How to update LDAP config to allow users in group of groups

Archives AWX Project
1

I have been testing authentication using LDAP, it works fine for me when i provide a group where users are members of that group. I have been reading the documents but unfortunately unable to make the configuration scenario work when i have:

LDAP Require group: Top group where all the team groups will be present.

Top Group (Group-A)
|
|
----- AWX_ADMINS - All members are admin of AWX.
|
|
----- TeamA_Group - All members have limited access which is provided to the team.
|
|
----- TeamB_Group - All members have limited access which is provided to the team.

My Current configuration works for the top group with all the users are part of that group:

LDAP Group Type: MemberDNGroupType
LDAP Require Group: CN=AWX_ADMINS,OU=Groups,DC=dr,DC=svc,DC=company,DC=com
LDAP User Search:

[
“OU=People,DC=dr,DC=svc,DC=company,DC=com”,
“SCOPE_SUBTREE”,
“(sAMAccountName=%(user)s)”
]

LDAP Group Search:

[
“OU=Groups,DC=dr,DC=svc,DC=company,DC=com”,
“SCOPE_SUBTREE”,
“(objectClass=groupOfNames)”
]

LDAP Group Type Parameters:

{
“name_attr”: “cn”,
“member_attr”: “member”
}

LDAP User Flags By Group:

{
“is_superuser”: [
“CN=AWX_ADMINS,OU=Groups,DC=dr,DC=svc,DC=company,DC=com”
]
}

How can i modify the above config in such a way that i am able to allow the users who are not directly members of the group but are members of the nested group of the LDAP Require Group. Any pointers would be really helpful.

2

Hello All,

Can someone please share few inputs for this, it would be really helpful for us.

3

Hi,

Have you tried storing one LDAP configuration for each group of users?
Like, using LDAP server Default, then LDAP 1 and LDAP 2 for each group of users.

It may not be the best solution, but it should fit your needs.

Regards,
Sergio

4

Hi Sergio,

Thanks for your response. I had the assumption that we can use just one LDAP configuration profile at one time. I will try this but, i didn’t get how multiple profiles would be helpful in allowing multiple nested groups. Could you please share some more insights, this would be really helpful for me.

Thanks in advance.

5

Hi,

have you tried to use LDAP Group Type: NestedMemberDNGroupType ?

Regards
Stefan

6

We were able to resolve this issue. For the reference of others, the related configurations can be found in the below github issue.
https://github.com/ansible/awx/issues/496

Thanks to everyone who shared their suggestions.