I am attempting to set up LDAP integration to our AD. With the setup there is no feature to allow me to get feedback in regards to errors when querying AD. I am only allowed to save. So far, I have been unsuccessful in configuring this auth mechanism. Do you have additional documentation with steps on setting this up?
Log into AWX, Settings, Authentication, LDAP
Connection to Active Directory
Are there plans in future releases to have a test button either on the page or test upon save?
@zs-jaggaer The test on save feature has been discussed, but I don't see a specific issue for it (yet). May be included as part of #306?
To turn on additional logging for LDAP, look at http://docs.ansible.com/ansible-tower/latest/html/administration/ldap_auth.html#enabling-logging-for-ldap -- you can add this setting in any .py settings file; ldap.py may not exist on new installations.
I use the following for AD; ignore the OU examples, they're a bit janky:
Sub Category:
LDAP
LDAP Server URI:
ldap://<server.fqdn>:389
eg:
ldap://dc1.microsoft.com:389
LDAP Bind DN:
CN=<account name>,OU=<ou name>,DC=<domain name>,DC=<top level domain>
eg:
CN=awx_service_account,OU=service accounts,DC=microsoft,DC=com
LDAP Bind Password:
********************
eg:
Password01
LDAP User DN Template:
blank
LDAP Group Type:
MemberDNGroupType
LDAP Require Group:
CN=<awx user group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>
eg:
CN=awx_user_group,OU=administration groups,DC=microsoft,DC=com
LDAP Deny Group:
blank
LDAP Start TLS:
Off
LDAP User Search:
[
"DC=<domain name>,DC=<top level domain>",
"SCOPE_SUBTREE",
"(sAMAccountName=%(user)s)"
]
eg:
[ "DC=microsoft,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ]
LDAP Group Search:
[
"OU=<ou name>,DC=<domain name>,DC=<top level domain>",
"SCOPE_SUBTREE",
"(objectClass=group)"
]
eg:
[ "OU=administration groups,DC=microsoft,DC=com", "SCOPE_SUBTREE", "(objectClass=group)" ]
LDAP User Attribute Map:
{
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
LDAP User Flags by Group:
{
"is_superuser": "cn=<super users group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>"
}
eg:
{ "is_superuser": "cn=awx_super_users,OU=administration groups,DC=microsoft,DC=com" }
LDAP Organization Map:
{
"<Organisation name in AWX>": {
"users": true,
"admins": "OU=<org admins ou name>,OU=<ou name>,DC=<domain name>,DC=<top level domain>",
"remove_admins": false,
"remove_users": false
}
}
eg:
{ "Microsoft": { "users": true, "admins": "OU=devops team,OU=administration groups,DC=microsoft,DC=com", "remove_admins": false, "remove_users": false } }
LDAP Team Map:
{
"<team name 1>": {
"organization": "<team name 1>",
"users": "CN=<team group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>",
"remove": true
},
"<team name 2>": {
"organization": "<team name 2>",
"users": "CN=<team group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>",
"remove": true
}
}
eg:
{ "DevOps": { "organization": "DevOps", "users": "CN=ops team,OU=administration groups,DC=microsoft,DC=com", "remove": true }, "Developers": { "organization": "Developers", "users": "CN=dev team,OU=administration groups,DC=microsoft,DC=com", "remove": true } }
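Since AWX gives no feedback on save, here is an offline dry run of the mapping flow these settings drive: user search with the `%(user)s` filter, the MemberDNGroupType check against LDAP Require Group, and the flags map. This is an added example, not AWX code or the commenter's; the in-memory directory, its entries and the function names are constructed for illustration, and the RFC 4515 escaping stands in for what django-auth-ldap applies to the username before searching.

```python
import re

# Settings copied from the AD example above
USER_SEARCH = ["DC=microsoft,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)"]
REQUIRE_GROUP = "CN=awx_user_group,OU=administration groups,DC=microsoft,DC=com"
USER_FLAGS_BY_GROUP = {"is_superuser": "cn=awx_super_users,OU=administration groups,DC=microsoft,DC=com"}

def norm_dn(dn):
    """DNs compare case-insensitively; also drop spaces after RDN separators."""
    return re.sub(r",\s*", ",", dn).lower()

# Constructed sample directory (hypothetical, not a real domain): normalized DN -> attributes
DIRECTORY = {norm_dn(dn): attrs for dn, attrs in {
    "CN=alice,OU=users,DC=microsoft,DC=com": {"samaccountname": "alice", "mail": "alice@example.test"},
    "CN=bob,OU=users,DC=microsoft,DC=com": {"samaccountname": "bob", "mail": "bob@example.test"},
    REQUIRE_GROUP: {"objectclass": "group", "member": ["CN=alice,OU=users,DC=microsoft,DC=com"]},
    USER_FLAGS_BY_GROUP["is_superuser"]: {"objectclass": "group", "member": ["CN=alice,OU=users,DC=microsoft,DC=com"]},
}.items()}

def escape_filter_value(value):
    """RFC 4515 escaping of the value substituted for %(user)s, so a typed name cannot alter the filter."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def search(base, filt):
    """Minimal SCOPE_SUBTREE search supporting one (attr=value) equality filter."""
    m = re.fullmatch(r"\(([\w-]+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, want = m.group(1).lower(), m.group(2)
    # This toy compares literally; a real server decodes \XX sequences first
    return [dn for dn, a in DIRECTORY.items()
            if dn.endswith(norm_dn(base)) and a.get(attr) == want]

def in_group(group_dn, user_dn):
    """MemberDNGroupType: the user's DN must appear in the group's member attribute."""
    members = DIRECTORY.get(norm_dn(group_dn), {}).get("member", [])
    return any(norm_dn(m) == user_dn for m in members)

def map_user(username):
    """Mirror the AWX login steps: search, require group, then flags."""
    base, _scope, template = USER_SEARCH
    hits = search(base, template % {"user": escape_filter_value(username)})
    if len(hits) != 1:  # zero objects returned: the error reported later in this thread
        return {"ok": False, "reason": "failed to map the username to a DN"}
    user_dn = hits[0]
    if not in_group(REQUIRE_GROUP, user_dn):
        return {"ok": False, "reason": "user is not a member of LDAP Require Group"}
    flags = {flag: in_group(g, user_dn) for flag, g in USER_FLAGS_BY_GROUP.items()}
    return {"ok": True, "dn": user_dn, **flags}
```

Swap the constructed DIRECTORY for your own DNs to check that the Require Group and flag-group DNs are spelled the way the directory actually stores them before saving the form.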
The "save" button is grey even though I finished all the fields. Does anyone meet the same situation?
What version of AWX have you deployed?
Early versions had the LDAP authentication disabled.
https://github.com/ansible/awx/commit/8c2b9905d1cefe3fb605e027a4642ed2b8a4da9b
I am running the latest version of AWX. I will try the setup above. Thanks everyone for the feedback
@zs-jaggaer I was able to set up LDAP authentication using the setup provided above.
At first I kept getting a "failed to map the username to a DN" error and the logs would show that zero objects were returned.
I had not set LDAP Require Group thinking it was not needed. Once I set that along with the other settings everything worked perfectly.
Thank you @dandandanp !
Looks like we're in good shape? I'm going to close this one... let us know if there's more needed.
@dandandanp if I don't have a service account and want to use it for all users, what is the best way to do it? Can you reply?
When you use Active Directory, you can try LDAP Group Type "ActiveDirectoryGroupType".
In my case, MemberDNGroupType doesn't work.