AWX Authenticating to Windows AD error

Hello,
I seem to be getting an error when testing user logins to AWX from Microsoft AD.

My LDAP configuration is below:

```json

{
"AUTH_LDAP_SERVER_URI": "",
"AUTH_LDAP_BIND_DN": "",
"AUTH_LDAP_BIND_PASSWORD": "",
"AUTH_LDAP_START_TLS": false,
"AUTH_LDAP_CONNECTION_OPTIONS": {
"OPT_REFERRALS": 0,
"OPT_NETWORK_TIMEOUT": 30
},
"AUTH_LDAP_USER_SEARCH": ,
"AUTH_LDAP_USER_DN_TEMPLATE": null,
"AUTH_LDAP_USER_ATTR_MAP": {},
"AUTH_LDAP_GROUP_SEARCH": ,
"AUTH_LDAP_GROUP_TYPE": "MemberDNGroupType",
"AUTH_LDAP_GROUP_TYPE_PARAMS": {
"name_attr": "cn",
"member_attr": "member"
},
"AUTH_LDAP_REQUIRE_GROUP": null,
"AUTH_LDAP_DENY_GROUP": null,
"AUTH_LDAP_USER_FLAGS_BY_GROUP": {},
"AUTH_LDAP_ORGANIZATION_MAP": {},
"AUTH_LDAP_TEAM_MAP": {},
"AUTH_LDAP_1_SERVER_URI": "ldap://10.150.10.150:389",
"AUTH_LDAP_1_BIND_DN": "CN=ansible1,OU=automation,DC=ad,dc=example,DC=local",
"AUTH_LDAP_1_BIND_PASSWORD": "$encrypted$",
"AUTH_LDAP_1_START_TLS": false,
"AUTH_LDAP_1_CONNECTION_OPTIONS": {
"OPT_REFERRALS": 0,
"OPT_NETWORK_TIMEOUT": 30
},
"AUTH_LDAP_1_USER_SEARCH": ,
"AUTH_LDAP_1_USER_DN_TEMPLATE": null,
"AUTH_LDAP_1_USER_ATTR_MAP": {
"first_name": "givenName",
"last_name": "sn",
"email": "userPrincipalName"
},
"AUTH_LDAP_1_GROUP_SEARCH": [
"CN=ansible-tower,OU=Users,DC=ad,DC=example,DC=local",
"SCOPE_SUBTREE",
"(objectClass=groupOfNames)"
],
"AUTH_LDAP_1_GROUP_TYPE": "ActiveDirectoryGroupType",
"AUTH_LDAP_1_GROUP_TYPE_PARAMS": {},
"AUTH_LDAP_1_REQUIRE_GROUP": null,
"AUTH_LDAP_1_DENY_GROUP": null,
"AUTH_LDAP_1_USER_FLAGS_BY_GROUP": {
"is_superuser": [
"cn=ansible-tower,OU=Users,DC=ad,DC=example,DC=local"
]
},
"AUTH_LDAP_1_ORGANIZATION_MAP": {
"TSG": {
"users": [
"CN=ansible-tower-users,CN=Users,DC=ad,DC=example,DC=local"
],
"admins": [
"CN=ansible-tower-admins,CN=Users,DC=ad,DC=example,DC=local"
],
"remove_users": false,
"remove_admins": false
}
},
"AUTH_LDAP_1_TEAM_MAP": {},
"AUTH_LDAP_2_SERVER_URI": "",
"AUTH_LDAP_2_BIND_DN": "",
"AUTH_LDAP_2_BIND_PASSWORD": "",
"AUTH_LDAP_2_START_TLS": false,
"AUTH_LDAP_2_CONNECTION_OPTIONS": {
"OPT_REFERRALS": 0,
"OPT_NETWORK_TIMEOUT": 30
},
"AUTH_LDAP_2_USER_SEARCH": ,
"AUTH_LDAP_2_USER_DN_TEMPLATE": null,
"AUTH_LDAP_2_USER_ATTR_MAP": {},
"AUTH_LDAP_2_GROUP_SEARCH": ,
"AUTH_LDAP_2_GROUP_TYPE": "MemberDNGroupType",
"AUTH_LDAP_2_GROUP_TYPE_PARAMS": {
"member_attr": "member",
"name_attr": "cn"
},
"AUTH_LDAP_2_REQUIRE_GROUP": null,
"AUTH_LDAP_2_DENY_GROUP": null,
"AUTH_LDAP_2_USER_FLAGS_BY_GROUP": {},
"AUTH_LDAP_2_ORGANIZATION_MAP": {},
"AUTH_LDAP_2_TEAM_MAP": {},
"AUTH_LDAP_3_SERVER_URI": "",
"AUTH_LDAP_3_BIND_DN": "",
"AUTH_LDAP_3_BIND_PASSWORD": "",
"AUTH_LDAP_3_START_TLS": false,
"AUTH_LDAP_3_CONNECTION_OPTIONS": {
"OPT_REFERRALS": 0,
"OPT_NETWORK_TIMEOUT": 30
},
"AUTH_LDAP_3_USER_SEARCH": ,
"AUTH_LDAP_3_USER_DN_TEMPLATE": null,
"AUTH_LDAP_3_USER_ATTR_MAP": {},
"AUTH_LDAP_3_GROUP_SEARCH": ,
"AUTH_LDAP_3_GROUP_TYPE": "MemberDNGroupType",
"AUTH_LDAP_3_GROUP_TYPE_PARAMS": {
"member_attr": "member",
"name_attr": "cn"
},
"AUTH_LDAP_3_REQUIRE_GROUP": null,
"AUTH_LDAP_3_DENY_GROUP": null,
"AUTH_LDAP_3_USER_FLAGS_BY_GROUP": {},
"AUTH_LDAP_3_ORGANIZATION_MAP": {},
"AUTH_LDAP_3_TEAM_MAP": {},
"AUTH_LDAP_4_SERVER_URI": "",
"AUTH_LDAP_4_BIND_DN": "",
"AUTH_LDAP_4_BIND_PASSWORD": "",
"AUTH_LDAP_4_START_TLS": false,
"AUTH_LDAP_4_CONNECTION_OPTIONS": {
"OPT_REFERRALS": 0,
"OPT_NETWORK_TIMEOUT": 30
},
"AUTH_LDAP_4_USER_SEARCH": ,
"AUTH_LDAP_4_USER_DN_TEMPLATE": null,
"AUTH_LDAP_4_USER_ATTR_MAP": {},
"AUTH_LDAP_4_GROUP_SEARCH": ,
"AUTH_LDAP_4_GROUP_TYPE": "MemberDNGroupType",
"AUTH_LDAP_4_GROUP_TYPE_PARAMS": {
"member_attr": "member",
"name_attr": "cn"
},
"AUTH_LDAP_4_REQUIRE_GROUP": null,
"AUTH_LDAP_4_DENY_GROUP": null,
"AUTH_LDAP_4_USER_FLAGS_BY_GROUP": {},
"AUTH_LDAP_4_ORGANIZATION_MAP": {},
"AUTH_LDAP_4_TEAM_MAP": {},
"AUTH_LDAP_5_SERVER_URI": "",
"AUTH_LDAP_5_BIND_DN": "",
"AUTH_LDAP_5_BIND_PASSWORD": "",
"AUTH_LDAP_5_START_TLS": false,
"AUTH_LDAP_5_CONNECTION_OPTIONS": {
"OPT_REFERRALS": 0,
"OPT_NETWORK_TIMEOUT": 30
},
"AUTH_LDAP_5_USER_SEARCH": ,
"AUTH_LDAP_5_USER_DN_TEMPLATE": null,
"AUTH_LDAP_5_USER_ATTR_MAP": {},
"AUTH_LDAP_5_GROUP_SEARCH": ,
"AUTH_LDAP_5_GROUP_TYPE": "MemberDNGroupType",
"AUTH_LDAP_5_GROUP_TYPE_PARAMS": {
"member_attr": "member",
"name_attr": "cn"
},
"AUTH_LDAP_5_REQUIRE_GROUP": null,
"AUTH_LDAP_5_DENY_GROUP": null,
"AUTH_LDAP_5_USER_FLAGS_BY_GROUP": {},
"AUTH_LDAP_5_ORGANIZATION_MAP": {},
"AUTH_LDAP_5_TEAM_MAP": {}
}

