Hello,
I'm configuring LDAP authorization in AWX (9.2.0).
Authorization passes, but mapping users to organizations based on LDAP groups does not work.
When authorizing the LDAP user sn.ivanov, the following is written to the logs:
```
2020-06-30 15:22:13,581 DEBUG django_auth_ldap search_s('OU=MIQ,DC=BANK,DC=RUS,DC=CONTOSO', 2, '(sAMAccountName=%(user)s)') returned 1 objects: cn=ivanov sergey,ou=miq,dc=bank,dc=rus,dc=contoso
2020-06-30 15:22:13,585 DEBUG django_auth_ldap Populating Django user sn.ivanov
2020-06-30 15:22:13,587 ERROR django_auth_ldap search_s('OU=MIQ,DC=STS,DC=RUS,DC=CONTOSO', 2, '(&(objectClass=group)(member=cn=ivanov sergey,ou=miq,dc=bank,dc=rus,dc=contoso))') raised REFERRAL({'desc': 'Referral', 'info': 'Referral:\nldap://sts.rus.contoso/OU=MIQ,DC=STS,DC=RUS,DC=CONTOSO'},)
2020-06-30 15:22:13,587 DEBUG django_auth_ldap search_s('OU=MIQ,DC=STS,DC=RUS,DC=CONTOSO', 2, '(&(objectClass=group)(member=cn=ivanov sergey,ou=miq,dc=bank,dc=rus,dc=contoso))') returned 0 objects:
2020-06-30 15:22:13,595 DEBUG django_auth_ldap cn=ivanov sergey,ou=miq,dc=bank,dc=rus,dc=contoso is not a member of cn=miq_admins,ou=miq,dc=sts,dc=rus,dc=contoso
2020-06-30 15:22:13,595 DEBUG django_auth_ldap cn=ivanov sergey,ou=miq,dc=bank,dc=rus,dc=contoso is not a member of ou=miq,dc=bank,dc=rus,dc=contoso
2020-06-30 15:22:13,634 INFO awx.api.generics User sn.ivanov logged in from 10.31.252.123
```
The user sn.ivanov@BANK.RUS.CONTOSO is indeed a member of the group CN=MIQ_admins,OU=MIQ,DC=STS,DC=RUS,DC=CONTOSO.
Here is /etc/krb5.conf:
```
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = STS.RUS.CONTOSO
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
RUS.CONTOSO = {
kdc = RB-ADC-F1D1-1.RUS.CONTOSO
admin_server = RB-ADC-F1D1-1.RUS.CONTOSO
}
STS.RUS.CONTOSO = {
kdc = RB-ADC-F1D3-1.STS.RUS.CONTOSO
admin_server = RB-ADC-F1D3-1.STS.RUS.CONTOSO
}
BANK.RUS.CONTOSO = {
kdc = RB-ADC-F1D2-1.BANK.RUS.CONTOSO
admin_server = RB-ADC-F1D2-1.BANK.RUS.CONTOSO
}
[domain_realm]
rus.contoso = RUS.CONTOSO
.rus.contoso = RUS.CONTOSO
sts.rus.contoso = STS.RUS.CONTOSO
.sts.rus.contoso = STS.RUS.CONTOSO
bank.rus.contoso = BANK.RUS.CONTOSO
.bank.rus.contoso = BANK.RUS.CONTOSO
```
The following is specified in the "LDAP Organization Map" authorization settings:
```json
{
  "Default": {
    "remove_admins": false,
    "admins": [
      "CN=MIQ_admins,OU=MIQ,DC=STS,DC=RUS,DC=CONTOSO",
      "OU=MIQ,DC=BANK,DC=RUS,DC=CONTOSO"
    ],
    "remove_users": false,
    "users": false
  }
}
```
Maybe you can help me with it?
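As an added diagnostic example (not part of the original post and not AWX or django-auth-ldap code): it checks which DNs in an LDAP Organization Map lie outside the naming context of the domain controller AWX is bound to, and scans django_auth_ldap log lines for group searches that raised REFERRAL. It assumes the bound server is the BANK domain (inferred from the base of the first search_s in the log above); the log and map samples are constructed from the post.

```python
import re
from typing import Dict, List

# Constructed sample: the two decisive lines from the post's django_auth_ldap log.
SAMPLE_LOG = """\
2020-06-30 15:22:13,581 DEBUG django_auth_ldap search_s('OU=MIQ,DC=BANK,DC=RUS,DC=CONTOSO', 2, '(sAMAccountName=%(user)s)') returned 1 objects: cn=ivanov sergey,ou=miq,dc=bank,dc=rus,dc=contoso
2020-06-30 15:22:13,587 ERROR django_auth_ldap search_s('OU=MIQ,DC=STS,DC=RUS,DC=CONTOSO', 2, '(&(objectClass=group)(member=cn=ivanov sergey,ou=miq,dc=bank,dc=rus,dc=contoso))') raised REFERRAL({'desc': 'Referral', 'info': 'Referral:\\nldap://sts.rus.contoso/OU=MIQ,DC=STS,DC=RUS,DC=CONTOSO'},)
"""

# Constructed sample: the LDAP Organization Map from the post.
ORG_MAP = {"Default": {"remove_admins": False, "remove_users": False, "users": False,
                       "admins": ["CN=MIQ_admins,OU=MIQ,DC=STS,DC=RUS,DC=CONTOSO",
                                  "OU=MIQ,DC=BANK,DC=RUS,DC=CONTOSO"]}}

def naming_context(dn: str) -> str:
    """Return the DC=... suffix of a DN, lower-cased (naive split: no escaped commas)."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))

def foreign_map_entries(org_map: Dict[str, dict], server_nc: str) -> List[str]:
    """DNs in the org map that are not under server_nc.

    A single domain controller only holds its own domain's naming context, so a
    search under another domain's DN returns a referral instead of entries, and
    django_auth_ldap then reports the user as 'not a member'."""
    nc = server_nc.lower()
    foreign = []
    for org in org_map.values():
        for key in ("admins", "users"):
            value = org.get(key)
            dns = value if isinstance(value, list) else ([value] if isinstance(value, str) else [])
            foreign.extend(dn for dn in dns if naming_context(dn) != nc)
    return foreign

# Matches the search base and the referral URL in a django_auth_ldap REFERRAL error line.
REFERRAL_RE = re.compile(r"search_s\('(?P<base>[^']+)'.*raised REFERRAL.*?(?P<url>ldap://[^\s'}]+)")

def referral_searches(log_text: str) -> List[dict]:
    """Return {'base', 'referral'} for every search in the log that raised REFERRAL."""
    hits = []
    for line in log_text.splitlines():
        m = REFERRAL_RE.search(line)
        if m:
            hits.append({"base": m.group("base"), "referral": m.group("url")})
    return hits

if __name__ == "__main__":
    print("outside bound domain:", foreign_map_entries(ORG_MAP, "DC=BANK,DC=RUS,DC=CONTOSO"))
    print("referred searches:", referral_searches(SAMPLE_LOG))
```

Every DN the first function reports is one the bound domain controller cannot answer for; such a group has to be looked up through a connection to its own domain (or a Global Catalog), not through the BANK server alone.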