AD/LDAP cert needed for authentication


Paul Archer

Oct 10, 2017, 1:40:11 PM
to AWX Project
I'm trying to use LDAP authentication to connect to AD. I want to use TLS (configure awx -> subcategory: ldap -> 'ldap start tls'), but I need to add the CACert for the AD server.
If AWX weren't docker'ized, I'd add it in /etc/openldap/certs, but with docker, I have no idea where/how to add the cert. Any ideas?

Paul

Matthew Jones

Oct 10, 2017, 2:20:52 PM
to Paul Archer, AWX Project
In this case, until we support it at a higher level, you may need to rebuild the image with your cert installed.

--
You received this message because you are subscribed to the Google Groups "AWX Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to awx-project+unsubscribe@googlegroups.com.
To post to this group, send email to awx-p...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/awx-project/777586f5-8881-494c-962d-a5d8c88d3c16%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Matt Jones
Principal Software Engineer
Ansible Tower

Paul Archer

Oct 11, 2017, 9:32:05 AM
to AWX Project
OK, so this may not be the best forum, but see earlier comment re: "no idea where/how to add the cert." Or to put it another way, if I were to rebuild the image (which image? awx_web? awx_task?), where would the certs go in the overall directory structure of the build files, and what else would I have to modify?

Thanks,

Paul



Matthew Jones

Oct 11, 2017, 11:06:08 AM
to Paul Archer, AWX Project
It probably just needs to be added to the web container. I'll point out that our task container image is built with the web container image as a base so it would just be picked up by that.

You can see a little bit about how we add files to the image itself here:


So maybe it just needs to be put in the right location there? I'm not entirely certain.

An ideal code-level solution would be to be able to take it as a configuration option; you can see how we register them here:


which uses our conf app, located here: https://github.com/ansible/awx/tree/devel/awx/conf, to register them and present them through our API.

You could then manage the content of the cert in our sso backend to make sure it was available to the LDAP authentication backend here:


Come to think of it, some of these settings that we already have might help you instead of doing all this: https://github.com/ansible/awx/blob/devel/awx/sso/backends.py#L89-L94

I'm just not sure right at this very moment and haven't had a chance to dig into this bit much.


Cody John

Oct 31, 2017, 10:21:24 AM
to AWX Project
Paul, I have a similar requirement. Have you had any luck?

Paul Archer

Oct 31, 2017, 11:27:00 AM
to AWX Project
installer/image_build/templates/Dockerfile.j2

# Create the NSS certificate directory OpenLDAP reads on CentOS and copy the staged databases into it
RUN mkdir -p /etc/openldap/certs
ADD key3.db /etc/openldap/certs
ADD cert8.db /etc/openldap/certs

installer/image_build/tasks/main.yml

# Stage the NSS key and cert databases next to the Dockerfile so the ADD lines above can find them
- name: Stage openldap key
  copy:
    src: key3.db
    dest: '{{ docker_base_path }}'
  delegate_to: localhost

- name: Stage openldap cert
  copy:
    src: cert8.db
    dest: '{{ docker_base_path }}'
  delegate_to: localhost

Add your cert and key files to awx/installer/image_build/files/
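One way to produce the key3.db/cert8.db pair that the tasks above stage, as an added example that is not from the thread: it assumes certutil (nss-tools) is installed, that the AD CA certificate is available as a PEM file, and uses "AD Root CA" as the nickname and installer/image_build/files as the output directory by default.

```shell
#!/bin/sh
# Added example, not from the thread: build the legacy-format NSS certificate
# database (cert8.db + key3.db) that the Dockerfile copies into
# /etc/openldap/certs, starting from the AD CA certificate in PEM form.
set -eu

# Usage: build_openldap_nssdb CA_PEM [OUT_DIR] [NICKNAME]
build_openldap_nssdb() {
    ca_pem=$1
    out_dir=${2:-installer/image_build/files}   # assumed default location
    nick=${3:-"AD Root CA"}                      # assumed default nickname

    mkdir -p "$out_dir"
    # The "dbm:" prefix forces the legacy DBM format (cert8.db/key3.db).
    # Without it, newer certutil writes cert9.db/key4.db, which the
    # Dockerfile does not copy. Some recent distributions build NSS
    # without DBM support; there this step fails and the image build
    # must be adapted to the sql format instead.
    if [ ! -f "$out_dir/cert8.db" ]; then
        certutil -N -d "dbm:$out_dir" --empty-password
    fi
    # Import the CA as a trusted SSL CA: trust flags "CT,," mean
    # "trusted CA for client and server authentication", which is what
    # lets the LDAP client verify the AD server's certificate chain.
    certutil -A -d "dbm:$out_dir" -n "$nick" -t "CT,," -a -i "$ca_pem"
}

# Check: returns 0 when the database lists NICKNAME with CA trust for SSL.
# Usage: nssdb_trusts_ca OUT_DIR NICKNAME
nssdb_trusts_ca() {
    certutil -L -d "dbm:$1" | grep -F "$2" | grep -q 'CT,,'
}
```

Once the rebuilt web image is running, `openssl s_client -connect <ad-host>:636 -CAfile <ad-ca.pem>` from inside the container is a quick way to confirm the chain actually verifies against the CA you imported.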

Cody John

Oct 31, 2017, 11:52:32 AM
to AWX Project
Yeah, I've been playing with it as well and came to roughly the same steps. However, now I'm running into what seems like a bug.

I want to specify a non-FQDN host name for my LDAP server: 

ldaps://ldap:636

Whenever I try to save this in the GUI, it just... doesn't. If you don't specify a hostname with a ".", the update results in a 400 error:

10.255.255.10 - - [31/Oct/2017:15:49:32 +0000] "PATCH /api/v2/settings/all/ HTTP/1.1" 400 57 "http://server/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36" "-"


--
Cody

Cody John

Oct 31, 2017, 12:15:01 PM
to AWX Project
I've opened a bug report for it:

Selvam Elangovan

May 14, 2020, 10:44:09 AM
to AWX Project
I am using AWX 11.x. I am looking for the same option to upload an SSL cert into the AWX container. Do we still need to create an image for awx-web to port it?

Selvam Elangovan

May 16, 2020, 5:35:07 AM
to AWX Project
Can we use a config map to make it available to the awx-web container?
