AWX LDAPS authentication - disable REQUIRE CERT

63 views
Skip to first unread message

Joe Jones

unread,
Nov 26, 2022, 1:16:28 AM11/26/22
to AWX Project
Hello,

Running AWX 21.9 with operator 1.1.0 on K3s.

Active Directory LDAP authentication works fine, Active Directory LDAPS does not.
I have set the ldap_cacert_secret ldap-ca.crt and bundle_cacert_secret bundle-ca.crt.
The ldap-ca.crt was successfully implemented in the awx-web container, I used openssl to verify.

Within the awx-web container, I test with openssl using the AD CA cert and I get this error.
Verification error: EE certificate key too weak
Similarly, from the box hosting the k3s instance I get the same error.
In addition, from the box hosting the  k3s instance, I am unable to connect using the AD CA cert using ldapsearch. However, if I set TLS_REQCERT to Never, the connection succeeds with ldapsearch. From other older boxes, I do not get this EE certificate key too weak, openssl and ldapsearch work fine with the AD CA cert.

I believe the problem is with the AD CA cert having a weak key causing an inability to verify the SSL connection. The awx-web container ldap.py has this setting by default. ldap.OPT_X_TLS_REQUIRE_CERT:True.
So what I want to do is set either of these.  ldap.OPT_X_TLS_REQUIRE_CERT:ldap.OPT_X_TLS_NEVER
OR
 ldap.OPT_X_TLS_REQUIRE_CERT:Never.
I have tried both by updating ldap.py.j2 under the awx-operator installer role however it has no effect, I am certain it is because this is the wrong location.

Can you all help me to set TLS_REQ_CERT to Never within awx-web?

Thanks



AWX Project

unread,
Dec 9, 2022, 1:52:09 PM12/9/22
to AWX Project
Can you try going to api/v2/settings/ldap and look at the option AUTH_LDAP_CONNECTION_OPTIONS. You may be able to set OPT_* options in that field (using the little form at the bottom of the settings page). Please let us know if can set that setting and, if so, if that works for you or not.

-The AWX Team

Joe Jones

unread,
Jan 1, 2023, 10:51:33 PMJan 1
to AWX Project
Hello, thank you for the reply

I set the option under api/v2/settings/ldap

"AUTH_LDAP_CONNECTION_OPTIONS": {
          "OPT_REFERRALS": 0",
          "OPT_X_TLS_REQUIRE_CERT": "OPT_X_TLS_NEVER",
          "OPT_NETWORK_TIMEOUT": 30

It does not work unfortunately.
Do you know how I can look at any logging to find the cause of the error?

Joe Jones

unread,
Jan 2, 2023, 12:58:16 PMJan 2
to AWX Project

The setting required was NEWCTX, I saw some Reddit threads mentioning it and the below is actually referenced in the ldap constants.py.


Thanks for your help

AWX Project

unread,
Jan 4, 2023, 2:45:44 PMJan 4
to AWX Project
thanks for the followup!
Reply all
Reply to author
Forward
0 new messages