LDAP authentication not working.

AWX 21.12.0 in a k3s cluster.

I’m trying to configure AWX to authenticate users using LDAP.
I’ve added the LDAP details to AWX and AWX is not complaining about any of them.
However, when I try to login using a username that I know can be authenticated in LDAP, I can see no attempt to contact the LDAP server.
How can I debug this?

Thanks.

usually the error is output in the awx_web container logs. what does it say there?

I had trouble getting OpenLDAP to work with AWX too (turned out I was wrong about the password) but I hope this helps:

Troubleshooting LDAP Authentication with Ansible AWX

If you are having trouble getting your AWX deployment to perform authentication with LDAP you might want to make sure that the container that runs the AWX web server can talk to the LDAP server over an encrypted connection. To do this follow these steps:

  1. List your AWX pods like so:

kubectl -n awx get pods

You are looking for the pod that has the 4 containers. In my case this is pod, awx-demo-8ded6678-gk322.

  2. "exec" onto the awx-demo-web container like so:

kubectl -n awx exec -it awx-demo-8ded6678-gk322 -c awx-demo-web -- /bin/bash

  3. Check the secure connection to the LDAP server.
     From the bash prompt on the container execute:

echo | openssl s_client -connect ldap.example.com:636

Check the output. Are you getting output? You can check the dates on the certificate like so:

The container can connect to the ldap server (a Debian 10 VM running ns-slapd)

bash-5.1$ echo | openssl s_client -connect :636 2>/dev/null | openssl x509 -noout -dates
notBefore=Jan 9 00:00:00 2023 GMT
notAfter=Jan 14 23:59:59 2024 GMT
bash-5.1$

I found this in the logs:

Traceback (most recent call last):
File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/sso/backends.py", line 119, in authenticate
raise ImproperlyConfigured("{} must be an {} instance.".format(setting_name, type_))
django.core.exceptions.ImproperlyConfigured: GROUP_SEARCH must be an LDAPSearch instance.
ERROR:awx.sso.backends:Encountered an error authenticating to LDAP

I don’t have a group search defined but AWX doesn’t complain when I save a configuration with an empty group search list.
Is that a bug?

Imagine the following:
Company: example.com
AWX server: awx.example.com
LDAP server: ldap.example.com

What would be the LDAP configuration to authenticate users in
dn: cn= AWX Users,ou=Groups,dc=example,dc=com

Thanks.

I used:

  • "LDAP Group Type" to PosixGroupType

Here is the second part of my write up …

Troubleshooting AWX LDAP Authentication Issue

I have a K3s cluster and I set up my AWX server by installing awx-operator. I also have an OpenLDAP server. My OpenLDAP server has a signed valid TLS Cert and works fine.

Next I log on to my AWX server as the ‘admin’ user.

You get the password for this account by executing:

kubectl get secret awx-demo-admin-password -o jsonpath={.data.password} | base64 --decode

I navigated to "Settings > LDAP Default" and filled out the form. Set:

  • "LDAP Server URI" to my ldap server ldaps://ldap.example.com.
  • "LDAP Bind DN" to cn=Manager,dc=example,dc=com
  • "LDAP Bind Password" to the correct password you would use with ldapsearch.
  • "LDAP Group Type" to PosixGroupType
  • "LDAP User Search" to ["ou=users,dc=example,dc=com","SCOPE_SUBTREE","(uid=%(user)s)"]
  • "LDAP Group Search" to ["OU=Groups,dc=example,dc=com","SCOPE_SUBTREE","(objectClass=posixGroup)"]
    Everything else leave as default. Note: Of course I used my actual domain name and NOT example.com.

Then I tried to log into the AWX UI with my LDAP user account but couldn't log in. I spent days reading documentation and trying things. I even accidentally locked my admin account out by clicking on the "Disable the built-in authentication system" Off link. DO NOT DO THAT! I had to run an update to a table in the postgresql database to fix that.

Here is how I finally came to realize that I was entering the wrong password.
I would “tail” the log of the “awx-demo-web” container with this command:

kubectl -n awx get pods

kubectl -n awx logs -f awx-demo-9aidd-gk6dy awx-demo-web

and you will see messages like:

WARNING … awx.api.generics Login failed for user red.cricket from 10.0.0.5
WARNING … django.request Unauthorized: /api/login/
WARNING … django.request Unauthorized: /api/login/

But nothing that will tell you why the login failed. To see why you need to change the logging level on the AWX server to DEBUG. And to do that you navigate to "Settings > Logging" and click the Edit button, then change the "Logging Aggregator Level Threshold" to "DEBUG".

Then when you attempt to login with the wrong password you will see this output in the logs:

DEBUG … django_auth_ldap search_s(…) returned 1 objects: uid=red.cricket…
DEBUG … django_auth_ldap Authentication failed for red.cricket: user DN/password rejected by LDAP server.

Once you have figured out what is wrong and how to correct it be sure to change the logging level back to INFO.
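An added pre-flight check for the settings above (my own example, not code from this thread or from AWX): it assumes the settings-API names AUTH_LDAP_SERVER_URI, AUTH_LDAP_START_TLS, AUTH_LDAP_USER_SEARCH and AUTH_LDAP_GROUP_SEARCH behind the form fields, and flags the two failure modes seen in this thread, an empty group-search list (the "GROUP_SEARCH must be an LDAPSearch instance" traceback) and Start TLS enabled together with an ldaps:// URI, before anything is pasted into the UI.

```python
from urllib.parse import urlsplit

VALID_SCOPES = {"SCOPE_BASE", "SCOPE_ONELEVEL", "SCOPE_SUBTREE"}


def check_search(name, value):
    """Return problems with one [base_dn, scope, filter] search value."""
    if value is None:
        return []
    if value == []:
        # [] is not "unset": the form accepts it, but the backend then raises 'GROUP_SEARCH must be an LDAPSearch instance'.
        return [f"{name}: use null/omit it, not an empty list"]
    if not (isinstance(value, list) and len(value) == 3):
        return [f"{name}: expected [base_dn, scope, filter]"]
    base_dn, scope, ldap_filter = value
    problems = []
    if "=" not in base_dn:
        problems.append(f"{name}: base DN '{base_dn}' does not look like a DN")
    if scope not in VALID_SCOPES:
        problems.append(f"{name}: scope '{scope}' not in {sorted(VALID_SCOPES)}")
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        problems.append(f"{name}: filter must be parenthesised")
    return problems


def check_ldap_settings(cfg):
    """Return the misconfigurations found in an AWX LDAP settings dict (assumed setting names)."""
    problems = []
    uri = urlsplit(cfg.get("AUTH_LDAP_SERVER_URI", ""))
    if uri.scheme not in ("ldap", "ldaps"):
        problems.append("AUTH_LDAP_SERVER_URI: scheme must be ldap:// or ldaps://")
    # Start TLS upgrades a plaintext ldap:// session; on ldaps:// the socket is
    # already TLS, the upgrade fails and the login never reaches the bind.
    if uri.scheme == "ldaps" and cfg.get("AUTH_LDAP_START_TLS"):
        problems.append("AUTH_LDAP_START_TLS: disable it for an ldaps:// URI")
    if uri.scheme == "ldap" and not cfg.get("AUTH_LDAP_START_TLS"):
        problems.append("AUTH_LDAP_SERVER_URI: ldap:// without Start TLS sends the bind password in clear")
    user_search = cfg.get("AUTH_LDAP_USER_SEARCH")
    problems += check_search("AUTH_LDAP_USER_SEARCH", user_search)
    if isinstance(user_search, list) and len(user_search) == 3 and "%(user)s" not in user_search[2]:
        problems.append("AUTH_LDAP_USER_SEARCH: filter must contain %(user)s")
    problems += check_search("AUTH_LDAP_GROUP_SEARCH", cfg.get("AUTH_LDAP_GROUP_SEARCH"))
    return problems


# Constructed sample: the thread's settings, with Start TLS on by mistake and an empty group search.
SAMPLE = {
    "AUTH_LDAP_SERVER_URI": "ldaps://ldap.example.com",
    "AUTH_LDAP_START_TLS": True,
    "AUTH_LDAP_USER_SEARCH": ["ou=users,dc=example,dc=com", "SCOPE_SUBTREE", "(uid=%(user)s)"],
    "AUTH_LDAP_GROUP_SEARCH": [],
}
```

Running `check_ldap_settings(SAMPLE)` reports the Start TLS mismatch and the empty group search; clearing both yields an empty list.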

My bad.
I had enabled TLS when I shouldn’t have.

Thanks for the help.