Configuring AWX to connect to Active Directory #496

Closed
tech-dad opened this issue Oct 24, 2017 · 10 comments

Comments

@tech-dad

ISSUE TYPE
  • Documentation
COMPONENT NAME
  • UI
SUMMARY

I am attempting to set up LDAP integration with our AD. With the setup there is no feature to allow me to get feedback in regards to errors when querying AD. I am only allowed to save. So far, I have been unsuccessful in configuring this auth mechanism. Do you have additional documentation with steps on setting this up?

ENVIRONMENT
  • AWX version: AWX 1.0.1.93
  • AWX install method: docker on linux
  • Ansible version: 2.4.0.0
  • Operating System: CentOS Linux release 7.2.1511
  • Web Browser: Chrome
STEPS TO REPRODUCE

Log into AWX, Settings, Authentication, LDAP

EXPECTED RESULTS

Connection to Active Directory

ACTUAL RESULTS
ADDITIONAL INFORMATION
@tech-dad
Author

Are there plans in future releases to have a test button either on the page or test upon save?

@cchurch
Contributor

cchurch commented Oct 24, 2017

@zs-jaggaer The test on save feature has been discussed, but I don't see a specific issue for it (yet). May be included as part of #306?

To turn on additional logging for LDAP, look at http://docs.ansible.com/ansible-tower/latest/html/administration/ldap_auth.html#enabling-logging-for-ldap -- you can add this setting in any .py settings file; ldap.py may not exist on new installations.

@dandandanp

I use the following for AD; ignore the OU examples, they're a bit janky:

Sub Category:
LDAP

LDAP Server URI:
ldap://<server.fqdn>:389

eg: ldap://dc1.microsoft.com:389

LDAP Bind DN:
CN=<account name>,OU=<ou name>,DC=<domain name>,DC=<top level domain>

eg: CN=awx_service_account,OU=service accounts,DC=microsoft,DC=com

LDAP Bind Password
********************

eg: Password01

LDAP User DN Template:
blank

LDAP Group Type:
MemberDNGroupType

LDAP Require Group:
CN=<awx user group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>

eg: CN=awx_user_group,OU=administration groups,DC=microsoft,DC=com

LDAP Deny Group:
blank

LDAP Start TLS:
Off

LDAP User Search

[
 "DC=<domain name>,DC=<top level domain>",
 "SCOPE_SUBTREE",
 "(sAMAccountName=%(user)s)"
]

eg:

[
"DC=microsoft,DC=com",
"SCOPE_SUBTREE",
"(sAMAccountName=%(user)s)"
]

LDAP Group Search

[
 "OU=<ou name>,DC=<domain name>,DC=<top level domain>",
 "SCOPE_SUBTREE",
 "(objectClass=group)"
]

eg:

[
"OU=administration groups,DC=microsoft,DC=com",
"SCOPE_SUBTREE",
"(objectClass=group)"
]

LDAP User Attribute Map

{
 "first_name": "givenName",
 "last_name": "sn",
 "email": "mail"
}

LDAP User Flags by Group

{
 "is_superuser": "cn=<super users group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>"
}

eg:

{
"is_superuser": "cn=awx_super_users,OU=administration groups,DC=microsoft,DC=com"
}

LDAP Organization Map

{
 "<Organisation name in AWX>": {
  "users": true,
  "admins": "OU=<org admins ou name>,OU=<ou name>,DC=<domain name>,DC=<top level domain>",
  "remove_admins": false,
  "remove_users": false
 }
}

eg:

{
"Microsoft": {
 "users": true,
 "admins": "OU=devops team,OU=administration groups,DC=microsoft,DC=com",
 "remove_admins": false,
 "remove_users": false
}
}

LDAP Team Map

{
 "<team name 1>": {
  "organization": "<team name 1>",
  "users": "CN=<team group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>",
  "remove": true
 },
 "<team name 2>": {
  "organization": "<team name 2>",
  "users": "CN=<team group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>",
  "remove": true
 }
}

eg:

{
"DevOps": {
 "organization": "DevOps",
 "users": "CN=ops team,OU=administration groups,DC=microsoft,DC=com",
 "remove": true
},
"Developers": {
 "organization": "Developers",
 "users": "CN=dev team,OU=administration groups,DC=microsoft,DC=com",
 "remove": true
}
}
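The thread's complaint is that the AWX form only offers "save", with no way to test the values first. As an added example (not code from the AWX project or from any commenter), the Python script below runs offline sanity checks over the settings shown in the comment above, using the commenter's placeholder values (dc1.microsoft.com, DC=microsoft,DC=com and so on are constructed, not real hosts): it parses the DNs, confirms that the bind DN, require-group DN and superuser group sit under the search bases they must be found in, validates the [base, scope, filter] shape of the two searches, flags a blank require group and a plain ldap:// URI without Start TLS, and renders the exact user-search filter that would be sent for a given login name with RFC 4515 escaping applied to the %(user)s placeholder. The group type names are the class names defined by django-auth-ldap, which AWX's LDAP backend builds on; the check logic itself is this example's own and is not how AWX validates settings.

```python
"""Offline sanity checks for an AWX LDAP configuration before saving it (example code)."""
import re
from typing import Any, Dict, List, Tuple

# Constructed settings copied from the example values in the comment above
# (dc1.microsoft.com, DC=microsoft,DC=com etc. are the commenter's placeholders).
LDAP_SETTINGS: Dict[str, Any] = {
    "server_uri": "ldap://dc1.microsoft.com:389",
    "bind_dn": "CN=awx_service_account,OU=service accounts,DC=microsoft,DC=com",
    "start_tls": False,
    "group_type": "MemberDNGroupType",
    "require_group": "CN=awx_user_group,OU=administration groups,DC=microsoft,DC=com",
    "user_search": ["DC=microsoft,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)"],
    "group_search": ["OU=administration groups,DC=microsoft,DC=com", "SCOPE_SUBTREE", "(objectClass=group)"],
    "user_flags_by_group": {
        "is_superuser": "cn=awx_super_users,OU=administration groups,DC=microsoft,DC=com",
    },
}

VALID_SCOPES = {"SCOPE_BASE", "SCOPE_ONELEVEL", "SCOPE_SUBTREE"}
# Group type class names defined by django-auth-ldap (the library behind AWX's LDAP backend).
KNOWN_GROUP_TYPES = {
    "PosixGroupType", "MemberDNGroupType", "NestedMemberDNGroupType",
    "GroupOfNamesType", "NestedGroupOfNamesType",
    "GroupOfUniqueNamesType", "NestedGroupOfUniqueNamesType",
    "ActiveDirectoryGroupType", "NestedActiveDirectoryGroupType",
    "OrganizationalRoleGroupType", "NestedOrganizationalRoleGroupType",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, lower-cased because AD compares DNs
    case-insensitively. A comma escaped with a backslash stays inside the value."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_under_base(dn: str, base: str) -> bool:
    """True when `dn` is at or below `base` in the directory tree (RDN suffix match)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def escape_filter_chars(value: str) -> str:
    """RFC 4515 escaping of the characters that carry meaning inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def render_user_filter(settings: Dict[str, Any], username: str) -> str:
    """The filter the user search would send for `username`: the %(user)s placeholder is
    filled with the escaped login name, so filter metacharacters in the name stay literal."""
    return settings["user_search"][2] % {"user": escape_filter_chars(username)}


def check_settings(settings: Dict[str, Any]) -> List[str]:
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if str(settings["server_uri"]).startswith("ldap://") and not settings.get("start_tls"):
        findings.append("WARN: plain ldap:// without Start TLS sends the bind password in cleartext")
    if settings["group_type"] not in KNOWN_GROUP_TYPES:
        findings.append(f"ERROR: unknown LDAP Group Type {settings['group_type']!r}")
    searches_ok = True
    for name in ("user_search", "group_search"):
        search = settings[name]
        if not (isinstance(search, list) and len(search) == 3):
            findings.append(f"ERROR: {name} must be [base DN, scope, filter]")
            searches_ok = False
            continue
        base, scope, filt = search
        try:
            parse_dn(base)
        except ValueError as exc:
            findings.append(f"ERROR: {name} base: {exc}")
            searches_ok = False
        if scope not in VALID_SCOPES:
            findings.append(f"ERROR: {name} scope {scope!r} is not one of {sorted(VALID_SCOPES)}")
        if filt.count("(") != filt.count(")"):
            findings.append(f"ERROR: {name} filter {filt!r} has unbalanced parentheses")
    if not searches_ok:
        return findings
    user_base, _, user_filter = settings["user_search"]
    if "%(user)s" not in user_filter:
        findings.append("ERROR: user search filter has no %(user)s placeholder, so no login can match")
    for label in ("bind_dn", "require_group"):
        dn = settings.get(label) or ""
        if not dn:
            findings.append(f"WARN: {label} is blank")
        elif not dn_under_base(dn, user_base):
            findings.append(f"WARN: {label} {dn!r} is outside the user search base {user_base!r}")
    group_base = settings["group_search"][0]
    for flag, dn in settings.get("user_flags_by_group", {}).items():
        if not dn_under_base(dn, group_base):
            findings.append(f"ERROR: {flag} group {dn!r} is outside the group search base, so it can never match")
    return findings


if __name__ == "__main__":
    for line in check_settings(LDAP_SETTINGS):
        print(line)
    print(render_user_filter(LDAP_SETTINGS, "jdoe"))
```

Run as-is it prints only the cleartext warning for the values above, since the comment's example uses ldap:// on port 389 with Start TLS off; pointing the URI at ldaps:// or turning Start TLS on clears it. Feeding a name such as `*)(objectClass=*` to `render_user_filter` shows why the escaping matters: the metacharacters come out as `\2a\29\28`, so the login name cannot rewrite the filter.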

@huihuiyang

The "save" button is grey even after I have filled in all the fields. Has anyone encountered the same situation?

@dandandanp

What version of AWX have you deployed?
Early versions had the LDAP authentication disabled.
8c2b990

@tech-dad
Author

I am running the latest version of AWX. I will try the setup above. Thanks everyone for the feedback.

@iostat42

@zs-jaggaer I was able to set up LDAP authentication using the setup provided above.

At first I kept getting a "failed to map the username to a DN" error, and the logs would show that zero objects were returned.

I had not set LDAP Require Group thinking it was not needed. Once I set that along with the other settings everything worked perfectly.

Thank you @dandandanp !

@matburt
Member

matburt commented Nov 7, 2017

Looks like we're in good shape? I'm going to close this one... let us know if there's more needed.

@matburt matburt closed this as completed Nov 7, 2017
matburt pushed a commit to matburt/awx that referenced this issue Nov 16, 2017
fix a bug when Tower is integrated with ipsilon SAML server
@inawaz123

@dandandanp If I don't have a service account and want to use it for all users, what is the best way to do this? Can you reply?

@Win32Sector

When you use Active Directory, you can try the LDAP Group Type "ActiveDirectoryGroupType".

In my case, MemberDNGroupType doesn't work.
