LDAP Settings for Google Secure LDAP

Configuring LDAP Settings to connect via Google Secure LDAP (Google Cloud Identity)

I have difficulties connecting to the Google Secure LDAP using AWX LDAP Settings.

I created an LDAP Client in Google Workspace (Admin).
I have a TLS certificate for authentication.
I also generated what they call access credentials, which is specifically done for systems needing username and password authentication.

I am using AWX 21.12.0 and configured the following:
The real domain is replaced by example.

URL: ldaps://ldap.google.com:636
Bind DN: cn=TheGeneratedUsername
Bind Password: The GeneratedPassword
User DN Template: uid=%(user)s,ou=Users,dc=example,dc=com
Group Type: GroupOfNamesType
Require Group: cn=tech-team,ou=Groups,dc=example,dc=com

User search

[
  "ou=Users,dc=example,dc=com",
  "SCOPE_SUBTREE",
  "(uid=%(user)s)"
]

Group search

[
  "ou=Groups,dc=example,dc=com",
  "SCOPE_SUBTREE",
  "(objectClass=group)"
]

User Attribute Map

{
  "email": "mail",
  "first_name": "givenName",
  "last_name": "sn"
}

User flags

{
  "is_superuser": [
    "cn=tech,ou=Groups,dc=example,dc=com"
  ]
}

Here are the logs I get from the
2023-12-13 10:26:37,012 DEBUG [011083b6c197462aa0f013b660bc66f5] django_auth_ldap Binding as uid=firstname.lastname,ou=Users,dc=example,dc=com
2023-12-13 10:26:37,128 WARNING [011083b6c197462aa0f013b660bc66f5] django_auth_ldap Caught LDAPError while authenticating firstname.lastname: INSUFFICIENT_ACCESS({'msgtype': 97, 'msgid': 1, 'result': 50, 'desc': 'Insufficient access', 'ctrls': , 'info': 'Not authorized to authenticate password'})

The verify user credentials option in Google Workspace is enabled on the whole domain.

I can use ldapsearch in the CLI and it works. But it works using the certificate.

LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -b "dc=example,dc=com" \
 -D "cn=TheGeneratedUsername" -W "(uid=firstname.lastname)"

The LDAP Client is an entry in the System Keychain on macOS with the imported certificate and key (in p12 format).

I am wondering how I could provide the certificate, which seems to be the real means of authentication, as I can’t use ldapsearch without it. The username / password specified, even though they need to be correct if specified, don’t work on their own.

LDAPTLS_CERT and LDAPTLS_KEY can be used to provide the certificate and the key.
But I am unsure how it can be specified to be used by the AWX LDAP client and where I should put these files.

Any help or hint is appreciated.
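
The post mentions a p12 bundle and the LDAPTLS_CERT / LDAPTLS_KEY variables, which expect PEM files. The following is an added example, not part of the original post: it splits a PKCS#12 bundle into a PEM certificate and key with openssl and checks that the two belong together. The output file names and the P12_PASS variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). The output file names and the
# P12_PASS variable are assumptions chosen for illustration.

# split_p12 <bundle.p12> <out_dir>
# Writes <out_dir>/ldap-client.crt and <out_dir>/ldap-client.key (PEM).
# The export passphrase is read from $P12_PASS so it never appears in argv.
split_p12() {
    p12=$1
    out=$2
    mkdir -p "$out" || return 1
    old_umask=$(umask)
    umask 077    # the unencrypted key must not be group/world readable
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
        -out "$out/ldap-client.crt" 2>/dev/null &&
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
        -out "$out/ldap-client.key" 2>/dev/null
    rc=$?
    umask "$old_umask"
    return "$rc"
}

# cert_matches_key <cert.pem> <key.pem>
# Succeeds only if both files parse and carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage with the ldapsearch command from the post (paths are placeholders):
#   export P12_PASS='...'
#   split_p12 ldap-client.p12 ./ldap-pem
#   cert_matches_key ./ldap-pem/ldap-client.crt ./ldap-pem/ldap-client.key
#   LDAPTLS_CERT=./ldap-pem/ldap-client.crt \
#   LDAPTLS_KEY=./ldap-pem/ldap-client.key \
#   ldapsearch -H ldaps://ldap.google.com:636 -b "dc=example,dc=com" \
#     -D "cn=TheGeneratedUsername" -W "(uid=firstname.lastname)"
```

If OpenSSL 3.x refuses a bundle that was encrypted with older algorithms, adding `-legacy` to both `pkcs12` calls lets it read the file.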