Awx: Add a (periodic?) sync of LDAP user data

Created on 26 Sep 2017 · 7 Comments · Source: ansible/awx

ISSUE TYPE
  • Feature Idea
COMPONENT NAME
  • API
  • UI
SUMMARY

If you are using LDAP to map users/organizations/teams, and want to configure RBAC, you cannot configure RBAC details for a user/org/team unless someone from that user/org/team has logged into AWX.

To solve this, there should be an option to do a one-off or periodic sync of user data from the identity provider into AWX, to create the appropriate structures such that RBAC delegation can be added.

ADDITIONAL INFORMATION
Labels: api, ui, needs_devel, enhancement

All 7 comments

Our customer wants to do this for RADIUS as well.

@saito-hideki How do you propose doing this sync for RADIUS? RADIUS primarily authenticates a single user when they attempt to login, and AFAIK doesn't implement a way to query for all users.

Chatting with @john-westcott-iv and here is a brain dump

  • If we go as far as "sync all users from LDAP to Tower" this could be more than the company wants. Thus, the syncing of ALL users should be a toggle. Other toggles:

    • periodically sync org/team/roles

    • rectify deleted users (if user deleted in LDAP, then delete from Tower)

Hi, if any large organisation wants to provide Tower-as-a-Service in an automated way then an automatic sync to an LDAP would be a big advantage. Is there any method to do this now or could you share how others do this?

How about syncing a specific OU or subtree that could be specified from the Tower UI?

Alas, Redhat responded to me today: "Unfortunately, the only way to create LDAP users inside of Tower is to have them login. There is no workaround for this. We do currently have an RFE open to add a sync of LDAP user data into Tower, but we do not have any timeline on when or if this may be implemented. This can be tracked here: https://github.com/ansible/awx/issues/306"

In short, no update.

I found a user posting somewhere suggesting he could use api/cli to create normal user account with password, then update database with ldap_dn string and delete password (which I tried) - but still haven't found a way to change the user account property "external_account" to be "ldap".


Here's the code that is setting it in the API.

```python
if user.pk and user.profile.ldap_dn and not user.has_usable_password():
    account_type = "ldap"
```

I'm guessing since you've got the ldap_dn, that it's the has_usable_password assertion that's missing. I think appending a "!" in front of the password string in the database will then change that user account property.
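To make that rule concrete, here is an added example (not AWX's code and not the commenter's) that models the account_type decision quoted above together with the Django convention it depends on: set_unusable_password() stores "!" followed by random characters, and has_usable_password() returns False for such values. The User and Profile classes are stand-ins with only the fields the rule reads, the pk/username/DN values are constructed, and the stored hash string is a placeholder; the point is to check the manual workaround (create user, set ldap_dn, replace the password with a "!"-prefixed value) before touching a real database.

```python
# Added example, not AWX project code. Models the account_type rule from the
# AWX API snippet above and Django's unusable-password convention.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import secrets

# Django's convention: set_unusable_password() writes "!" + random characters,
# and has_usable_password() is False for anything starting with "!".
UNUSABLE_PASSWORD_PREFIX = "!"


@dataclass
class Profile:
    # Stand-in for the AWX profile row that carries the LDAP DN (assumed shape).
    ldap_dn: str = ""


@dataclass
class User:
    # Stand-in for django.contrib.auth's User, reduced to the fields the rule reads.
    pk: Optional[int]
    username: str
    password: str = ""  # the stored password-hash field
    profile: Profile = field(default_factory=Profile)

    def has_usable_password(self) -> bool:
        # Only the "!" prefix is modelled. Some Django versions also treat an
        # unrecognised hash format (e.g. an empty string) as unusable; that
        # version-dependent behaviour is deliberately not reproduced here.
        return not self.password.startswith(UNUSABLE_PASSWORD_PREFIX)

    def set_unusable_password(self) -> None:
        # Same shape Django writes, so the row can never authenticate locally.
        self.password = UNUSABLE_PASSWORD_PREFIX + secrets.token_urlsafe(30)


def account_type(user: User) -> Optional[str]:
    """The rule quoted from the AWX API: saved row + ldap_dn + no usable password."""
    if user.pk and user.profile.ldap_dn and not user.has_usable_password():
        return "ldap"
    return None


def provision_ldap_user(pk: int, username: str, ldap_dn: str) -> Tuple[User, List[Tuple[str, Optional[str]]]]:
    """Walk the manual workaround step by step and record what the API would
    report after each step. Returns (user, [(step, account_type), ...])."""
    trace: List[Tuple[str, Optional[str]]] = []
    # 1. Create the account through the API/CLI with a normal password.
    #    The hash below is a constructed placeholder, not a real pbkdf2 digest.
    user = User(pk=pk, username=username,
                password="pbkdf2_sha256$36000$constructedsalt$constructedhash")
    trace.append(("created with password", account_type(user)))
    # 2. Write the LDAP DN into the profile row. Still not "ldap": the
    #    password is usable, so the third condition of the rule fails.
    user.profile.ldap_dn = ldap_dn
    trace.append(("ldap_dn set", account_type(user)))
    # 3. Replace the password with an unusable ("!"-prefixed) value rather
    #    than blanking it. Now all three conditions hold.
    user.set_unusable_password()
    trace.append(("password made unusable", account_type(user)))
    return user, trace


if __name__ == "__main__":
    # Constructed sample DN; no directory is contacted.
    _, steps = provision_ldap_user(42, "alice", "uid=alice,ou=people,dc=example,dc=com")
    for step, kind in steps:
        print(f"{step:<24} -> external_account={kind}")
```

In the real database the equivalent of step 3 is what the comment above describes: writing a "!"-prefixed value into the user's password column, which is exactly what Django's own set_unusable_password() produces, so the row can never be used for a local password login.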
