AWX Active Directory LDAP SSL broken certificate verify failed (EE certificate key too weak)


Gregory Machin

Mar 13, 2023, 4:49:13 PM
to AWX Project
Hi,

We are using Active Directory for user authentication, this being configured over SSL on port 636. This was working fine until this last weekend, when we installed Defender on the Active Directory and did some patching. On Monday AD users couldn't log in. In the logs I found:

2023-03-13 19:57:05,849 WARNING  [861e481d805442c8ae1b3d8e417129e8] django_auth_ldap Caught LDAPError while authenticating clubbing80: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:0A000086:SSL routines::certificate verify failed (EE certificate key too weak)'})
2023-03-13 19:57:05,851 WARNING  [861e481d805442c8ae1b3d8e417129e8] awx.api.generics Login failed for user clubbing80s from 10.42.0.145
2023-03-13 19:57:05,855 WARNING  [861e481d805442c8ae1b3d8e417129e8] django.request Unauthorized: /api/login/
2023-03-13 19:57:05,855 WARNING  [861e481d805442c8ae1b3d8e417129e8] django.request Unauthorized: /api/login/

I have searched the history here and found AWX LDAPS authentication - disable REQUIRE CERT (google.com).

In "/api/v2/settings/ldap/" I have tried to configure the following:

    "AUTH_LDAP_CONNECTION_OPTIONS": {
        "OPT_REFERRALS": 0,
        "OPT_NETWORK_TIMEOUT": 30,
        "OPT_X_TLS_NEWCTX": 0
    },

but I still get the same error:
2023-03-13 20:45:21,687 WARNING  [f3ae7128cefd460d9d90a7ac38da60d5] django_auth_ldap Caught LDAPError while authenticating clubbing80s: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:0A000086:SSL routines::certificate verify failed (EE certificate key too weak)'})
2023-03-13 20:45:21,691 WARNING  [f3ae7128cefd460d9d90a7ac38da60d5] awx.api.generics Login failed for user clubbing80s from 10.42.0.145
2023-03-13 20:45:21,698 WARNING  [f3ae7128cefd460d9d90a7ac38da60d5] django.request Unauthorized: /api/login/
2023-03-13 20:45:21,698 WARNING  [f3ae7128cefd460d9d90a7ac38da60d5] django.request Unauthorized: /api/login/

Please advise on next steps.

Greg


AWX Project

Mar 17, 2023, 1:15:13 PM
to AWX Project
Hi!

If you are simply trying to disable the cert requirement, your settings should look something like this:

    "AUTH_LDAP_CONNECTION_OPTIONS": {
        "OPT_X_TLS_REQUIRE_CERT": 0,
        "OPT_NETWORK_TIMEOUT": 30,
        "OPT_X_TLS_NEWCTX": 0,
        "OPT_REFERRALS": 0
    }

Otherwise, it seems like an LDAP server configuration issue.

AWX Team

Gregory Machin

Mar 26, 2023, 9:58:17 PM
to AWX Project
Thank you for the workaround.
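
Added example, not part of the thread and not AWX project code: a small Python triage of django_auth_ldap warnings in the shape quoted above, which reads the OpenSSL reason out of the `info` field so that a certificate rejected during TLS verification is not mistaken for an unreachable server, even though both are reported as SERVER_DOWN with "Can't contact LDAP server". The sample log lines, request IDs, user name, client address and the `kind` labels are constructed for illustration.

```python
import ast
import re

# Constructed sample lines in the shape of the warnings quoted in the thread.
# Request IDs, user name, address and the "Connection refused" line are made up.
SAMPLE_LOG = """\
2023-03-13 19:57:05,849 WARNING  [req-1] django_auth_ldap Caught LDAPError while authenticating alice: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'error:0A000086:SSL routines::certificate verify failed (EE certificate key too weak)'})
2023-03-13 19:57:05,851 WARNING  [req-1] awx.api.generics Login failed for user alice from 192.0.2.10
2023-03-13 20:10:44,120 WARNING  [req-2] django_auth_ldap Caught LDAPError while authenticating alice: SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'errno': 111, 'info': 'Connection refused'})
"""

LDAP_ERR = re.compile(
    r"django_auth_ldap Caught LDAPError while authenticating (?P<user>\S+): "
    r"(?P<exc>\w+)\((?P<detail>\{.*\})\)\s*$"
)
VERIFY = re.compile(r"certificate verify failed \((?P<reason>[^)]*)\)")


def classify(line):
    """Return a finding dict for a django_auth_ldap LDAPError line, else None."""
    m = LDAP_ERR.search(line)
    if not m:
        return None
    try:
        detail = ast.literal_eval(m["detail"])  # the exception prints a dict repr
        info = detail.get("info", "")
    except (ValueError, SyntaxError, AttributeError):
        return None
    v = VERIFY.search(info)
    if v is None:
        # No TLS verification text: treat as a transport-level failure.
        kind, reason = "network", info or detail.get("desc", "")
    elif "too weak" in v["reason"]:
        # The client's OpenSSL policy rejected a key or digest in the chain.
        kind, reason = "tls-weak-crypto", v["reason"]
    else:
        # Other verification failures (expiry, unknown issuer, ...).
        kind, reason = "tls-verify", v["reason"]
    return {"user": m["user"], "exception": m["exc"], "kind": kind, "reason": reason}


def triage(log_text):
    """Classify every LDAP error line; unrelated lines are skipped."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Setting `OPT_X_TLS_REQUIRE_CERT` to 0, as in the reply above, stops the client from verifying the server certificate at all, so the finding disappears from the logs without the certificate having changed.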