AWX k8s LDAP Active directory integration issues

Hello all,

I am trying to integrate my AWX 21.11.0 with Active Directory under Settings > LDAP, but it is not working. I have installed AWX using awx-operator in a 2-node k8s cluster.

pods: kubectl get pods -n awx
NAME READY STATUS RESTARTS AGE
awx-69c4767956-bnjw7 4/4 Running 0 212d
awx-69c4767956-d89s9 4/4 Running 0 212d
awx-operator-controller-manager-77c67cb7c6-qjq8s 2/2 Running 3 (60d ago) 102d
awx-postgres-13-0 1/1 Running 0 212d

I am using service_type: nodeport
http://10.26.48.153:30082 >>> is my awx instance

I have enabled debugging: Settings > Logging settings > Logging Aggregator Level Threshold > DEBUG

logs:
2023-09-18 20:45:17,502 DEBUG [384d09659a15497da935e586b03c065b] awx.analytics.performance request: <WSGIRequest: GET '/api/login/'>, response_time: 0.053s
10.244.0.0 - - [18/Sep/2023:20:45:17 +0000] "GET /api/login/ HTTP/1.1" 200 5714 "http://10.26.48.153:30082/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
2023-09-18 20:45:17,686 WARNING [3d3485b5cd5b4498a47ed19edc410297] awx.api.generics Login failed for user user1 from 10.244.0.0
2023-09-18 20:45:17,690 DEBUG [3d3485b5cd5b4498a47ed19edc410297] awx.analytics.performance request: <WSGIRequest: POST '/api/login/'>, response_time: 0.158s
2023-09-18 20:45:17,690 WARNING [3d3485b5cd5b4498a47ed19edc410297] django.request Unauthorized: /api/login/
2023-09-18 20:45:17,690 WARNING [3d3485b5cd5b4498a47ed19edc410297] django.request Unauthorized: /api/login/

As per the logs, I understood "Login failed for user user1 from 10.244.0.0".
10.244.0.0 is not routable in my network. Is this network internal to k8s? What is this network?

I have tried the same settings in k3s (minikube) and LDAP worked, so the password is not a problem. I believe something specific to k8s is the issue. Please let me know if I have missed anything.

How can AD integration work? I am new to k8s.

cat awx.yaml

Hello all,
Can anyone help me on this?

Try to pass your root certs through as a kube secret in the awx namespace. It took me a while to get LDAP working on K8s. Below is from my values file.

ldap_cacert_secret: awx-ssl-ca-ldap
bundle_cacert_secret: awx-ssl-ca-custom
ldap_password_secret: awx-ldap-password

kubectl create secret generic awx-ssl-ca-custom --from-file=bundle-ca.crt=/etc/ssl/certs/ca-bundle.crt --namespace="awx"
kubectl create secret generic awx-ssl-ca-ldap --from-file=ldap-ca.crt=/etc/ssl/certs/ca-bundle.crt --namespace="awx"

Hi Alex,

Are these settings (ldap_password_secret, ldap_cacert_secret, bundle_cacert_secret) needed in K8s even though TLS is OFF/DISABLED under AWX UI > Settings > ldap1?

In minikube (k3s) I didn't do any certs; I went to AWX UI > Settings > ldap1, just entered the LDAP URI, bind password and groups, and also disabled TLS. That's it, I am able to authenticate using my Active Directory credentials. So my guess is that with TLS off the same configs should work in K8s too, right? Or are certs mandatory for the AWX k8s version Active Directory integration?

If you have LDAPS or LDAP(389) with startTLS, you need it. I don't have a deep understanding of the differences of minikube vs k3s vs k8s. But in my case with K8s, it wasn't passing the certs from the OS in
/etc/ssl/certs, so I had to add them with a kube secret.
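To make the two kubectl commands from Alex's earlier reply reviewable before they touch the cluster, here is an added shell example (written for this thread, not Alex's script and not part of the AWX operator) that first checks the CA bundle actually contains PEM certificates and then emits the equivalent Secret manifests for kubectl apply -f. It assumes the secret key names used in the thread (ldap-ca.crt and bundle-ca.crt) are the ones the operator reads, and it reuses the secret names from Alex's values file; the bundle path and namespace are constructed inputs.

```shell
#!/bin/sh
# Added example for this thread; not the AWX project's own tooling.
# Assumed: the operator reads key ldap-ca.crt from ldap_cacert_secret and
# bundle-ca.crt from bundle_cacert_secret (the key names used in the thread).

# Count PEM certificate blocks in a file. Prints 0 for a file with none and
# nothing at all for a missing file (stderr is silenced).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Refuse to package an empty, missing or non-PEM bundle: a secret that holds
# no certificate still "exists", so the LDAPS/StartTLS failure stays silent.
check_ca_bundle() {
  n=$(pem_cert_count "$1")
  [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Emit the Secret manifest equivalent to
#   kubectl create secret generic NAME --from-file=KEY=FILE --namespace=NS
# so the object can be diffed and reviewed before kubectl apply -f.
ca_secret_manifest() {
  name=$1 key=$2 file=$3 ns=$4
  check_ca_bundle "$file" || { echo "no PEM certificates in $file" >&2; return 1; }
  b64=$(base64 < "$file" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$ns" "$key" "$b64"
}

# Write both manifests referenced by the thread's values file
# (ldap_cacert_secret and bundle_cacert_secret) from one bundle path.
main() {
  bundle=$1 ns=${2:-awx}
  ca_secret_manifest awx-ssl-ca-ldap   ldap-ca.crt   "$bundle" "$ns" > awx-ssl-ca-ldap.yaml
  ca_secret_manifest awx-ssl-ca-custom bundle-ca.crt "$bundle" "$ns" > awx-ssl-ca-custom.yaml
  echo "wrote awx-ssl-ca-ldap.yaml and awx-ssl-ca-custom.yaml for namespace $ns"
}

# Usage: sh make-ca-secrets.sh /etc/ssl/certs/ca-bundle.crt awx
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

Running it with the bundle path and namespace produces two YAML files you can inspect (and keep in version control, since a CA bundle is public material) before applying them; the bind password secret from ldap_password_secret is deliberately not generated here, so that value never lands in a file on disk.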

Thank you Alex. AD integration is working now.

Regards
Vish