Question on Configuring multiple ldap user search using awx.awx.tower_settings

Hello Team,

I have an Ansible playbook that uses the module awx.awx.tower_settings to do AUTH_LDAP_USER_SEARCH. I’m trying to configure two ldap_user_search entries,
something like this: OU=employees,OU=users,OU=,DC=,DC=,DC=com and
OU=employees,OU=users,OU=,DC=,DC=comcast,DC=com, but it’s not accepting the settings. Is it possible to add multiple user searches?

Thanks,
Rakesh Boinapally

In the help bubble for user search it says: “If multiple search queries need to be supported use of “LDAPUnion” is possible. See the documentation for details”.
The docs being referred to are located at https://docs.ansible.com/automation-controller/latest/html/administration/ldap_auth.html
If you search for LDAP USER SEARCH on that page and then scroll down a tad there is a note that says:
For multiple search queries, the proper syntax is:
[
  [
    "OU=Users,DC=northamerica,DC=acme,DC=com",
    "SCOPE_SUBTREE",
    "(sAMAccountName=%(user)s)"
  ],
  [
    "OU=Users,DC=apac,DC=corp,DC=com",
    "SCOPE_SUBTREE",
    "(sAMAccountName=%(user)s)"
  ],
  [
    "OU=Users,DC=emea,DC=corp,DC=com",
    "SCOPE_SUBTREE",
    "(sAMAccountName=%(user)s)"
  ]
]

Give that syntax a try and let us know if that works for you.

-John

I’m looking more at how I can add multiple LDAP user searches through the awx.awx.tower_settings Ansible module.
I did try to add it but had issues.

Ah, I usually have a hard time representing arrays of arrays in yml format myself so I tend to use json format like:

  - awx.awx.settings:
      settings:
        AUTH_LDAP_USER_SEARCH: [
          [ "OU=Users,DC=northamerica,DC=acme,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ],
          [ "OU=Users,DC=apac,DC=corp,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ],
          [ "OU=Users,DC=emea,DC=corp,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ]
        ]

Let us know if that works for you.

-John

Tried this; it’s not being accepted, at the syntax level itself.

What is the error you are getting? And what version of Ansible/AWX are you using?

-John

Following is the error that I’m receiving.
ERROR! We were unable to read either as JSON nor YAML, these are the errors we got from each:
JSON: Expecting value: line 1 column 1 (char 0)

Syntax Error while loading YAML.
did not find expected key

The error appears to be in ‘/home/rakeshcomcast/awx-testing/awx-deployer/awx-configure.yml’: line 110, column 10, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

AUTH_LDAP_USER_SEARCH:[
[“OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com”,“SCOPE_SUBTREE”,“(sAMAccountName=%(user)s)”],
^ here

Following is the Ansible version: ansible [core 2.12.6]

Do you have a space between AUTH_LDAP_USER_SEARCH: and the opening square bracket?
If not, that could be the issue.

If so, I am on ansible 2.9 and I don’t have a problem with the OU line you have above. Could you try sending the entire task (masking out anything private)?
Sometimes the line/column number point to the wrong place if the error is syntax related.

-John

Tried that option too. Below is the exact one; still having the same error.

AUTH_LDAP_USER_SEARCH: [
  [ "OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)" ]
  [ "OU=employees,OU=users,OU=india,DC=apac,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)" ]
]

There is a , missing at the end of the first OU line. It should be:

AUTH_LDAP_USER_SEARCH: [
  [ "OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)" ],
  [ "OU=employees,OU=users,OU=india,DC=apac,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)" ]
]

Let me know if that resolves the issue.
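
An added example, not part of the thread or of AWX: a stdlib-only Python pre-flight check for the list-of-triples AUTH_LDAP_USER_SEARCH value shown in the documentation note above, which also reports the missing-comma case just discussed as a JSON parse error with its position. The function names, the accepted scope names and the rule that the filter must contain %(user)s are assumptions of this example.

```python
import json

# Assumption: scope names follow python-ldap's constants, as in the thread's examples.
VALID_SCOPES = {"SCOPE_BASE", "SCOPE_ONELEVEL", "SCOPE_SUBTREE"}
USER_PLACEHOLDER = "%(user)s"

def check_search(entry, where):
    """Return a list of problems for one [base_dn, scope, filter] triple."""
    if not isinstance(entry, list) or len(entry) != 3:
        return [f"{where}: expected [base_dn, scope, filter]"]
    if not all(isinstance(part, str) for part in entry):
        return [f"{where}: all three elements must be strings"]
    base_dn, scope, ldap_filter = entry
    problems = []
    if "=" not in base_dn:
        problems.append(f"{where}: base DN {base_dn!r} has no attribute=value part")
    if scope not in VALID_SCOPES:
        problems.append(f"{where}: unknown scope {scope!r}")
    if USER_PLACEHOLDER not in ldap_filter:
        problems.append(f"{where}: filter lacks {USER_PLACEHOLDER}")
    return problems

def validate_user_search(text):
    """Parse the setting as JSON and check a single search or a list of searches."""
    try:
        value = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (line {exc.lineno}, column {exc.colno}): {exc.msg}"]
    if not isinstance(value, list) or not value:
        return ["expected a non-empty list"]
    # A list of lists is the multi-search form; a flat list is one search.
    searches = value if all(isinstance(item, list) for item in value) else [value]
    problems = []
    for index, entry in enumerate(searches):
        problems += check_search(entry, f"search[{index}]")
    return problems

# Constructed samples using the documentation's example DNs.
GOOD = """[
  ["OU=Users,DC=northamerica,DC=acme,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)"],
  ["OU=Users,DC=apac,DC=corp,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)"]
]"""
MISSING_COMMA = GOOD.replace("],", "]")  # same defect as the snippet above

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("missing comma", MISSING_COMMA)):
        print(name, "->", validate_user_search(sample) or "ok")
```
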

Sorry, somehow I deleted it. Added that , back and still having the same error:
ERROR! We were unable to read either as JSON nor YAML, these are the errors we got from each:
JSON: Expecting value: line 1 column 1 (char 0)

Syntax Error while loading YAML.
did not find expected key

The error appears to be in ‘/home/rakeshcomcast/awx-testing/awx-deployer/awx-configure.yml’: line 110, column 10, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

AUTH_LDAP_USER_SEARCH: [
[“OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com”,“SCOPE_SUBTREE”,“(sAMAccountName=%(user)s)”],
^ here

AUTH_LDAP_USER_SEARCH: [
  ["OU=Users,OU=Corporate,DC=cable,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)"],
  ["OU=employees,OU=users,OU=india,DC=apac,DC=comcast,DC=com","SCOPE_SUBTREE","(sAMAccountName=%(user)s)"]
]

I also saw something like this in the following article: https://django-auth-ldap.readthedocs.io/en/latest/authentication.html

import ldap
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion

AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch("ou=users,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"),
    LDAPSearch("ou=otherusers,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"),
)
Is it possible to use the above syntax in Ansible awx.awx.settings?

That last code snippet is Python and can’t be used directly by the module in an Ansible playbook; the module would have to be altered in order to use something like that.

However, the module seems to be able to already handle this. Here is my sample playbook that works for me: