When setting ldap user/group search in the ldap authentication settings they are not stored in the postgres database (backend).
settings -> authentication -> sub category -> ldap -> fill in ldap_user_search, fill in ldap_group_search -> save
move away from the page and come back to find it empty
Expected results: settings to remain visible.
Actual results: settings not saved in database (so not visible)
awx=# select * from conf_setting where key like '%LDAP%SEARCH';
id | created | modified | key | value | user_id
----+-------------------------------+-------------------------------+------------------------+-------+---------
5 | 2018-01-23 08:55:32.892839+00 | 2018-01-23 08:55:32.892856+00 | AUTH_LDAP_USER_SEARCH | [] |
8 | 2018-01-23 08:55:32.920838+00 | 2018-01-23 08:55:32.920855+00 | AUTH_LDAP_GROUP_SEARCH | [] |
(2 rows)
Similarly this looks a lot like closed bug #543
As an update and work around, manually adding the settings in the postgres database seems to work.
So I'm about to close my own bug report. I would want to point out that this issue would not have been created if AWX presented me with an error or in some way the documentation would have pointed out that you can't use "LDAP REQUIRE GROUP" with "LDAP_USER_SEARCH" &| "LDAP_GROUP_SEARCH".
I was helped slightly by the presentation here https://www.ansible.com/resources/webinars-training/ldap-authentication-in-red-hat-ansible-tower even though they never proved ldap actually worked.
For completeness, these are the obfuscated settings I have used:
Sub category: ldap
ldap server uri:
ldap://fqdn:389
ldap bind dn:
CN=<user>,OU=<serviceaccount>,DC=some,DC=com
ldap bind password:
******
ldap user dn template:
blank
ldap group type: (copied from video)
GroupOfNamesType
ldap require group: (blank now)
blank
ldap deny group:
blank
ldap start tls:
off
ldap user search: (works now)
[ "DC=some,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ]
ldap group search: (works now)
[ "DC=some,DC=com", "SCOPE_SUBTREE", "(objectClass=groupOfNames)" ]
ldap user attribute map:
{ "first_name": "givenName", "last_name": "sn", "email": "mail" }
ldap user flags by group:
{ "is_superuser": "CN=<your admin group>,OU=whatever,DC=some,DC=com" }
ldap organization map:
{ "yourORG": { "admins": "OU=<your admin group>,OU=whatever,DC=some,DC=com", "remove_users": false, "remove_admins": false, "users": true } }
ldap team map: (we don't really use one)
{ "Linux": { "organization": "yourORG", "users": "CN=<your admins linux group>,OU=whatever,DC=some,DC=com", "remove": false } }
Hope this will help others :)
@Riccardo1976 Can you send me the commands that you used to manually insert it into the DB? I've never worked with Postgres and want to make sure I get it correct. Thanks
@bedcruncher Unfortunately I don't have them and would have to reproduce them. But it is beside the point because checking the details in AWX would then overwrite them again.
The issue was that by selecting the ldap require group you can't/couldn't use ldap user search and ldap group search. So basically you would have to figure out the right settings to use.
I've posted an example of what worked for me at the company I worked for at that time. This communicates with MS AD.
@Riccardo1976 I went back through and methodically verified what I had against yours and I was able to get logged in with my AD creds. So this is working, it just seems very, as you stated before, odd and janky...
For completionist's sake, here are the settings from the Postgres DB server that get added once it successfully accepts your user auth.
AUTH_LDAP_1_START_TLS | true
AUTH_LDAP_SERVER_URI | "ldap://fqdn:389"
AUTH_LDAP_BIND_DN | "CN=Ansible,OU=Service_Accounts,DC=SOMENAME,DC=FINAL PART OF DOMAIN"
AUTH_LDAP_BIND_PASSWORD | "REMOVED"
AUTH_LDAP_START_TLS | false
AUTH_LDAP_USER_SEARCH | ["PATH TO USER OU SEARCH PATH", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)"]
AUTH_LDAP_USER_DN_TEMPLATE |
AUTH_LDAP_USER_ATTR_MAP | {"first_name": "givenName", "last_name": "sn", "email": "mail"}
AUTH_LDAP_GROUP_SEARCH | ["PATH TO GROUP OU SEARCH PATH", "SCOPE_SUBTREE", "(objectClass=group)"]
AUTH_LDAP_GROUP_TYPE | "GroupOfNamesType"
AUTH_LDAP_REQUIRE_GROUP |
AUTH_LDAP_DENY_GROUP |
AUTH_LDAP_USER_FLAGS_BY_GROUP | {"is_superuser": "SUPER USER OU PATH"}
AUTH_LDAP_ORGANIZATION_MAP | {"ORG NAME HERE": {"admins": "SUPER USER PATH", "remove_users": false, "remove_admins": false, "users": true}}
AUTH_LDAP_TEAM_MAP | {}
Confirmed it wouldn't save the config, but following @Riccardo1976's procedure and entering it on a single line rather than indented worked.
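The recurring theme in this thread is that AWX quietly drops an LDAP search value whose shape it does not like, and that a multi-line (indented) value fails where the same JSON on one line saves. The script below is an added example (not AWX project code) that checks the shape of the AUTH_LDAP_USER_SEARCH / AUTH_LDAP_GROUP_SEARCH values before they are pasted into the UI, re-serialises them onto a single line, and raises two defender-side caveats visible in the settings above: a plain ldap:// URI with start TLS off sends the bind password and user credentials in clear, and a filled-in user DN template takes precedence over the user search. The sample settings are constructed from the obfuscated values in the thread; the scope names and the "3-element list" rule are the ones AWX documents for these settings, everything else is this example's own checking.

```python
"""Structural checks for AWX AUTH_LDAP_* settings before they go into the UI
(or into conf_setting by hand). Added example, not AWX code."""
import json
import re

# Scope names AWX accepts in the second position of a search list.
VALID_SCOPES = {"SCOPE_BASE", "SCOPE_ONELEVEL", "SCOPE_SUBTREE"}

# Loose DN grammar: comma-separated attr=value pairs; values may contain
# spaces ("OU=Service Accounts") but not an unescaped comma.
DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=[^,]+(?:\s*,\s*[A-Za-z][\w-]*=[^,]+)*\s*$")


def parse_search(raw, kind):
    """Parse one search value exactly as typed into the UI.

    kind is "user" or "group". Returns {"base_dn", "scope", "filter"} or
    raises ValueError saying why AWX would reject (or silently drop) it.
    """
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{kind} search is not valid JSON: {exc.msg}") from None
    if not (isinstance(value, list) and len(value) == 3
            and all(isinstance(v, str) for v in value)):
        raise ValueError(f"{kind} search must be a JSON list of 3 strings: "
                         "[base_dn, scope, filter]")
    base_dn, scope, ldap_filter = value
    if not DN_RE.match(base_dn):
        raise ValueError(f"{kind} search base DN does not look like a DN: {base_dn!r}")
    if scope not in VALID_SCOPES:
        raise ValueError(f"{kind} search scope {scope!r} not in {sorted(VALID_SCOPES)}")
    if not ldap_filter.startswith("(") or ldap_filter.count("(") != ldap_filter.count(")"):
        raise ValueError(f"{kind} search filter is not a balanced LDAP filter: {ldap_filter!r}")
    if kind == "user" and "%(user)s" not in ldap_filter:
        # Without the placeholder every login would search for the same literal user.
        raise ValueError("user search filter must contain the %(user)s placeholder")
    return {"base_dn": base_dn, "scope": scope, "filter": ldap_filter}


def search_error(raw, kind):
    """Return the ValueError message for a search value, or None if it parses."""
    try:
        parse_search(raw, kind)
    except ValueError as exc:
        return str(exc)
    return None


def to_single_line(raw):
    """Re-serialise a JSON value with no newlines or indentation (what saved here)."""
    return json.dumps(json.loads(raw), separators=(", ", ": "))


def check_settings(settings):
    """Return a list of warnings for a dict of AUTH_LDAP_* key -> raw string value."""
    warnings = []
    for key, kind in (("AUTH_LDAP_USER_SEARCH", "user"), ("AUTH_LDAP_GROUP_SEARCH", "group")):
        raw = settings.get(key, "")
        if not raw.strip():
            continue
        err = search_error(raw, kind)
        if err:
            warnings.append(f"{key}: {err}")
        if "\n" in raw:
            warnings.append(f"{key} is multi-line; paste it as one line: {to_single_line(raw)}")
    uri = settings.get("AUTH_LDAP_SERVER_URI", "").strip()
    start_tls = settings.get("AUTH_LDAP_START_TLS", "false").strip().lower() == "true"
    if uri.startswith("ldap://") and not start_tls:
        warnings.append("AUTH_LDAP_SERVER_URI is plain ldap:// with START_TLS off: the bind "
                        "password and every user's credentials cross the network in clear")
    if (settings.get("AUTH_LDAP_USER_DN_TEMPLATE", "").strip()
            and settings.get("AUTH_LDAP_USER_SEARCH", "").strip()):
        warnings.append("AUTH_LDAP_USER_DN_TEMPLATE and AUTH_LDAP_USER_SEARCH are both set; "
                        "the template takes precedence and the search is ignored")
    return warnings


# Constructed sample mirroring the obfuscated values posted in the thread.
SAMPLE_SETTINGS = {
    "AUTH_LDAP_SERVER_URI": "ldap://fqdn:389",
    "AUTH_LDAP_BIND_DN": "CN=<user>,OU=<serviceaccount>,DC=some,DC=com",
    "AUTH_LDAP_START_TLS": "false",
    "AUTH_LDAP_USER_DN_TEMPLATE": "",
    "AUTH_LDAP_USER_SEARCH": '[ "DC=some,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ]',
    "AUTH_LDAP_GROUP_SEARCH": '[ "DC=some,DC=com", "SCOPE_SUBTREE", "(objectClass=groupOfNames)" ]',
    "AUTH_LDAP_GROUP_TYPE": "GroupOfNamesType",
}

if __name__ == "__main__":
    for line in check_settings(SAMPLE_SETTINGS):
        print("WARNING:", line)
```

Run it against your own values before saving: a search that comes back with an error here is one AWX would have shown as an empty field after you navigated away.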