Hi!
Could someone share the details of how to integrate AWX with Red Hat IdM (IPA) for authentication? I read through the doc on the Ansible Tower web page, but it is not working as expected.
Thanks & Regards,
Selvam E.
Hi!
Could someone share the details of how to integrate AWX with Red Hat IdM (IPA) for authentication? I read through the doc on the Ansible Tower web page, but it is not working as expected.
Thanks & Regards,
Selvam E.
What error message do you get?
I don’t see any error in /var/log/tower/. It seems the config itself is wrong under Settings -> Authentication -> LDAP.
Could you please guide me here.
You’re going to have to give us something to work with here.
Can you post your Tower auth LDAP settings? Hit the API with: https://your_tower/api/v2/settings/ldap/
Thanks. Here is the config. Please note that IPA is integrated with AD, hence we cannot search user accounts in IPA; the request will go to AD via group mapping.
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
X-API-Node: awx-57c89d64df-5klj7
X-API-Product-Name: AWX
X-API-Product-Version: 11.1.0
X-API-Time: 0.035s
{
“AUTH_LDAP_SERVER_URI”: “ldap://ldap01.ipa.example.com:389”,
“AUTH_LDAP_BIND_DN”: “uid=admin,cn=users,cn=compat,dc=ipa,dc=example,dc=com”,
“AUTH_LDAP_BIND_PASSWORD”: “$encrypted$”,
“AUTH_LDAP_START_TLS”: false,
“AUTH_LDAP_CONNECTION_OPTIONS”: {
“OPT_REFERRALS”: 0,
“OPT_NETWORK_TIMEOUT”: 30
},
“AUTH_LDAP_USER_SEARCH”: [
“cn=linux-server-admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com”,
“SCOPE_SUBTREE”,
“(sAMAccountName=%(user)s)”
],
“AUTH_LDAP_USER_DN_TEMPLATE”: null,
“AUTH_LDAP_USER_ATTR_MAP”: {},
“AUTH_LDAP_GROUP_SEARCH”: ,
“AUTH_LDAP_GROUP_TYPE”: “GroupOfNamesType”,
“AUTH_LDAP_GROUP_TYPE_PARAMS”: {},
“AUTH_LDAP_REQUIRE_GROUP”: “cn=linux-server-admins,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com”,
“AUTH_LDAP_DENY_GROUP”: null,
“AUTH_LDAP_USER_FLAGS_BY_GROUP”: {},
“AUTH_LDAP_ORGANIZATION_MAP”: {},
“AUTH_LDAP_TEAM_MAP”: {},
“AUTH_LDAP_1_SERVER_URI”: “”,
“AUTH_LDAP_1_BIND_DN”: “”,
“AUTH_LDAP_1_BIND_PASSWORD”: “”,
“AUTH_LDAP_1_START_TLS”: false,
“AUTH_LDAP_1_CONNECTION_OPTIONS”: {
“OPT_REFERRALS”: 0,
“OPT_NETWORK_TIMEOUT”: 30
},
“AUTH_LDAP_1_USER_SEARCH”: ,
“AUTH_LDAP_1_USER_DN_TEMPLATE”: null,
“AUTH_LDAP_1_USER_ATTR_MAP”: {},
“AUTH_LDAP_1_GROUP_SEARCH”: ,
“AUTH_LDAP_1_GROUP_TYPE”: “MemberDNGroupType”,
“AUTH_LDAP_1_GROUP_TYPE_PARAMS”: {
“member_attr”: “member”,
“name_attr”: “cn”
},
“AUTH_LDAP_1_REQUIRE_GROUP”: null,
“AUTH_LDAP_1_DENY_GROUP”: null,
“AUTH_LDAP_1_USER_FLAGS_BY_GROUP”: {},
“AUTH_LDAP_1_ORGANIZATION_MAP”: {},
“AUTH_LDAP_1_TEAM_MAP”: {},
“AUTH_LDAP_2_SERVER_URI”: “”,
“AUTH_LDAP_2_BIND_DN”: “”,
