User management

Hello all, I have some questions about user management and external authentication (I have already integrated with Azure AD):

  • Is there any way to disable user auto-creation for external authentication? For example, only allow users to log in if they already exist in the database.
  • How can I create users without a password? Related to the previous question: create the user before their first login using external authentication, but without a password, as it is not needed.

Thanks!

I'm not sure why you would want users without passwords. From a security perspective this is not recommended. What you can do is use SSH keys instead.
Apart from that, you can create users, organizations and teams using LDAP. I have done this and tested it. The users in AWX are created when the authorized groups/users from the LDAP configuration log in for the first time. You can also control the deletion there; I have not tested that though.

  1. Not sure what you mean by disabling user auto-creation. I've integrated my AWX with AD, and if the user is not in LDAP he cannot log in.
  2. You can just set up a temporary password for them; you can't create a user without one (this applies only to local users; external ones are pulled from whatever you use as a source).

To touch on #2, just create the account locally on AWX and make sure the user ID in AWX matches whatever user ID is coming over from AD (in my case I am using SAML, and I am using the email address as the UID). Just create a random password locally. When they log in via AD, they will be using the AD password.

Thanks all for your tips.

By auto-creation I mean, for example, using Azure AD: if the user exists in Azure AD, he can log in to Tower; the account in Tower is auto-created the first time the user logs in, because he is a valid Azure AD user. What I want is to allow access only to users that already exist in Tower, regardless of whether they exist in Azure AD.

The question about users without passwords. My idea is not to allow users to access Tower without passwords. The idea is to create the initial user without setting a password, so that he can access Tower using his Azure AD account. Because of the previous question, if the user doesn't exist in Tower, I don't want him to have access. I know I can create the user with a temporary password, but this could be a security issue, because even after the user is linked to his Azure account by an Azure AD login, that password remains valid. So the user could access Tower using Azure AD AND his username/password (I have already tested this); this is what I don't want, because it implies managing two passwords and two enabled/disabled states per user.

I hope my question is clearer now. Thanks!

I get what you are saying about the double password, but why not just set it to some crazy long string of random characters?

Also, if they get into AWX via AD and they do not have an account already on said AWX, then depending on how you set up your AWX LDAP configs, they have access to nothing and can see nothing. This is how I typically handle it: I tell someone who needs access to AWX to log in with AD or SAML, and once they do so, I provision the correct access.

The way our external auth integrations work (for LDAP etc.) is somewhat beyond our control. Passwordless users or pre-creating users for association with auth accounts isn't currently supported.

I also want to have such a feature in AWX.
The LDAP / AD / SAML server contains all accounts of the whole company, but I just want to allow selected IT department users to log in to AWX.

I would rather like the method GitLab uses (https://docs.gitlab.com/ee/integration/omniauth.html - setting gitlab_rails['omniauth_block_auto_created_users'] = true): auto-created users are blocked by default and have to be unblocked by an administrator before they are able to sign in.

By the way, is there any roadmap to support OpenID?

Rgds,
Gripen

On Thursday, 24 January 2019 at 19:08:25 UTC+8, Juan A. S. wrote:

You can allow only specific groups through LDAP. There are specific examples in the Tower documentation for that. This is one of the basic requirements when using external authentication methods like LDAP/Azure AD/SAML.

You can also just specify specific OUs within your directory if you wanted to. Just enter something like this under the LDAP USER SEARCH field:

  [
    [
      "OU=users,OU=Finance Dept,DC=company,DC=local",
      "SCOPE_SUBTREE",
      "(sAMAccountName=%(user)s)"
    ]
  ]

This assumes your directory is quasi-organized though...

John M. Foley

IT Specialist

OCIO/ITSO

jfol@loc.gov

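As an added example (not from the thread, and not from the AWX project's own documentation), here is what a restricted AWX LDAP configuration looks like as read from or written to the /api/v2/settings/ldap/ endpoint. It combines the two controls discussed above: the user search is rooted in a single OU, and AUTH_LDAP_REQUIRE_GROUP additionally requires membership of one directory group, so a valid AD account outside that OU or group is refused at login instead of getting an AWX user auto-created for it. AUTH_LDAP_DENY_GROUP gives an explicit blocklist that wins over the allow group. All hostnames, DNs and group names here are assumptions for illustration.

```json
{
  "AUTH_LDAP_SERVER_URI": "ldaps://dc01.company.local:636",
  "AUTH_LDAP_BIND_DN": "CN=awx-bind,OU=Service Accounts,DC=company,DC=local",
  "AUTH_LDAP_BIND_PASSWORD": "REPLACE_ME",
  "AUTH_LDAP_START_TLS": false,
  "AUTH_LDAP_USER_SEARCH": [
    "OU=users,OU=IT Dept,DC=company,DC=local",
    "SCOPE_SUBTREE",
    "(sAMAccountName=%(user)s)"
  ],
  "AUTH_LDAP_USER_ATTR_MAP": {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
  },
  "AUTH_LDAP_GROUP_SEARCH": [
    "OU=groups,OU=IT Dept,DC=company,DC=local",
    "SCOPE_SUBTREE",
    "(objectClass=group)"
  ],
  "AUTH_LDAP_GROUP_TYPE": "ActiveDirectoryGroupType",
  "AUTH_LDAP_REQUIRE_GROUP": "CN=awx-users,OU=groups,OU=IT Dept,DC=company,DC=local",
  "AUTH_LDAP_DENY_GROUP": "CN=awx-denied,OU=groups,OU=IT Dept,DC=company,DC=local",
  "AUTH_LDAP_USER_FLAGS_BY_GROUP": {
    "is_superuser": [
      "CN=awx-admins,OU=groups,OU=IT Dept,DC=company,DC=local"
    ]
  }
}
```

The weak variant is the one the thread's original poster is running into: a user search rooted at DC=company,DC=local with AUTH_LDAP_REQUIRE_GROUP left null lets every account in the directory authenticate and create an AWX user on first login. Two checks before relying on the restricted form: the group DN in AUTH_LDAP_REQUIRE_GROUP must fall under the AUTH_LDAP_GROUP_SEARCH base, or membership can never be resolved and everyone is denied; and the bind account in AUTH_LDAP_BIND_DN needs read access to both the user and group subtrees, nothing more, since its password sits in the AWX database.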