you for your feedback, thanks in advance.

xavierfleury commented 7 months ago

Thanks for the quick and accurate answer, I'll get back to you as soon as possible about the ldapsearch query.

Here are the OpenSSL logs:

echo | openssl s_client -connect *****************************:636 -no-CAfile -CAfile /etc/openldap/certs/ldap-ca.crt

CONNECTED(00000003)
depth=2 CN = ***, OU = *** *****, O = *********, C = ***
verify return:1
depth=1 CN = ********, OU = **********, O = ***************, C = ***
verify return:1
depth=0 CN = *******, OU = ******, O = *******, C = ****
verify return:1
Certificate chain
0 s:CN = c********************
i:CN = ***********, OU = ************, O = *****************, C = *****
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA512
v:NotBefore: Oct 5 14:56:45 2023 GMT; NotAfter: Oct 5 14:56:45 2026 GMT
1 s:CN = ***************, OU = ***************, O = **********, C = *****
i:CN = *************, OU = *************, O = ***********, C = **
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA512
v:NotBefore: Mar 31 12:06:52 2023 GMT; NotAfter: Mar 30 12:06:52 2033 GMT
Server certificate
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
subject=CN = *****************************, OU = 0002 110010014, O = *************, C = ****
issuer=CN = ********, OU = 0002 110010014, O = *****************, C = *****
... omit ...
... omit ...
... omit ...
... omit ...
... omit ...
... omit ...
... omit ...
SSL handshake has read 4159 bytes and written 464 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 36250000F11B89DFDBE7716FA194E427E0C909452661E950CD8EB088A58A02D4
Session-ID-ctx:
Master-Key: C7A844855337F0223EB73A91C0FCCE1345A8C86C569CC7125246E5B05F01BDBF2600A81C49CCA1EE81828B1E8AF6AF1C
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1707830416
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
DONE

Maybe it's more readable for you!!

xavierfleury commented 7 months ago

Hello, I just solved my problem: starting from a valid image, I redid the steps you gave in "Trust.....". Thanks to you for all your info.

kurokobo commented 7 months ago

Ah, sorry for my delayed response, I was about to start deploying a new lab to reproduce your issue. The root cause remains unknown, but I'm glad to hear that your issue is gone, thanks for updating. Have fun with AWX 😃

xavierfleury commented 7 months ago

Thank you for the feedback, very kind of you regarding the lab. Have a good day.