AD/LDAP cert needed for authentication

I’m trying to use LDAP authentication to connect to AD. I want to use TLS (configure awx → subcategory: ldap → ‘ldap start tls’), but I need to add the CACert for the AD server.
If AWX weren’t docker’ized, I’d add it in /etc/openldap/certs, but with docker, I have no idea where/how to add the cert. Any ideas?

Paul

In this case, until we support it at a higher level, you may need to rebuild the image with your cert installed.

OK, so this may not be the best forum, but see earlier comment re: “no idea where/how to add the cert.” Or to put it another way, if I were to rebuild the image (which image? awx_web? awx_task?), where would the certs go in the overall directory structure of the build files, and what else would I have to modify?

Thanks,

Paul

It probably just needs to be added to the web container. I’ll point out that our task container image is built with the web container image as a base so it would just be picked up by that.

You can see a little bit about how we add files to the image itself here:

https://github.com/ansible/awx/blob/devel/installer/image_build/templates/Dockerfile.j2#L24-L25

So maybe it just needs to be put in the right location there? I’m not entirely certain.

An ideal code-level solution would be to be able to take it as a configuration option; you can see how we register them here:

https://github.com/ansible/awx/blob/devel/awx/main/conf.py

Which uses our conf app located here: https://github.com/ansible/awx/tree/devel/awx/conf to register them and present them through our API.

You could then manage the content of the cert in our sso backend to make sure it was available to the LDAP authentication backend here:

https://github.com/ansible/awx/blob/devel/awx/sso/backends.py

Come to think of it, some of these settings that we already have might help you instead of doing all this: https://github.com/ansible/awx/blob/devel/awx/sso/backends.py#L89-L94

I’m just not sure right at this very moment and haven’t had a chance to dig into this bit much.

Paul, I have a similar requirement. Have you had any luck?

installer/image_build/templates/Dockerfile.j2

```dockerfile
# Create the OpenLDAP NSS certificate directory and copy the staged
# key/cert database files into it (one instruction per line).
RUN mkdir -p /etc/openldap/certs
ADD key3.db /etc/openldap/certs
ADD cert8.db /etc/openldap/certs
```

installer/image_build/tasks/main.yml

```yaml
# Stage the NSS database files into the docker build context so the
# Dockerfile's ADD instructions can find them.
- name: Stage openldap key
  copy:
    src: key3.db
    dest: '{{ docker_base_path }}'
  delegate_to: localhost

- name: Stage openldap cert
  copy:
    src: cert8.db
    dest: '{{ docker_base_path }}'
  delegate_to: localhost
```

Add your cert and key files to awx/installer/image_build/files/

Yeah, I’ve been playing with it as well and have come to roughly the same steps. However, now I’m running into what seems like a bug.

I want to specify a non-FQDN host name for my LDAP server:

ldaps://ldap:636

Whenever I try to save this in the GUI, it just…doesn’t. If you don’t specify a hostname with a “.”, the update results in a 400 error:

```
10.255.255.10 - - [31/Oct/2017:15:49:32 +0000] "PATCH /api/v2/settings/all/ HTTP/1.1" 400 57 "http://server/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36" "-"
```

I’ve opened a bug report for it:

https://github.com/ansible/awx/issues/537
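Before rebuilding the image with a CA file baked in, it is worth checking two things this thread runs into: that the LDAP server URI you intend to save parses (including a single-label host such as `ldap`, which the 400 error above rejected), and that the file you are about to ship is actually a PEM certificate bundle that validates the AD server's chain. The script below is an added example written for this page, not AWX code and not from any poster in the thread; it uses only the Python standard library, the function names are my own, and the `SAMPLE_PEM` value is a constructed stand-in that is not a real certificate. `probe_ldaps` needs network access to your AD server and is the one function to run for real.

```python
"""Pre-flight checks for an AWX LDAP-over-TLS setup (added example, not AWX code).

Two things the thread above trips over:
  1. the LDAP server URI: single-label hosts such as "ldap" must parse
     (the 400 error in the thread came from a validator that demanded a dot);
  2. the CA file about to be baked into the image must be a PEM bundle, and
     the AD server's chain should validate against it *before* a rebuild.
Only the standard library is used; SAMPLE_PEM at the bottom is constructed
and is not a real certificate.
"""
import base64
import re
import socket
import ssl
from urllib.parse import urlsplit

# One DNS label, RFC 1123 style: letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def validate_ldap_uri(uri):
    """Return (scheme, host, port) for an ldap:// or ldaps:// URI, else raise ValueError.

    Single-label hostnames, FQDNs and IPv4 literals are all accepted; the port
    defaults to 389 for ldap:// and 636 for ldaps://.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps: %r" % uri)
    host = parts.hostname
    if not host or not all(_LABEL.match(label) for label in host.split(".")):
        raise ValueError("invalid or missing hostname in %r" % uri)
    try:
        port = parts.port  # raises ValueError if the port is not an integer
    except ValueError:
        raise ValueError("invalid port in %r" % uri)
    if port is None:
        port = 636 if parts.scheme == "ldaps" else 389
    return parts.scheme, host, port


def is_valid_ldap_uri(uri):
    """Boolean form of validate_ldap_uri, as a form validator would use it."""
    try:
        validate_ldap_uri(uri)
        return True
    except ValueError:
        return False


def count_pem_certificates(pem_text):
    """Return how many well-formed PEM CERTIFICATE blocks pem_text contains.

    Each body must be valid base64 that decodes to DER (first byte 0x30, an
    ASN.1 SEQUENCE). An NSS database (cert8.db) or a raw DER file passed by
    mistake raises ValueError instead of being silently accepted.
    """
    bodies = _PEM_BLOCK.findall(pem_text)
    if not bodies:
        raise ValueError("no PEM CERTIFICATE blocks found")
    for body in bodies:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("certificate body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError("certificate body is not DER")
    return len(bodies)


def probe_ldaps(uri, cafile):
    """Open a TLS connection to the server in `uri`, trusting only `cafile`.

    Returns the peer certificate's subject on success. Needs network access,
    so the offline checks do not call it. Hostname verification is on, so the
    host in the URI must appear in the server certificate's SAN: if AD's cert
    only names ad.example.com, a URI of ldaps://ldap:636 fails here just as
    it would inside AWX.
    """
    scheme, host, port = validate_ldap_uri(uri)
    if scheme != "ldaps":
        raise ValueError("probe_ldaps expects an ldaps:// URI")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


# Constructed sample: base64 of the DER bytes 30 03 02 01 01 (a SEQUENCE
# holding INTEGER 1), enough to exercise the structural check; NOT a certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(validate_ldap_uri("ldaps://ldap:636"))
    print(count_pem_certificates(SAMPLE_PEM))
```

Run `probe_ldaps("ldaps://<your-ad-host>:636", "/path/to/ca.pem")` from a host that can reach AD; if it succeeds with hostname checking on, the same CA file and URI will work once the file is inside the container, and if it fails on the hostname, the fix is a URI that matches the certificate's SAN rather than a rebuild.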

I am using AWX 11.x. I am looking for the same option to upload an SSL cert into the AWX container. Do we still need to build an image for awx-web to get it in?

Can we use a ConfigMap to make it available to the awx-web container?