Closed xavierfleury closed 7 months ago
Edited to markup code blocks
@xavierfleury Hi, thanks for using my guide.
Could you provide how you've configured LDAP configuration on AWX?
Also have you confirmed that your acr.cer
is in PEM format, and LDAP over SSL works from other clients instead of AWX?
I mean, we should know which side is causing this issue, the AWX side or the LDAP side.
Hi, thanks for the reply. Here is my conf in AWX:
LDAP server URI: ldaps://xxxx.xx.xxx.xx:686
LDAP group type: MemberDNGroupType
TLS disabled
LDAP bind DN and LDAP bind password configured
LDAP user search: "OU=XXX,OU=XXX-XXXX,OU=XX,OU=XXXXXXX,OU=XXXXXXXXXXX,DC=XXXXXXXXX,DC=XXXXXX,DC=XX", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)"
and LDAP group search: [ "OU=XXX,OU=XXX-XXXX,OU=XX,OU=XXXXXXX,OU=XXXXXXXXXXX,DC=XXXXXXXXX,DC=XXXXXX,DC=XX", "SCOPE_SUBTREE", "(objectClass=group)" ]
LDAP USER FLAGS BY GROUP:
{ "is_superuser": [ "CN=XXXXXX,OU=XX,OU=XXXXXX,OU=XXXXXX,OU=X,OU=XXXXXX,DC=XXXXXXX,DC=XXXX,DC=XX" ], "is_system_auditor": [ "CN=XXXXXX,OU=XX,OU=XXXXXX,OU=XXXXXX,OU=X,OU=XXXXXX,DC=XXXXXXX,DC=XXXX,DC=XX" ] }
Thanks for the reply.
Also have you confirmed that your acr.cer is in PEM format?
My certificate is in PEM format; it starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----
Hello, when I run the command
echo | openssl s_client -connect xxxxxxxxxxxxx.xxxx.xx:636 -no-CAfile -CAfile /etc/openldap/certs/ldap-ca.crt
it does return "Vérification: OK". Thanks in advance.
Excuse me, how do I run an ldapsearch query on the awx-web pod to validate the LDAPS connection? Thanks in advance.
I just remembered that I was able to authenticate against our Active Directory by LDAPS through the Rundeck client. Thanks in advance.
Thanks for updating.
```
echo | openssl s_client -connect xxxxxxxxxxxxx.xxxx.xx:636 -no-CAfile -CAfile /etc/openldap/certs/ldap-ca.crt
```
This is invoked inside the awx-web container, right? Is there anything wrong with the lines other than Verification: OK?
how do I run an ldapsearch query on the awx-web pod to validate the LDAPS connection
It's a hard way, so first ensure ldapsearch works on a newly created pod:
```
# Launch new pod of CentOS Stream 9 named `ldaps-debug` with root privilege
$ kubectl -n awx run ldaps-debug --restart=Never -it --rm --image=quay.io/centos/centos:stream9
...
[root@ldaps-debug /]#
```
Open another terminal, then copy your PEM file into this pod:
```
# Copy your PEM into the /tmp inside the pod
$ kubectl -n awx cp /path/to/your/local/pem/file/acr.cer ldaps-debug:/tmp
```
Go back to the first terminal and ensure the file is available in the pod, and install openldap-clients.
```
[root@ldaps-debug /]# ls -l /tmp
total 4
-rw-rw-r--. 1 1000 1000 1237 Feb 13 12:41 acr.cer
[root@ldaps-debug /]# dnf install -y openldap-clients
...
Installed:
openldap-clients-2.6.6-1.el9.x86_64
Complete!
```
Now you can do everything you want, such as ldapsearch with your PEM file:
```
[root@ldaps-debug /]# LDAPTLS_CACERT=/tmp/acr.cer ldapsearch ...
```
Note, this pod will be completely removed after you invoke exit in the pod.
```
[root@ldaps-debug /]# exit
exit
pod "ldaps-debug" deleted
$
```
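The same checks as one script, as an added example that is not from the guide or the AWX project: it detects whether the .cer file is PEM or DER (converting DER with openssl), confirms the LDAPS handshake verifies against that CA, then runs the ldapsearch that mirrors the AWX user search above. The script name, host, bind DN, base DN and user name are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the guide: validate an LDAPS CA file and
# connection from the debug pod in one go. Arguments are assumptions:
#   sh ldaps-check.sh CA_FILE LDAP_HOST BIND_DN BASE_DN SAM_ACCOUNT_NAME

# Print "pem", "der" or "unknown" for a certificate file and return
# 0, 1 or 2 respectively. A DER certificate begins with the ASN.1
# SEQUENCE tag 0x30; a PEM one carries the BEGIN/END CERTIFICATE lines.
pem_kind() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
     && grep -q -- '-----END CERTIFICATE-----' "$1"; then
    echo pem; return 0
  fi
  first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
  if [ "$first" = "30" ]; then echo der; return 1; fi
  echo unknown; return 2
}

# Make sure $2 holds a PEM copy of $1, converting a DER .cer if needed.
to_pem() {
  case "$(pem_kind "$1")" in
    pem) cp "$1" "$2" ;;
    der) openssl x509 -inform der -in "$1" -out "$2" ;;
    *)   echo "unrecognised certificate format: $1" >&2; return 2 ;;
  esac
}

# Succeed only if the LDAPS handshake verifies against the given CA.
tls_verify() {
  out=$(echo | openssl s_client -connect "$1:636" -servername "$1" \
        -CAfile "$2" 2>&1 || true)
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Bind and search the way the AWX user search above does
# (sAMAccountName filter, subtree scope), returning dn and memberOf
# so the group DNs can be compared with the AWX group mapping.
ldaps_search() {
  LDAPTLS_CACERT="$2" ldapsearch -H "ldaps://$1:636" -x -D "$3" -W \
    -b "$4" -s sub "(sAMAccountName=$5)" dn memberOf
}

if [ $# -eq 5 ]; then
  to_pem "$1" /tmp/ca.pem && tls_verify "$2" /tmp/ca.pem \
    && ldaps_search "$2" /tmp/ca.pem "$3" "$4" "$5"
fi
```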
Thanks for the quick and accurate answer, I'll get back to you as soon as possible for the ldapsearch search
Here are the OpenSSL logs,
Server certificate -----BEGIN CERTIFICATE-----
DONE
F.Y.I., you can wrap your code block with lines that have three backquotes. This is useful for pasting logs, files, etc.
Example:
````
```
this is the code block!
```
````
Result:
```
this is the code block!
```
Thanks.
I just did the test with ldapsearch in the temporary pod, thanks again. It returns a success: I see all the objects of my search organizational unit.
Is there a parameter that needs to be set up at the AWX level for authentication to be effective? Thanks in advance.
My AWX server is behind a proxy
Hello, sorry to bother you. Do you want me to send you the settings of my AWX server? Thank you for your feedback, thanks in advance.
Thanks for the quick and accurate answer, I'll get back to you as soon as possible for the ldapsearch search
Here are the OpenSSL logs,
```
echo | openssl s_client -connect *****************************:636 -no-CAfile -CAfile /etc/openldap/certs/ldap-ca.crt
CONNECTED(00000003)
depth=2 CN = ***, OU = *** *****, O = *********, C = ***
verify return:1
depth=1 CN = ********, OU = **********, O = ***************, C = ***
verify return:1
depth=0 CN = *******, OU = ******, O = *******, C = ****
verify return:1
Certificate chain
 0 s:CN = c********************
   i:CN = ***********, OU = ************, O = *****************, C = *****
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA512
   v:NotBefore: Oct 5 14:56:45 2023 GMT; NotAfter: Oct 5 14:56:45 2026 GMT
 1 s:CN = ***************, OU = ***************, O = **********, C = *****
   i:CN = *************, OU = *************, O = ***********, C = **
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA512
   v:NotBefore: Mar 31 12:06:52 2023 GMT; NotAfter: Mar 30 12:06:52 2033 GMT
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = *****************************, OU = 0002 110010014, O = *************, C = ****
issuer=CN = ********, OU = 0002 110010014, O = *****************, C = *****
... omit ...
... omit ...
... omit ...
... omit ...
... omit ...
... omit ...
... omit ...
SSL handshake has read 4159 bytes and written 464 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 36250000F11B89DFDBE7716FA194E427E0C909452661E950CD8EB088A58A02D4
    Session-ID-ctx:
    Master-Key: C7A844855337F0223EB73A91C0FCCE1345A8C86C569CC7125246E5B05F01BDBF2600A81C49CCA1EE81828B1E8AF6AF1C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1707830416
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
DONE
```
Maybe it's more readable for you!!
Hello, I just solved my problem: starting from a valid image, I redid the steps you gave in "Trust.....". Thanks to you for all your info.
Ah, sorry for my delayed response, I was about to start deploying a new lab to reproduce your issue. The root cause remains unknown, but I'm glad to hear that your issue has gone. Thanks for updating. Have fun with AWX 😃
Thank you for the feedback, too nice for the lab, have a good day.
Environment
k3s version v1.28.6+k3s2 (c9f49a3b) go version go1.20.13
Description
Unable to connect via LDAPS to the K3S/AWX environment; with LDAP this is no problem. Thanks to you for a direction, because I'm really stuck on the interface, thanks again.
Steps to Reproduce
Logs
Files
kustomization.yaml
awx.yml