LDAP auth fails

[AdrianDutu]

ISSUE TYPE

• Bug Report

SUMMARY

After upgrading from 6.1.0 to 9.0.1 the LDAP auth fails with the following error:

10.244.0.0 - - [14/Nov/2019:14:01:39 +0000] "GET /" 400 3887 "-" "-" "-"
2019-11-14 14:01:39,835 WARNING django_auth_ldap Caught LDAPError while authenticating a.addu01: SERVER_DOWN({'desc': "Can't contact LDAP server", 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)
2019-11-14 14:01:39,843 WARNING awx.api.generics Login failed for user a.addu01 from 10.244.2.1
2019-11-14 14:01:39,853 WARNING django.request Unauthorized: /api/login/
2019-11-14 14:01:39,853 WARNING django.request Unauthorized: /api/login/

The same certificates I was using before are installed in /etc/pki/ca-trust/source/anchors.
I am using the same LDAP config as before:

server uri: ldaps://xxxxxx.com:636
ldap bind dn: CN=s.a.xxx,OU=users,DC=bwin,DC=adam
ldap bind password: *****
ldap group type: MemberDNGroupType
ldap require group: CN=prod.awx.access,OU=groups,DC=bwin,DC=adam
ldap user search:
[
"DC=bwin,DC=adam",
"SCOPE_SUBTREE",
"(sAMAccountName=%(user)s)"
]
ldap group search:
[
"DC=bwin,DC=adam",
"SCOPE_SUBTREE",
"(objectClass=group)"
]

ENVIRONMENT

• AWX version: 9.0.1
• AWX install method: kubernetes
• Ansible version: 2.8.5
• Operating System: CentOS7
• Web Browser: Chrome

STEPS TO REPRODUCE

1. Configure LDAP auth with the settings above
2. Install certs on the awx server
3. Try to login with and LDAP user

EXPECTED RESULTS

Login successful.

ACTUAL RESULTS

Certificate validation fails.

ADDITIONAL INFORMATION

[AdrianDutu]

Did anything change regarding the way authentication works?
As mentioned a previous version works and also if I run ldapsearch on the host machine I get back results:

ldapsearch -b "dc=bwin,dc=adam" -D "CN=s.a.awx,OU=users,DC=bwin,DC=adam" -H ldaps://xxx.xxx.com -W '(memberOf=CN=awx.access,OU=groups,DC=bwin,DC=adam)'

If I run the same command in the awx_web container, with debug on, I get:

attempting to connect:
connect success
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS certificate verification: depth: 2, err: 19, subject: /CN=ATVA0WIPKI001-Root, issuer: /CN=ATVA0WIPKI001-Root
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS: can't connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

[AdrianDutu]

I found the issue. The CentOS version changed from 7 to 8. Running update-ca-trust fixed the issue.
@ryanpetrello maybe you can do something to run this in the installer playbook as cert auth will not work by default in awx.