Configuring LDAP Settings to connect via Google Secure LDAP (Google Cloud Identity)
I have difficulties connecting to the Google Secure LDAP using AWX LDAP Settings.
I created an LDAP Client in Google Workspace (Admin).
I have a TLS certificate for authentication.
I also generated what they call access credentials, which are specifically intended for systems needing username and password authentication.
I am using AWX 21.12.0 and configured the following:
The real domain is replaced by example.
URL: ldaps://ldap.google.com:636
Bind DN: cn=TheGeneratedUsername
Bind Password: The GeneratedPassword
User DN Template: uid=%(user)s,ou=Users,dc=example,dc=com
Group Type: GroupOfNamesType
Require Group: cn=tech-team,ou=Groups,dc=example,dc=com
User search
[
"ou=Users,dc=example,dc=com",
"SCOPE_SUBTREE",
"(uid=%(user)s)"
]
Group search
[
"ou=Groups,dc=example,dc=com",
"SCOPE_SUBTREE",
"(objectClass=group)"
]
User Attribute Map
{
"email": "mail",
"first_name": "givenName",
"last_name": "sn"
}
User flags
{
"is_superuser": [
"cn=tech,ou=Groups,dc=example,dc=com"
]
}
Here are the logs I get from the
2023-12-13 10:26:37,012 DEBUG [011083b6c197462aa0f013b660bc66f5] django_auth_ldap Binding as uid=firstname.lastname,ou=Users,dc=example,dc=com
2023-12-13 10:26:37,128 WARNING [011083b6c197462aa0f013b660bc66f5] django_auth_ldap Caught LDAPError while authenticating firstname.lastname: INSUFFICIENT_ACCESS({'msgtype': 97, 'msgid': 1, 'result': 50, 'desc': 'Insufficient access', 'ctrls': , 'info': 'Not authorized to authenticate password'})
The verify user credentials option in Google Workspace is enabled on the whole domain.
I can use ldapsearch in the CLI and it works. But it works using the certificate.
LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -b "dc=example,dc=com" \
-D "cn=TheGeneratedUsername" -W "(uid=firstname.lastname)"
The LDAP Client being an entry in the System Keychain on macOS with the imported certificate and key (in p12 format).
I am wondering how I could provide the certificate, which seems to be the real authentication means, as I can’t use ldapsearch without it. The username / password specified, even though they need to be correct if specified, don’t work on their own.
LDAPTLS_CERT and LDAPTLS_KEY can be used to provide the certificate and the key.
But I am unsure how it can be specified to be used by the AWX LDAP client and where I should put these files.
Any help or hint is appreciated.
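Added example (not code from the original post or from the AWX project): the ldapsearch call above relies on LDAPTLS_CERT / LDAPTLS_KEY, and the equivalent in python-ldap, the library django-auth-ldap (and therefore AWX) opens its connections with, is the OPT_X_TLS_CERTFILE / OPT_X_TLS_KEYFILE options followed by OPT_X_TLS_NEWCTX. The block below builds that option set, uses it for a bind and user search that mirror the settings in the post, and renders the same options as JSON. Assumptions: the certificate and key have been exported from the p12 to the placeholder paths, AWX's "LDAP Connection Options" setting resolves option names with getattr(ldap, name) and passes the dict through to set_option in order, and the files are present inside the AWX containers.

```python
"""Present a client certificate to Google Secure LDAP via python-ldap.

Added example, not code from the original post.  The paths below are
constructed placeholders for the cert/key exported from the p12 file.
"""
import json

CLIENT_CERT = "/etc/ldap/google-ldap-client.crt"  # constructed placeholder
CLIENT_KEY = "/etc/ldap/google-ldap-client.key"   # constructed placeholder

LDAP_URI = "ldaps://ldap.google.com:636"
USER_BASE = "ou=Users,dc=example,dc=com"           # same base as the post


def connection_options(cert_file, key_file):
    """Return (python-ldap option name, value) pairs that make the TLS
    handshake present a client certificate.  Order matters: libldap
    only builds a TLS context from the cert/key settings when
    OPT_X_TLS_NEWCTX is set afterwards, so it must be the last entry."""
    return [
        ("OPT_X_TLS_CERTFILE", cert_file),
        ("OPT_X_TLS_KEYFILE", key_file),
        ("OPT_X_TLS_NEWCTX", 0),
    ]


def awx_connection_options_json(cert_file, key_file):
    """The same options as the JSON object AWX's 'LDAP Connection Options'
    setting (AUTH_LDAP_CONNECTION_OPTIONS) takes.  Assumption: AWX keeps
    the dict order and maps each name with getattr(ldap, name).  The two
    leading entries are AWX's defaults."""
    opts = {"OPT_REFERRALS": 0, "OPT_NETWORK_TIMEOUT": 30}
    opts.update(connection_options(cert_file, key_file))
    return json.dumps(opts, indent=2)


def bind_with_client_cert(uri, bind_dn, password, cert_file, key_file):
    """Open a connection that presents the client cert, then perform the
    simple bind AWX does with the generated username/password.
    Needs python-ldap and network access; imported lazily so the module
    loads without it."""
    import ldap
    conn = ldap.initialize(uri)
    for name, value in connection_options(cert_file, key_file):
        conn.set_option(getattr(ldap, name), value)
    conn.simple_bind_s(bind_dn, password)
    return conn


def lookup_user(conn, base_dn, username):
    """Equivalent of the post's user search: (uid=<user>) under ou=Users,
    returning the attributes the post maps onto AWX user fields.  The
    username is escaped so it cannot alter the filter."""
    import ldap
    from ldap.filter import escape_filter_chars
    flt = "(uid=%s)" % escape_filter_chars(username)
    return conn.search_s(base_dn, ldap.SCOPE_SUBTREE, flt,
                         ["mail", "givenName", "sn"])


if __name__ == "__main__":
    print(awx_connection_options_json(CLIENT_CERT, CLIENT_KEY))
    c = bind_with_client_cert(LDAP_URI, "cn=TheGeneratedUsername",
                              "TheGeneratedPassword", CLIENT_CERT, CLIENT_KEY)
    for dn, attrs in lookup_user(c, USER_BASE, "firstname.lastname"):
        print(dn, attrs)
```

Whatever path the files live at, the key must be readable only by the account AWX runs as and has to be mounted into every AWX container that performs LDAP binds, since the option values are plain file paths resolved on that host.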