LDAP authentication not working.
482 views
Skip to first unread message
Michael Kelly
Mar 8, 2023, 10:18:10 AM3/8/23
to AWX Project
AWX 21.12.0 in a k3s cluster.
I'm trying to configure AWX to authenticate users using LDAP.
I've added the LDAP details to AWX and AWX is not complaining about any of them.
However, when I try to login using a username that I know can be authenticated in LDAP, I can see no attempt to contact the LDAP server.
How can I debug this?
Thanks.
Nicholas Tripp
Mar 8, 2023, 11:44:09 AM3/8/23
to AWX Project
usually the error is output in the awx_web container logs. what does it say there?
RedCrick
Mar 8, 2023, 10:39:56 PM3/8/23
to AWX Project
I had trouble getting OpenLDAP to work with AWX too (turned out I was wrong about the password) but I hope this helps:
Trouble Shooting LDAP Authentication with Ansible AWX
3) Check the secure connection to the LDAP server
If you are having trouble getting your AWX deployment to preform authentication with LDAP you might want to make sure that the container that runs the AWX web server can talk to the LDAP server over a encrypted connection. To do this follow these steps:
1) List your AWX pods like so:kubectl -n awx get pods
You are looking for the pod that has the 4 containers. In my case this is pod, awx-demo-8ded6678-gk322.
2) "exec" onto the awx-demo-web container like so:kubectl -n awx exec -it awx-demo-8ded6678-gk322 -c awx-demo-web -- /bin/bash
3) Check the secure connection to the LDAP server
From the bash prompt on the container execute:
echo | openssl s_client -connect ldap.example.com:636
Check the output. Are you getting output? You can check the dates on the certificate like so:
echo | openssl s_client -connect ldap.example.com:636 2> /dev/null | openssl x509 -noout -dates
Michael Kelly
Mar 9, 2023, 4:18:50 PM3/9/23
to AWX Project
The container can connect to the ldap server (a Debian 10 VM running ns-slapd)
bash-5.1$ echo | openssl s_client -connect <ldap-fqdn>:636 2>/dev/null | openssl x509 -noout -dates
notBefore=Jan 9 00:00:00 2023 GMT
notAfter=Jan 14 23:59:59 2024 GMT
bash-5.1$
notBefore=Jan 9 00:00:00 2023 GMT
notAfter=Jan 14 23:59:59 2024 GMT
bash-5.1$
I found this is the logs
Traceback (most recent call last):
File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/sso/backends.py", line 119, in authenticate
raise ImproperlyConfigured("{} must be an {} instance.".format(setting_name, type_))
django.core.exceptions.ImproperlyConfigured: GROUP_SEARCH must be an LDAPSearch instance.
ERROR:awx.sso.backends:Encountered an error authenticating to LDAP
File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/sso/backends.py", line 119, in authenticate
raise ImproperlyConfigured("{} must be an {} instance.".format(setting_name, type_))
django.core.exceptions.ImproperlyConfigured: GROUP_SEARCH must be an LDAPSearch instance.
ERROR:awx.sso.backends:Encountered an error authenticating to LDAP
I don't have a group search defined but AWX doesn't complain when I save a configuration with an empty group search list.
Is that a bug?
Imagine the following:
Company: example.com
AWX server: awx.example.com
LDAP server: ldap.example.com
What would be the LDAP configuration to authenticate users in
dn: cn= AWX Users,ou=Groups,dc=example,dc=com
Thanks.
RedCrick
Mar 9, 2023, 4:49:45 PM3/9/23
to AWX Project
I used:
- "LDAP Group Type" to PosixGroupType
Trouble shooting AWX LDAP Authentication Issue
I have a K3s cluster and I set up my AWX server by installing awx-operator. I also have an OpenLDAP server. My OpenLDAP server has a signed valid TLS Cert and works fine.
Next I log on to my AWX server as the 'admin' user.
You get the password for this account by executing:
kubectl get secret awx-demo-admin-password -o jsonpath={.data.password} | base64 --decode
I navigate to "Settings > LDAP Default" and filled out the form. Set:
- "LDAP Server URI" to my ldap server ldaps://ldap.example.com.
- "LDAP Bind DN" to cn=Manager,dc=example,dc=com
- "LDAP Bind Password" to the correct password you would use with `ldapsearch`.
- "LDAP Group Type" to PosixGroupType
- "LDAP User Search" to ["ou=users,dc=example,dc=com","SCOPE_SUBTREE","(uid=%(user)s)"]
- "LDAP Group Search" to ["OU=Groups,dc=example,dc=com","SCOPE_SUBTREE","(objectClass=posixGroup)"]
Everything else leave as default. Note: Of course I used my actual domain name and NOT example.com.
Then I tried to log into the AWX UI with my LDAP user account but couldn't log in. I spent days reading documentation and try things. I even accidentally locked my admin account out by clicking on "Disable the built-in authentication system" Off link. DO NOT DO THAT! I had to run an update to a table in the postgresql database to fix that.
Here is how I finally came to realize that I was entering the wrong password.
I would "tail" the log of the "awx-demo-web" container with this command:
kubectl -n awx get pods
...
kubectl -n logs -f awx-demo-9aidd-gk6dy awx-demo-web
...
and you will see messages like:
WARNING ... awx.api.generics Login failed for user red.cricket from 10.0.0.5
WARNING ... django.request Unauthorized: /api/login/
WARNING ... django.request Unauthorized: /api/login/
But nothing that will tell you why the login failed. To see why you need to change the logging level on the AWX server to DEBUG. And to do that you navigate to "Settings > Logging" and click the Edit button, then change the "Logging Aggregator Level Threshold"to "DEBUG".
Then when you attempt to login with the wrong password you will see this output in the logs:
DEBUG ... django_auth_ldap search_s(...) returned 1 objects: uid=red.cricket...
DEBUG ... django_auth_ldap Authentication failed for red.cricket: user DN/password rejected by LDAP server.
Once you have figured out what is wrong and how to correct it be sure change the logging level back to INFO.
Michael Kelly
Mar 10, 2023, 11:07:48 AM3/10/23
to AWX Project
My bad.
I had enabled TLS when I shouldn't have.
Thanks for the help.
Reply all
Reply to author
Forward
0 new messages