New LDAP error in AWX 3.0.1

Hi All,

After building the images for AWX 3.0.1 I am seeing a new LDAP error.

2019-02-13 14:54:15,180 WARNING django_auth_ldap Caught LDAPError while authenticating : SERVER_DOWN({'desc': "Can't contact LDAP server", 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)'},)

I have been using the same LDAP config and root_ca.pem file since AWX 1.0.6. But with the 3.0.1 release it's not working anymore.

Has anyone seen or run into this before? Googling the error message and trying the suggested fixes has not worked. I have also checked the AWX code base for any LDAP settings but have not seen any that caught my eye.

This is probably just a user error on my end due to my lack of LDAP workings but any help would be appreciated.

Below are my settings in the api/v2/settings/ldap section.

{
"AUTH_LDAP_SERVER_URI": "ldaps://<ldap_server>:636",
"AUTH_LDAP_BIND_DN": "CN=user,OU=ServiceAccounts,OU=CorpUsers,DC=winroot,DC=,DC=com",
"AUTH_LDAP_BIND_PASSWORD": "$encrypted$",
"AUTH_LDAP_START_TLS": false,
"AUTH_LDAP_CONNECTION_OPTIONS": {
"OPT_NETWORK_TIMEOUT": 30,
"OPT_REFERRALS": 0,
"OPT_X_TLS_NEWCTX": 0,
"OPT_X_TLS_CACERTFILE": "/var/lib/awx/Root_CA.pem"
},
"AUTH_LDAP_USER_SEARCH": [
"DC=WINROOT,DC=,DC=com",
"SCOPE_SUBTREE",
"(sAMAccountName=%(user)s)"
],
"AUTH_LDAP_USER_DN_TEMPLATE": null,
"AUTH_LDAP_USER_ATTR_MAP": {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
},
"AUTH_LDAP_GROUP_SEARCH": [
"DC=WINROOT,DC=,DC=com",
"SCOPE_SUBTREE",
"(objectClass=group)"
],
"AUTH_LDAP_GROUP_TYPE": "ActiveDirectoryGroupType",
"AUTH_LDAP_GROUP_TYPE_PARAMS": {},
"AUTH_LDAP_REQUIRE_GROUP": null,
"AUTH_LDAP_DENY_GROUP": null,
"AUTH_LDAP_USER_FLAGS_BY_GROUP": {},
"AUTH_LDAP_ORGANIZATION_MAP": {
"ORG 1": {
"admins": "cn=<admin_group>,ou=autogroups,OU=CorpGroups,dc=winroot,dc=,dc=com",
"remove_admins": true
}
},
"AUTH_LDAP_TEAM_MAP": {
"TEAM 1": {
"organization": "ORG 1",
"users": "cn=,ou=autogroups,ou=corpgroups,dc=winroot,dc=,dc=com",
"remove": true
}
}
}

Can you login to your awx_web container and check the /var/lib/awx/ path and see if you actually have your certificates there?

I just double checked and I have 2 of the same certs with different names.

/var/lib/awx/Root_CA.pem and /var/lib/awx/ca.crt

The ca.crt one is what I have been using since 1.0.6 and it worked until now.

I created the Root_CA.pem one when I was googling and found the following commands to add the .pem file to the system's trust store.

Below are the commands I added to my Dockerfile.j2 template in the image build role.

ADD Root_CA.pem /etc/pki/ca-trust/source/anchors/Root_CA.pem
RUN update-ca-trust enable && update-ca-trust extract

Here is what I had originally in the Dockerfile before I added the above to try and fix the SSL issue.

ADD ca.crt /var/lib/awx/ca.crt

What installation method are you using? If it’s Docker, you have a ca_cert_trust variable you can set in there to the location of the certs on your host machine and it will be mounted in your containers.

I am deploying to a Kubernetes cluster.

So I build the images, push them to a private Docker repo and deploy them to Kubernetes using the kubernetes role in the installer directory.

Does ldapsearch work from the shell inside awx_web container?
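An added, standard-library-only check (not AWX or django-auth-ldap code) for running from a shell inside the awx_web container, which separates the two causes behind the "unable to get local issuer certificate" error in this thread: the CA file from OPT_X_TLS_CACERTFILE not actually being present or parseable in the container, versus the file being present but not matching the chain the LDAPS server sends. The host placeholder <ldap_server> and the path /var/lib/awx/Root_CA.pem are taken from the settings above.

```python
"""Diagnose an LDAPS trust failure from inside the awx_web container.
Added example: it mirrors the trust anchor that OPT_X_TLS_CACERTFILE gives
python-ldap, but uses only Python's ssl module so it runs anywhere."""
import os
import socket
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def diagnose_ca_file(path):
    """Return a short diagnosis of the CA bundle at `path`."""
    if not os.path.isfile(path):
        return "not found"  # e.g. not copied/mounted into the container
    with open(path, "rb") as fh:
        data = fh.read()
    n_certs = data.decode("ascii", "replace").count(PEM_BEGIN)
    if n_certs == 0:
        return "no CERTIFICATE blocks (DER-encoded or wrong file?)"
    try:
        ssl.create_default_context(cafile=path)  # rejects malformed PEM
    except ssl.SSLError as exc:
        return "unparseable: %s" % exc
    return "ok: %d certificate(s)" % n_certs


def verify_ldaps(host, port, cafile):
    """TLS handshake with the LDAPS server, trusting only `cafile`.

    Returns "verified", or OpenSSL's verify message; "unable to get local
    issuer certificate" means the server's chain is not signed by anything
    in `cafile` (or the server omits an intermediate that the file lacks)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # hostname + cert checks on
    ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=30) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "verified"
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return "connection failed: %s" % exc


if __name__ == "__main__":
    # Values from the settings posted in the thread; <ldap_server> is a placeholder.
    cafile = "/var/lib/awx/Root_CA.pem"
    print(diagnose_ca_file(cafile))
    print(verify_ldaps("<ldap_server>", 636, cafile))
```

If diagnose_ca_file reports ok but verify_ldaps still returns the verify error, the same file would not satisfy ldapsearch either, and the chain served on port 636 is what needs comparing against the CA file.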