“AUTH_LDAP_2_BIND_PASSWORD”: “”,
“AUTH_LDAP_2_START_TLS”: false,
“AUTH_LDAP_2_CONNECTION_OPTIONS”: {
“OPT_REFERRALS”: 0,
“OPT_NETWORK_TIMEOUT”: 30
},
“AUTH_LDAP_2_USER_SEARCH”: ,
“AUTH_LDAP_2_USER_DN_TEMPLATE”: null,
“AUTH_LDAP_2_USER_ATTR_MAP”: {},
“AUTH_LDAP_2_GROUP_SEARCH”: ,
“AUTH_LDAP_2_GROUP_TYPE”: “MemberDNGroupType”,
“AUTH_LDAP_2_GROUP_TYPE_PARAMS”: {
“member_attr”: “member”,
“name_attr”: “cn”
},
“AUTH_LDAP_2_REQUIRE_GROUP”: null,
“AUTH_LDAP_2_DENY_GROUP”: null,
“AUTH_LDAP_2_USER_FLAGS_BY_GROUP”: {},
“AUTH_LDAP_2_ORGANIZATION_MAP”: {},
“AUTH_LDAP_2_TEAM_MAP”: {},
“AUTH_LDAP_3_SERVER_URI”: “”,
“AUTH_LDAP_3_BIND_DN”: “”,
“AUTH_LDAP_3_BIND_PASSWORD”: “”,
“AUTH_LDAP_3_START_TLS”: false,
“AUTH_LDAP_3_CONNECTION_OPTIONS”: {
“OPT_REFERRALS”: 0,
“OPT_NETWORK_TIMEOUT”: 30
},
“AUTH_LDAP_3_USER_SEARCH”: ,
“AUTH_LDAP_3_USER_DN_TEMPLATE”: null,
“AUTH_LDAP_3_USER_ATTR_MAP”: {},
“AUTH_LDAP_3_GROUP_SEARCH”: ,
“AUTH_LDAP_3_GROUP_TYPE”: “MemberDNGroupType”,
“AUTH_LDAP_3_GROUP_TYPE_PARAMS”: {
“member_attr”: “member”,
“name_attr”: “cn”
},
“AUTH_LDAP_3_REQUIRE_GROUP”: null,
“AUTH_LDAP_3_DENY_GROUP”: null,
“AUTH_LDAP_3_USER_FLAGS_BY_GROUP”: {},
“AUTH_LDAP_3_ORGANIZATION_MAP”: {},
“AUTH_LDAP_3_TEAM_MAP”: {},
“AUTH_LDAP_4_SERVER_URI”: “”,
“AUTH_LDAP_4_BIND_DN”: “”,
“AUTH_LDAP_4_BIND_PASSWORD”: “”,
“AUTH_LDAP_4_START_TLS”: false,
“AUTH_LDAP_4_CONNECTION_OPTIONS”: {
“OPT_REFERRALS”: 0,
“OPT_NETWORK_TIMEOUT”: 30
},
“AUTH_LDAP_4_USER_SEARCH”: ,
“AUTH_LDAP_4_USER_DN_TEMPLATE”: null,
“AUTH_LDAP_4_USER_ATTR_MAP”: {},
“AUTH_LDAP_4_GROUP_SEARCH”: ,
“AUTH_LDAP_4_GROUP_TYPE”: “MemberDNGroupType”,
“AUTH_LDAP_4_GROUP_TYPE_PARAMS”: {
“member_attr”: “member”,
“name_attr”: “cn”
},
“AUTH_LDAP_4_REQUIRE_GROUP”: null,
“AUTH_LDAP_4_DENY_GROUP”: null,
“AUTH_LDAP_4_USER_FLAGS_BY_GROUP”: {},
“AUTH_LDAP_4_ORGANIZATION_MAP”: {},
“AUTH_LDAP_4_TEAM_MAP”: {},
“AUTH_LDAP_5_SERVER_URI”: “”,
“AUTH_LDAP_5_BIND_DN”: “”,
“AUTH_LDAP_5_BIND_PASSWORD”: “”,
“AUTH_LDAP_5_START_TLS”: false,
“AUTH_LDAP_5_CONNECTION_OPTIONS”: {
“OPT_REFERRALS”: 0,
“OPT_NETWORK_TIMEOUT”: 30
},
“AUTH_LDAP_5_USER_SEARCH”: ,
“AUTH_LDAP_5_USER_DN_TEMPLATE”: null,
“AUTH_LDAP_5_USER_ATTR_MAP”: {},
“AUTH_LDAP_5_GROUP_SEARCH”: ,
“AUTH_LDAP_5_GROUP_TYPE”: “MemberDNGroupType”,
“AUTH_LDAP_5_GROUP_TYPE_PARAMS”: {
“member_attr”: “member”,
“name_attr”: “cn”
},
“AUTH_LDAP_5_REQUIRE_GROUP”: null,
“AUTH_LDAP_5_DENY_GROUP”: null,
“AUTH_LDAP_5_USER_FLAGS_BY_GROUP”: {},
“AUTH_LDAP_5_ORGANIZATION_MAP”: {},
“AUTH_LDAP_5_TEAM_MAP”: {}
}
Ok, I don’t have your exact setup, but I do have a working integrated IPA setup (with Tower). From what I can see, you’re not mapping anything into the AWX config though.
