Questions about the use/debugging of ldap

Hello again!
I'm testing how to set up user login for the AWX web GUI.
I created a user which can read the folder (OU) with ldapsearch, but I can't log in to the web GUI.
I use my own AWX user group to limit access for administration and added my regular user to this group for testing, but I can't log in to the web GUI.
Tried: domain.local\user | domain\user | user@domain.local | user@domain
Do I have to configure something else too?
And how can I see the logs?
I set the logging in the system logging to debug.
I thought probably at Jobs, but there is nothing related to see there.
Do I have to set up a logging server?

Thank you again for your input!!

Try these settings, works for us… Using Microsoft Active Directory as LDAP server…

LDAP Server URI

ldap://100.100.100.100

LDAP Bind DN (user to authenticate with LDAP)

CN=Service Account,OU=Service,OU=Accounts,DC=example,DC=domain,DC=com

LDAP Group Type

MemberDNGroupType

LDAP User Search (where the users live)

[
  "OU=Users,OU=Accounts,DC=example,DC=domain,DC=com",
  "SCOPE_SUBTREE",
  "(sAMAccountName=%(user)s)"
]

LDAP Group Search (where the groups live)

[
  "OU=Accounts,DC=example,DC=domain,DC=com",
  "SCOPE_SUBTREE",
  "(objectClass=group)"
]

LDAP User Attribute Map (use this, maps correctly the LDAP to AWX attrs)

{
  "email": "mail",
  "first_name": "givenName",
  "last_name": "sn"
}

LDAP Group Type Parameters (dunno, it works)

{
  "member_attr": "member",
  "name_attr": "cn"
}

LDAP User Flags By Group

{
  "is_superuser": [
    "CN=AWX Admins,OU=Accounts,DC=example,DC=domain,DC=com"
  ]
}

LDAP Organization Map (anyone in this group will be part of “Engineering” team in AWX )

{
  "Engineering": {
    "admins": "CN=AWX Admins,OU=Accounts,DC=example,DC=domain,DC=com",
    "remove_admins": false,
    "remove_users": false,
    "users": true
  }
}

LDAP Team Map

{}

Oh and then finally,

Login with the username…

not email, not @example.domain.local

just their User logon name, ie “bob”
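The "login with the username, not the email" point follows directly from the LDAP User Search filter above: `(sAMAccountName=%(user)s)` is filled in with whatever is typed in the login box, so `bob@example.domain.com` or `EXAMPLE\bob` is searched for literally and matches nothing. The following is an added example, not code from this thread or from AWX/django-auth-ldap: an offline checker that validates the three-element User Search setting, renders the filter with RFC 4515 escaping (as django-auth-ldap does for `%(user)s`), looks the user up in a constructed in-memory directory, and applies the LDAP User Flags By Group map with case-insensitive DN comparison. The directory entries, the minimal equality-only filter evaluator and the `login_attempt` helper are assumptions made for the example.

```python
import json
import re

# Constructed sample input: the AWX settings posted above, as AWX stores them.
LDAP_USER_SEARCH = [
    "OU=Users,OU=Accounts,DC=example,DC=domain,DC=com",
    "SCOPE_SUBTREE",
    "(sAMAccountName=%(user)s)",
]
LDAP_USER_FLAGS_BY_GROUP = {
    "is_superuser": ["CN=AWX Admins,OU=Accounts,DC=example,DC=domain,DC=com"],
}

# Constructed sample directory (not real entries): what the user search would return.
# Bob's memberOf is deliberately lower-cased to show that DNs must be compared
# case-insensitively, not as raw strings.
DIRECTORY = [
    {"dn": "CN=Bob Smith,OU=Users,OU=Accounts,DC=example,DC=domain,DC=com",
     "sAMAccountName": "bob",
     "memberOf": ["cn=awx admins,ou=accounts,dc=example,dc=domain,dc=com"]},
    {"dn": "CN=Alice Jones,OU=Users,OU=Accounts,DC=example,DC=domain,DC=com",
     "sAMAccountName": "alice",
     "memberOf": []},
]

VALID_SCOPES = {"SCOPE_BASE", "SCOPE_ONELEVEL", "SCOPE_SUBTREE"}
# RFC 4515: characters that would change the meaning of a filter if left raw.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into a search filter.
    django-auth-ldap applies this rule to %(user)s; it is reproduced here so the
    effect of typing 'EXAMPLE\\bob' or '*' in the login box is visible."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(user_search, login_name: str) -> str:
    """Validate the [base_dn, scope, filter] LDAP User Search setting and fill it in."""
    if len(user_search) != 3:
        raise ValueError("LDAP User Search must be [base_dn, scope, filter]")
    base_dn, scope, template = user_search
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    if "%(user)s" not in template:
        raise ValueError("filter template must contain %(user)s")
    return template % {"user": escape_filter_value(login_name)}


_EQUALITY = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 escaping (\\XX hex pairs) for comparison with stored values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def find_user(directory, rendered_filter: str):
    """Evaluate a single-attribute equality filter against the constructed directory.
    This is enough for the sAMAccountName filter above; it is not a full LDAP filter
    parser. AD compares attribute values case-insensitively, so values are folded."""
    m = _EQUALITY.match(rendered_filter)
    if not m:
        raise ValueError(f"unsupported filter {rendered_filter!r}")
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    matches = [e for e in directory if str(e.get(attr, "")).casefold() == wanted.casefold()]
    # django-auth-ldap requires exactly one result; zero or several means no login.
    return matches[0] if len(matches) == 1 else None


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive form for comparing DNs from different sources."""
    return ",".join(part.strip().casefold() for part in dn.split(","))


def flags_for(entry, flags_by_group) -> dict:
    """Apply LDAP User Flags By Group to one user's group memberships."""
    member_of = {normalize_dn(g) for g in entry.get("memberOf", [])}
    return {flag: any(normalize_dn(g) in member_of for g in groups)
            for flag, groups in flags_by_group.items()}


def login_attempt(login_name: str) -> dict:
    """What this constructed setup resolves for one entry in the login box."""
    rendered = render_user_filter(LDAP_USER_SEARCH, login_name)
    entry = find_user(DIRECTORY, rendered)
    return {"filter": rendered, "found": entry is not None,
            "flags": flags_for(entry, LDAP_USER_FLAGS_BY_GROUP) if entry else {}}


if __name__ == "__main__":
    for name in ["bob", "bob@example.domain.com", "EXAMPLE\\bob", "alice", "*"]:
        print(json.dumps(login_attempt(name)))
```

Running it shows that only the bare logon name `bob` is found and gets `is_superuser` through the AWX Admins group, while the UPN and `DOMAIN\user` forms render to a filter that matches no entry; the `*` case shows that escaping turns a would-be wildcard into a literal, which is why the search cannot be widened from the login box. To accept UPN logins instead, the filter template itself would have to change (for example to match `userPrincipalName`), not the way users type their name.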


Only the username was the first thing I tried - the only difference was that I had this User DN Template as well - I deleted it.
And added the group filter.
Is the login then possible without further configs?

No further config is needed, at least in our environment…

Making sure the LDAP server is accessible from the AWX machine

Yeah Thank you!


The chatbot lured me to the error again - I get the feeling I should stop using it, read the manual and rather ask here.
Would be quicker, I think.