```

I am getting the following error in the web Docker container:

```

2019-09-16 18:35:13,694 WARNING django_auth_ldap AUTH_LDAP_USER_SEARCH must be an LDAPSearch instance. while authenticating ellen.ripley
2019-09-16 18:35:13,695 ERROR awx.sso.backends Encountered an error authenticating to LDAP
Traceback (most recent call last):
File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/awx/sso/backends.py", line 128, in authenticate
return super(LDAPBackend, self).authenticate(request, username, password)
File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/django_auth_ldap/backend.py", line 150, in authenticate
user = self.authenticate_ldap_user(ldap_user, password)
File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/django_auth_ldap/backend.py", line 210, in authenticate_ldap_user
return ldap_user.authenticate(password)
File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/django_auth_ldap/backend.py", line 348, in authenticate
self._authenticate_user_dn(password)
File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/django_auth_ldap/backend.py", line 471, in _authenticate_user_dn
if self.dn is None:
File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/django_auth_ldap/backend.py", line 436, in dn
self._load_user_dn()
File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/django_auth_ldap/backend.py", line 509, in _load_user_dn
self._user_dn = self._search_for_user_dn()
File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/django_auth_ldap/backend.py", line 529, in _search_for_user_dn
raise ImproperlyConfigured('AUTH_LDAP_USER_SEARCH must be an LDAPSearch instance.')
django.core.exceptions.ImproperlyConfigured: AUTH_LDAP_USER_SEARCH must be an LDAPSearch instance.
2019-09-16 18:35:13,939 WARNING awx.api.generics Login failed for user ellen.ripley from 10.150.1.155
2019-09-16 18:35:13,960 WARNING django.request Unauthorized: /api/login/
2019-09-16 18:35:13,960 WARNING django.request Unauthorized: /api/login/

```

Thoughts?

