Hello,
Running AWX 21.9 with operator 1.1.0 on K3s.
Active Directory LDAP authentication works fine, Active Directory LDAPS does not.
I have set the ldap_cacert_secret ldap-ca.crt and bundle_cacert_secret bundle-ca.crt.
The ldap-ca.crt was successfully implemented in the awx-web container, I used openssl to verify.
Within the awx-web container, I tested with openssl using the AD CA cert and I get this error:
Verification error: EE certificate key too weak
Similarly, from the box hosting the k3s instance I get the same error.
In addition, from the box hosting the k3s instance, I am unable to connect with ldapsearch using the AD CA cert. However, if I set TLS_REQCERT to Never, the connection succeeds with ldapsearch. From other, older boxes, I do not get this "EE certificate key too weak" error; openssl and ldapsearch work fine with the AD CA cert.
I believe the problem is with the AD CA cert having a weak key, causing an inability to verify the SSL connection. The awx-web container ldap.py has this setting by default: ldap.OPT_X_TLS_REQUIRE_CERT:True
So what I want to do is set either of these: ldap.OPT_X_TLS_REQUIRE_CERT:ldap.OPT_X_TLS_NEVER
OR
ldap.OPT_X_TLS_REQUIRE_CERT:Never.
I have tried both by updating ldap.py.j2 under the awx-operator installer role; however, it has no effect. I am certain it is because this is the wrong location.
Can you all help me to set TLS_REQ_CERT to Never within awx-web?
Thanks
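
Added example, not part of the original post: a shell reproduction of the "EE certificate key too weak" verification error using a throwaway PKI. In OpenSSL, "EE" is the end-entity certificate at depth 0 (the certificate the server presents), and the check depends on the security level: level 1 requires 80 bits of strength (RSA 1024), level 2 requires 112 bits (RSA 2048). The names "Example Test CA" and "dc01.example.test" and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI: "Example Test CA" and "dc01.example.test" are
# made-up names, not values from the post.

# make_pki DIR LEAF_BITS: create a 2048-bit RSA CA in DIR and a leaf
# certificate signed by it whose RSA key has LEAF_BITS bits.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey "rsa:$2" -nodes -sha256 \
        -subj "/CN=dc01.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -sha256 -days 1 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.crt" 2>/dev/null
}

# verdict DIR LEVEL: print "OK", or the first verification error line, when
# the leaf in DIR is verified against its CA at OpenSSL security level LEVEL.
verdict() {
    out=$(openssl verify -auth_level "$2" -CAfile "$1/ca.crt" "$1/leaf.crt" 2>&1) \
        && { echo "OK"; return 0; }
    printf '%s\n' "$out" | grep -o 'error [0-9]* at [0-9]* depth lookup: .*' | head -n 1
}

# Demo: the same 1024-bit leaf passes at level 1 and fails at level 2,
# while a 2048-bit leaf from the same kind of CA passes at level 2.
demo() {
    weak=$(mktemp -d); strong=$(mktemp -d)
    make_pki "$weak" 1024
    make_pki "$strong" 2048
    echo "1024-bit leaf, level 1: $(verdict "$weak" 1)"
    echo "1024-bit leaf, level 2: $(verdict "$weak" 2)"
    echo "2048-bit leaf, level 2: $(verdict "$strong" 2)"
    rm -rf "$weak" "$strong"
}
demo
```

The error is reported at depth 0, so the key being rejected belongs to the server certificate rather than the CA; reissuing that certificate with a stronger key clears the error while certificate verification stays enabled.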