AWX LDAPS authentication - disable REQUIRE CERT


Joe Jones

Nov 26, 2022, 1:16:28 AM
to AWX Project

Running AWX 21.9 with operator 1.1.0 on K3s.

Active Directory LDAP authentication works fine, Active Directory LDAPS does not.
I have set the ldap_cacert_secret ldap-ca.crt and bundle_cacert_secret bundle-ca.crt.
The ldap-ca.crt was successfully implemented in the awx-web container, I used openssl to verify.

Within the awx-web container, I test with openssl using the AD CA cert and I get this error.
Verification error: EE certificate key too weak
Similarly, from the box hosting the k3s instance I get the same error.
In addition, from the box hosting the k3s instance, I am unable to connect using the AD CA cert using ldapsearch. However, if I set TLS_REQCERT to Never, the connection succeeds with ldapsearch. From other older boxes, I do not get this "EE certificate key too weak" error; openssl and ldapsearch work fine with the AD CA cert.

I believe the problem is with the AD CA cert having a weak key, causing an inability to verify the SSL connection. The awx-web container has this setting by default: ldap.OPT_X_TLS_REQUIRE_CERT: True.
So what I want to do is set either of these: ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER
I have tried both by updating under the awx-operator installer role; however, it has no effect. I am certain it is because this is the wrong location.

Can you all help me to set TLS_REQ_CERT to Never within awx-web?


AWX Project

Dec 9, 2022, 1:52:09 PM
to AWX Project
Can you try going to api/v2/settings/ldap and look at the option AUTH_LDAP_CONNECTION_OPTIONS. You may be able to set OPT_* options in that field (using the little form at the bottom of the settings page). Please let us know if you can set that setting and, if so, whether it works for you or not.

-The AWX Team

Joe Jones

Jan 1, 2023, 10:51:33 PM
to AWX Project
Hello, thank you for the reply.

I set the option under api/v2/settings/ldap:

          "OPT_REFERRALS": 0,
          "OPT_NETWORK_TIMEOUT": 30

It does not work unfortunately.
Do you know how I can look at any logging to find the cause of the error?

Joe Jones

Jan 2, 2023, 12:58:16 PM
to AWX Project

The setting required was NEWCTX. I saw some Reddit threads mentioning it, and the below is actually referenced in the ldap

Thanks for your help
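The two points above (OPT_* names go into AUTH_LDAP_CONNECTION_OPTIONS as strings, and the TLS options only take effect when OPT_X_TLS_NEWCTX is set after them) can be checked before touching the AWX settings page. The following is an added example, not AWX or python-ldap code: it builds that dictionary, lints it for the NEWCTX ordering mistake and for verification being switched off, and shows how the values would be applied to a python-ldap connection. The CA path and the TLS level numbering are assumptions (the numbering follows OpenLDAP's NEVER=0, HARD=1, DEMAND=2, ALLOW=3, TRY=4).

```python
import json

# python-ldap OPT_X_TLS_REQUIRE_CERT levels (OpenLDAP numbering, assumed here).
TLS_NEVER, TLS_HARD, TLS_DEMAND, TLS_ALLOW, TLS_TRY = 0, 1, 2, 3, 4


def build_ldap_connection_options(cacert_path, require_cert=TLS_DEMAND,
                                  referrals=0, network_timeout=30):
    """Return the dict for AUTH_LDAP_CONNECTION_OPTIONS (keys are OPT_* names).

    OPT_X_TLS_NEWCTX is added last on purpose: python-ldap only builds a new
    TLS context from the OPT_X_TLS_* values already set when NEWCTX is applied,
    so without it (or with it set first) REQUIRE_CERT/CACERTFILE are ignored.
    """
    opts = {
        "OPT_REFERRALS": referrals,
        "OPT_NETWORK_TIMEOUT": network_timeout,
        "OPT_X_TLS_CACERTFILE": cacert_path,
        "OPT_X_TLS_REQUIRE_CERT": require_cert,
    }
    opts["OPT_X_TLS_NEWCTX"] = 0  # must follow the other TLS options
    return opts


def lint_ldap_connection_options(opts):
    """Return findings a reviewer would raise; an empty list means no objections."""
    findings = []
    keys = list(opts)
    tls_keys = [k for k in keys
                if k.startswith("OPT_X_TLS_") and k != "OPT_X_TLS_NEWCTX"]
    if tls_keys and "OPT_X_TLS_NEWCTX" not in opts:
        findings.append("OPT_X_TLS_* set without OPT_X_TLS_NEWCTX: TLS options will not take effect")
    elif tls_keys and keys.index("OPT_X_TLS_NEWCTX") < max(keys.index(k) for k in tls_keys):
        findings.append("OPT_X_TLS_NEWCTX must come after the other OPT_X_TLS_* options")
    level = opts.get("OPT_X_TLS_REQUIRE_CERT")
    if level in (TLS_NEVER, TLS_ALLOW):
        findings.append("server certificate verification is disabled; fix the CA/key instead")
    if level in (TLS_DEMAND, TLS_HARD) and "OPT_X_TLS_CACERTFILE" not in opts:
        findings.append("REQUIRE_CERT demands verification but no OPT_X_TLS_CACERTFILE is set")
    return findings


def apply_to_connection(conn, opts):
    """Apply the options to a live python-ldap connection, one set_option per
    key in dict order (assumed to mirror how django-auth-ldap applies them)."""
    import ldap  # imported lazily so the linting above runs without python-ldap
    for name, value in opts.items():
        conn.set_option(getattr(ldap, name), value)


if __name__ == "__main__":
    opts = build_ldap_connection_options("/path/to/ldap-ca.crt")  # constructed path
    print(json.dumps(opts, indent=2), lint_ldap_connection_options(opts))
```

Paste the printed JSON into AUTH_LDAP_CONNECTION_OPTIONS; if the lint reports a finding, resolve it rather than lowering REQUIRE_CERT.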

AWX Project

Jan 4, 2023, 2:45:44 PM
to AWX Project
Thanks for the follow-up!