I have the user search base defined in my config under AUTH_LDAP_USER_SEARCH.

Could you share what you have for your AUTH_LDAP_USER_SEARCH, omitting the sensitive information? Replace it with example.org or something.

[
"OU=Users,DC=example,DC=com",
"SCOPE_SUBTREE",
"(sAMAccountName=%(user)s)"
]

That's what I had at one point. It still complained.

The only differences from mine are:

Instead of `groupOfNames` I just use `group` in the group search filter.

I do use an AUTH_LDAP_REQUIRE_GROUP.

AUTH_LDAP_GROUP_TYPE is GroupOfNamesType.

There is a webinar on LDAP config for Ansible Tower on the ansible.com site that told me to make these changes via the API (note that `OPT_X_TLS_REQUIRE_CERT: 0` disables server-certificate verification, so it only takes effect, and only has a security cost, once START_TLS or an ldaps:// URI is in use):

Change:
"AUTH_LDAP_CONNECTION_OPTIONS": {
"OPT_NETWORK_TIMEOUT": 30,
"OPT_REFERRALS": 0
},
To:
"AUTH_LDAP_CONNECTION_OPTIONS": {
"OPT_X_TLS_REQUIRE_CERT": 0,
"OPT_NETWORK_TIMEOUT": 30,
"OPT_X_TLS_NEWCTX": 0,
"OPT_REFERRALS": 0

I added everything you suggested and I'm still getting access denied.

Here is my config output from the API browser:

```json

{
"AUTH_LDAP_SERVER_URI": "ldap://10.150.10.150:389",
"AUTH_LDAP_BIND_DN": "CN=ansible,OU=TSG,DC=ad,DC=example,DC=local",
"AUTH_LDAP_BIND_PASSWORD": "$encrypted$",
"AUTH_LDAP_START_TLS": false,
"AUTH_LDAP_CONNECTION_OPTIONS": {
"OPT_REFERRALS": 0,
"OPT_NETWORK_TIMEOUT": 30,
"OPT_X_TLS_NEWCTX": 0,
"OPT_X_TLS_REQUIRE_CERT": 0
},
"AUTH_LDAP_USER_SEARCH": [
"OU=TSG,DC=ad,DC=example,DC=local",
"SCOPE_SUBTREE",
"(sAMAccountName=%(user)s)"
],
"AUTH_LDAP_USER_DN_TEMPLATE": "uid=(sAMAccountName=%(user)s),OU=TSG,DC=ad,DC=example,DC=local",
"AUTH_LDAP_USER_ATTR_MAP": {
"first_name": "givenName",
"last_name": "sn",
"email": "userPrincipalName"
},
"AUTH_LDAP_GROUP_SEARCH": [
"CN=ansible1,OU=TSG,DC=ad,DC=example,DC=local",
"SCOPE_SUBTREE",
"(objectClass=groupOfNames)"
],
"AUTH_LDAP_GROUP_TYPE": "GroupOfNamesType",
"AUTH_LDAP_GROUP_TYPE_PARAMS": {},
"AUTH_LDAP_REQUIRE_GROUP": null,
"AUTH_LDAP_DENY_GROUP": null,
"AUTH_LDAP_USER_FLAGS_BY_GROUP": {
"is_superuser": [
"CN=ansible,OU=TSG,DC=ad,DC=example,DC=local"
]
},
"AUTH_LDAP_ORGANIZATION_MAP": {
"TSG": {
"users": [
"CN=ansible1,CN=Users,DC=ad,DC=example,DC=local"
],
"admins": [
"CN=ansible1,CN=Users,DC=ad,DC=example,DC=local"
],
"remove_users": false,
"remove_admins": false
}
},

```

Did the error message change after you made the changes @mike.charchuk suggested? I remember getting this set up was tough, but the error messages in the web container were generally good at pointing me in the right direction.

I remember getting some login errors, and it turned out I needed to set the LDAPTLS_REQCERT environment variable to get it working right (bear in mind that relaxing LDAPTLS_REQCERT turns off server-certificate checking for TLS connections, so it is a troubleshooting step rather than a setting to leave in place).

No, unfortunately.