Here’s a snippet from my working config (note it uses plain ldap:// on port 389 with AUTH_LDAP_START_TLS set to false, so the bind password and users’ login credentials cross the network unencrypted; outside a lab, use ldaps:// or enable StartTLS):
{
"AUTH_LDAP_SERVER_URI": "ldap://idm8.demolab.local:389",
"AUTH_LDAP_BIND_DN": "uid=svc-tower,CN=users,CN=accounts,DC=demolab,DC=local",
"AUTH_LDAP_BIND_PASSWORD": "$encrypted$",
"AUTH_LDAP_START_TLS": false,
"AUTH_LDAP_CONNECTION_OPTIONS": {
"OPT_REFERRALS": 0,
"OPT_NETWORK_TIMEOUT": 30
},
"AUTH_LDAP_USER_SEARCH": [
"cn=users,cn=accounts,dc=demolab,dc=local",
"SCOPE_SUBTREE",
"(uid=%(user)s)"
],
"AUTH_LDAP_USER_DN_TEMPLATE": null,
"AUTH_LDAP_USER_ATTR_MAP": {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
},
"AUTH_LDAP_GROUP_SEARCH": [
"cn=groups,cn=accounts,dc=demolab,dc=local",
"SCOPE_SUBTREE",
"(objectClass=ipausergroup)"
],
"AUTH_LDAP_GROUP_TYPE": "GroupOfNamesType",
"AUTH_LDAP_GROUP_TYPE_PARAMS": {
"name_attr": "cn"
},
"AUTH_LDAP_REQUIRE_GROUP": "cn=tower-users,cn=groups,cn=accounts,dc=demolab,dc=local",
"AUTH_LDAP_DENY_GROUP": null,
"AUTH_LDAP_USER_FLAGS_BY_GROUP": {
"is_superuser": [
"cn=tower-admins,cn=groups,cn=accounts,dc=demolab,dc=local"
]
},
"AUTH_LDAP_ORGANIZATION_MAP": {
"demolab": {
"remove_admins": false,
"remove_users": false,
"users": true,
"admins": [
"cn=tower-admins,cn=groups,cn=accounts,dc=demolab,dc=local"
]
}
},
"AUTH_LDAP_TEAM_MAP": {
"Specialist": {
"organization": "demolab",
"remove": false,
"users": "cn=specialist,cn=groups,cn=accounts,dc=demolab,dc=local"
},
"FSI": {
"organization": "demolab",
"remove": false,
"users": "cn=fsi,cn=groups,cn=accounts,dc=demolab,dc=local"
},
"PubSec": {
"organization": "demolab",
"remove": false,
"users": "cn=pubsec,cn=groups,cn=accounts,dc=demolab,dc=local"
},
"RET": {
"organization": "demolab",
"remove": false,
"users": "cn=ret,cn=groups,cn=accounts,dc=demolab,dc=local"
},
"Alliances": {
"organization": "demolab",
"remove": false,
"users": "cn=alliances,cn=groups,cn=accounts,dc=demolab,dc=local"
},
"MMS": {
"organization": "demolab",
"remove": false,
"users": "cn=mms,cn=groups,cn=accounts,dc=demolab,dc=local"
}
},
As you can see, I’m mapping LDAP groups into organizations, teams and users.