redhat-cop / infra-ansible

Tooling / Ansible to support the many aspects of infrastructure installation, setup and configuration.
Apache License 2.0

Ansible Tower LDAP member_attr error #652

Closed MAHDTech closed 3 years ago

MAHDTech commented 3 years ago

What does this PR do?

Removes the member_attr field from the template (which is added by default) by only specifying name_attr.

How should this be tested?

Run Ansible role

Is there a relevant Issue open for this?

N/A

Other Relevant info, PRs, etc.

The error received without this is as follows.

lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: 2021-10-05 08:23:31,474 WARNING  awx.conf.settings The current value "{'name_attr': 'cn', 'member_attr': 'member'}" for setting "AUTH_LDAP_GROUP_TYPE_PARAMS" is invalid.
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: Traceback (most recent call last):
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:   File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/awx/conf/settings.py", line 419, in _get_local
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:     return field.run_validation(value)
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:   File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/rest_framework/fields.py", line 568, in run_validation
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:     value = self.to_internal_value(data)
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:   File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/awx/sso/fields.py", line 510, in to_internal_value
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:     self.fail('invalid_keys', invalid_keys=keys_display)
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:   File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/rest_framework/fields.py", line 641, in fail
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:     raise ValidationError(message_string, code=key)
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: rest_framework.exceptions.ValidationError: [ErrorDetail(string='Invalid key(s): "member_attr".', code='invalid_keys')]
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: 2021-10-05 08:23:31,745 INFO     awx.api.authentication User admin performed a PUT to /api/v2/settings/ldap/ through the API
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: 2021-10-05 08:23:31,838 WARNING  awx.main.wsbroadcast Adding {'ansible-tower-6999b4886f-9htqp'} to websocket broadcast list
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: 2021-10-05 08:23:31,846 DEBUG    awx.main.wsbroadcast Connection from ansible-tower-68cc697696-4xl6f to 10.217.1.64 attempt number 0.

There are several documented workarounds and fixes, and some of the tests I completed resulted in errors such as:

# GroupOfNames OR MemberDNGroupType when member_attr field is included
lodestar-ansible-tower/ansible-tower-55b98b4594-kqmt9[ansible-tower-web]: 2021-10-12 04:47:52,209 DEBUG    django_auth_ldap uid=developer,cn=users,cn=accounts,dc=apps-crc,dc=testing is not a member of cn=lodestar-mgmt-users,cn=groups,cn=accounts,dc=apps-crc,dc=testing
lodestar-ansible-tower/ansible-tower-55b98b4594-kqmt9[ansible-tower-web]: 2021-10-12 04:47:52,209 DEBUG    django_auth_ldap Authentication failed for developer: user does not satisfy AUTH_LDAP_REQUIRE_GROUP

Removal of the member_attr field in conjunction with using GroupOfNamesType was the only pair that both allowed login and produced no errors in the logs when tested with FreeIPA v4.6.8.

Other

People to notify

cc: @redhat-cop/infra-ansible
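The traceback above comes from Tower rejecting a key in AUTH_LDAP_GROUP_TYPE_PARAMS that the selected django_auth_ldap group type cannot accept: GroupOfNamesType fixes member_attr to "member" internally and only takes name_attr, whereas MemberDNGroupType requires member_attr. The pre-flight check below is an added example, not code from this PR, the infra-ansible role or AWX. It derives the allowed and required keys from the constructor signature of the chosen group type, which is the rule the traceback's awx/sso/fields.py validator enforces as far as the error messages show. The stand-in classes reproduce only the constructor signatures of the corresponding django_auth_ldap group types and contain no LDAP logic; the trim_params helper, which drops the offending key the way this PR does in the template, is a constructed name.

```python
"""Pre-flight validation of AUTH_LDAP_GROUP_TYPE / AUTH_LDAP_GROUP_TYPE_PARAMS.

Constructed example. The classes below are stand-ins that mirror the
constructor signatures of django_auth_ldap.config group types so the check
runs offline; they implement no LDAP behaviour.
"""
import inspect
from typing import Dict, List


class LDAPGroupType:
    """Stand-in for django_auth_ldap.config.LDAPGroupType."""


class MemberDNGroupType(LDAPGroupType):
    # Requires member_attr; name_attr is optional.
    def __init__(self, member_attr, name_attr="cn"):
        self.member_attr = member_attr
        self.name_attr = name_attr


class GroupOfNamesType(MemberDNGroupType):
    # member_attr is fixed to "member" by the class itself, so passing it
    # explicitly in the params is an invalid key.
    def __init__(self, name_attr="cn"):
        super().__init__("member", name_attr)


class GroupOfUniqueNamesType(MemberDNGroupType):
    # Same idea with the uniqueMember attribute fixed.
    def __init__(self, name_attr="cn"):
        super().__init__("uniqueMember", name_attr)


class PosixGroupType(LDAPGroupType):
    def __init__(self, name_attr="cn"):
        self.name_attr = name_attr


GROUP_TYPES = {
    cls.__name__: cls
    for cls in (MemberDNGroupType, GroupOfNamesType, GroupOfUniqueNamesType, PosixGroupType)
}


def _constructor_keys(cls):
    """Return (allowed, required) parameter names of cls.__init__, minus self."""
    params = [p for p in inspect.signature(cls.__init__).parameters.values() if p.name != "self"]
    allowed = {p.name for p in params}
    required = {p.name for p in params if p.default is inspect.Parameter.empty}
    return allowed, required


def validate_group_type_params(group_type: str, params: Dict[str, str]) -> List[str]:
    """Return the problems Tower would raise for this pair; empty means acceptable.

    Messages follow the wording seen in the PR traceback ('Invalid key(s): ...').
    """
    cls = GROUP_TYPES.get(group_type)
    if cls is None:
        return ['Unknown group type "%s".' % group_type]
    allowed, required = _constructor_keys(cls)
    problems = []
    invalid = sorted(set(params) - allowed)
    if invalid:
        problems.append("Invalid key(s): %s." % ", ".join('"%s"' % k for k in invalid))
    missing = sorted(required - set(params))
    if missing:
        problems.append("Missing required key(s): %s." % ", ".join('"%s"' % k for k in missing))
    return problems


def trim_params(group_type: str, params: Dict[str, str]) -> Dict[str, str]:
    """Drop keys the group type cannot accept (the fix this PR applies to the template)."""
    cls = GROUP_TYPES[group_type]
    allowed, _ = _constructor_keys(cls)
    return {k: v for k, v in params.items() if k in allowed}


if __name__ == "__main__":
    # The exact setting from the traceback, constructed here for illustration.
    bad = {"name_attr": "cn", "member_attr": "member"}
    print("GroupOfNamesType + member_attr:", validate_group_type_params("GroupOfNamesType", bad))
    print("after trim:", trim_params("GroupOfNamesType", bad))
    print("MemberDNGroupType + member_attr:", validate_group_type_params("MemberDNGroupType", bad))
```

Running the check locally before the role issues its PUT to /api/v2/settings/ldap/ turns the validation warning in the Tower log into a failed play with a readable message, and the trimmed params are what the template ends up sending once member_attr is removed.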