Question on Configuring multiple ldap user search using awx.awx.tower_settings


rakesh boinapally

May 24, 2022, 7:43:12 AM
to AWX Project
Hello Team,

I have an Ansible playbook that uses the module awx.awx.tower_settings to set AUTH_LDAP_USER_SEARCH. I'm trying to configure two ldap_user_search entries, something like this: OU=employees,OU=users,OU=,DC=,DC=,DC=com and
OU=employees,OU=users,OU=,DC=,DC=comcast,DC=com, but it's not accepting the settings. Is it possible to add multiple user searches?

Thanks,
Rakesh Boinapally

AWX Project

Jun 2, 2022, 12:25:09 PM
to AWX Project
In the help bubble for user search it says: "If multiple search queries need to be supported, use of 'LDAPUnion' is possible. See the documentation for details."
The docs being referred to are located at https://docs.ansible.com/automation-controller/latest/html/administration/ldap_auth.html
If you search for LDAP USER SEARCH on that page and then scroll down a tad, there is a note that says:
For multiple search queries, the proper syntax is:
[
  [
    "OU=Users,DC=northamerica,DC=acme,DC=com",
    "SCOPE_SUBTREE",
    "(sAMAccountName=%(user)s)"
  ],
  [
    "OU=Users,DC=apac,DC=corp,DC=com",
    "SCOPE_SUBTREE",
    "(sAMAccountName=%(user)s)"
  ],
  [
    "OU=Users,DC=emea,DC=corp,DC=com",
    "SCOPE_SUBTREE",
    "(sAMAccountName=%(user)s)"
  ]
]

Give that syntax a try and let us know if that works for you.

-John

rakesh boinapally

Jun 3, 2022, 1:17:51 AM
to AWX Project
I'm looking more at how I can add multiple LDAP user searches through the awx.awx.tower_settings Ansible module.
I did try to add it but had issues.

AWX Project

Jun 9, 2022, 9:50:12 AM
to AWX Project
Ah, I usually have a hard time representing arrays of arrays in YAML format myself, so I tend to use JSON format like:

    - awx.awx.settings:
        settings:
          AUTH_LDAP_USER_SEARCH: [
            [ "OU=Users,DC=northamerica,DC=acme,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ],
            [ "OU=Users,DC=apac,DC=corp,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ],
            [ "OU=Users,DC=emea,DC=corp,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ]
          ]

Let us know if that works for you.

-John

rakesh boinapally

Jun 10, 2022, 3:50:58 AM
to AWX Project
Tried this; it's not accepting it at the syntax level.

AWX Project

Jun 10, 2022, 5:39:47 AM
to AWX Project
What is the error you are getting? And what version of Ansible/AWX are you using?

-John

rakesh boinapally

Jun 10, 2022, 5:45:57 AM
to AWX Project
Following is the error that I'm receiving.
ERROR! We were unable to read either as JSON nor YAML, these are the errors we got from each:
JSON: Expecting value: line 1 column 1 (char 0)

Syntax Error while loading YAML.
  did not find expected key

The error appears to be in '/home/rakeshcomcast/awx-testing/awx-deployer/awx-configure.yml': line 110, column 10, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

      AUTH_LDAP_USER_SEARCH:[
       ["OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)"],
         ^ here

Following is the Ansible version: ansible [core 2.12.6]

AWX Project

Jun 10, 2022, 5:53:44 AM
to AWX Project
Do you have a space between AUTH_LDAP_USER_SEARCH: and the opening square bracket?
If not, that could be the issue.

If so, I am on Ansible 2.9 and I don't have a problem with the OU line you have above. Could you try sending the entire task (masking out anything private)?
Sometimes the line/column numbers point to the wrong place if the error is syntax related.

-John

rakesh boinapally

Jun 10, 2022, 6:29:52 AM
to awx-p...@googlegroups.com
Tried that option too; below is the exact one, still having the same error:

      AUTH_LDAP_USER_SEARCH: [
       [ "OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)" ]
       [ "OU=employees,OU=users,OU=india,DC=apac,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)" ]
      ]


AWX Project

Jun 10, 2022, 6:32:21 AM
to AWX Project
There is a comma missing at the end of the first OU line. It should be:

      AUTH_LDAP_USER_SEARCH: [
       [ "OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)" ],
       [ "OU=employees,OU=users,OU=india,DC=apac,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)" ]
      ]

Let me know if that resolves the issue.

rakesh boinapally

Jun 10, 2022, 6:36:02 AM
to awx-p...@googlegroups.com
Sorry, somehow I deleted it. Added that comma back and still having the same error:
ERROR! We were unable to read either as JSON nor YAML, these are the errors we got from each:
JSON: Expecting value: line 1 column 1 (char 0)

Syntax Error while loading YAML.
  did not find expected key

The error appears to be in '/home/rakeshcomcast/awx-testing/awx-deployer/awx-configure.yml': line 110, column 10, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

      AUTH_LDAP_USER_SEARCH: [
       ["OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)"],
         ^ here

      AUTH_LDAP_USER_SEARCH: [
       ["OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)"],
       ["OU=employees,OU=users,OU=india,DC=apac,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)"]
      ]

rakesh boinapally

Jun 10, 2022, 6:37:22 AM
to awx-p...@googlegroups.com
I also saw something like this in the following article: https://django-auth-ldap.readthedocs.io/en/latest/authentication.html

import ldap
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion

AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch("ou=users,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"),
    LDAPSearch("ou=otherusers,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"),
)
Is it possible to use the above syntax in the Ansible awx.awx.settings module?

awx release

Jun 10, 2022, 8:57:43 AM
to AWX Project
That last code snippet is Python and can't be used directly by the module in an Ansible playbook; the module would have to be altered in order to use something like that.

However, the module already seems to be able to handle this. Here is my sample playbook that works for me:

---
- name: Set multiple LDAP user search
  hosts: localhost
  connection: local
  gather_facts: False
  tasks:
    - awx.awx.settings:
        settings:
          AUTH_LDAP_USER_SEARCH: [
            [ "OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)" ],
            [ "OU=employees,OU=users,OU=india,DC=apac,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)" ]
          ]
        controller_host: https://<my server>:8043
        controller_username: <my user>
        controller_password: <my password>
        validate_certs: False

Here is the output from ansible-playbook my_test_playbook.yml:

    [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

    PLAY [Set multiple LDAP user search] **********************************************************************************************************************************************************************************************************************************************************

    TASK [awx.awx.settings] ***********************************************************************************************************************************************************************************************************************************************************************
    [WARNING]: You are running collection version 0.0.1-devel but connecting to AWX version 21.0.1.dev120+ge7514e4547.d20220518
    changed: [localhost]

    PLAY RECAP ************************************************************************************************************************************************************************************************************************************************************************************
    localhost                  : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Maybe try just filling in the missing pieces (<my server>, <my user>, <my password>) and see if this sample helps? If not, I'm afraid I'm out of ideas. As I mentioned before, sometimes when Ansible references a specific line/column number it's not quite accurate. Maybe there is an error somewhere else in your playbook?

-John
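As an added example (not code from this thread, the awx.awx collection or django-auth-ldap), the following Python pre-checks a multi-search AUTH_LDAP_USER_SEARCH value before it is pushed with awx.awx.settings: it shows why the variant without the separating comma fails to parse (YAML flow sequences are JSON-compatible, so json.loads is enough), validates each [base_dn, scope, filter] triple, and renders the filter with the RFC 4515 escaping that django-auth-ldap applies to the login name via ldap.filter.escape_filter_chars. The VALID_SCOPES set, the inline escaping routine and the sample entries are constructed here, not taken from the thread.

```python
import json

# Scope names accepted in the setting; django-auth-ldap maps them to python-ldap's ldap.SCOPE_* constants.
VALID_SCOPES = {"SCOPE_BASE", "SCOPE_ONELEVEL", "SCOPE_SUBTREE"}

# Constructed sample: the two entries from the thread, assembled with and without the separating comma.
ENTRIES = [
    '[ "OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ]',
    '[ "OU=employees,OU=users,OU=india,DC=apac,DC=comcast,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ]',
]
MISSING_COMMA = "[\n" + "\n".join(ENTRIES) + "\n]"   # as first posted: two lists with no comma between them
FIXED = "[\n" + ",\n".join(ENTRIES) + "\n]"          # with the comma the reply pointed out

def parse_setting(text):
    """Return the parsed list, or None when the text is not valid JSON / flow-style YAML."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None

def validate_user_search(setting):
    """Structural checks on a parsed AUTH_LDAP_USER_SEARCH value; returns a list of problems (empty = OK)."""
    if not isinstance(setting, list) or not setting:
        return ["setting must be a non-empty list"]
    # A single [base_dn, scope, filter] triple is accepted as well as a list of such triples.
    entries = [setting] if isinstance(setting[0], str) else setting
    problems = []
    for i, entry in enumerate(entries):
        if not (isinstance(entry, list) and len(entry) == 3
                and all(isinstance(x, str) for x in entry)):
            problems.append(f"entry {i}: expected [base_dn, scope, filter] of three strings")
            continue
        base_dn, scope, flt = entry
        if not base_dn.strip():
            problems.append(f"entry {i}: empty base DN")
        if scope not in VALID_SCOPES:
            problems.append(f"entry {i}: unknown scope {scope!r}")
        if "%(user)s" not in flt:
            problems.append(f"entry {i}: filter has no %(user)s placeholder")
    return problems

def escape_filter_chars(value):
    """RFC 4515 escaping of a value substituted into a filter (what ldap.filter.escape_filter_chars does)."""
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(raw, esc)
    return value

def render_filter(filter_template, username):
    """Expand %(user)s the way django-auth-ldap does: the login name is escaped before substitution."""
    return filter_template % {"user": escape_filter_chars(username)}
```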
