Awx: LDAP auth integration with self-signed certs broken in 6.0.0

Created on 4 Jul 2019  ·  5 Comments  ·  Source: ansible/awx

ISSUE TYPE
  • Bug Report

SUMMARY

LDAP authentication against an LDAP server with a self-signed certificate no longer works. It works if I comment out new code introduced in https://github.com/ansible/awx/commit/11b36982cd83b5571e3376d85af64d57f52d68c0

ENVIRONMENT
  • AWX version: 6.0.0
  • AWX install method: docker on linux (docker-compose)
  • Ansible version: 2.8.1
  • Operating System: rhel7
  • Web Browser: Firefox

STEPS TO REPRODUCE

Have a working LDAP auth config in awx 4.0.0 and 5.0.0, upgrade to 6.0.0 and try to log in.

These connection options work for 4.0.0 and 5.0.0:

# tower-cli setting get AUTH_LDAP_CONNECTION_OPTIONS -f json
{
  "id": "AUTH_LDAP_CONNECTION_OPTIONS",
  "value": {
    "OPT_X_TLS_REQUIRE_CERT": 0,
    "OPT_REFERRALS": 0,
    "OPT_X_TLS_NEWCTX": 0,
    "OPT_NETWORK_TIMEOUT": 30
  }
}

EXPECTED RESULTS

Expect authentication attempt against server with self-signed certificate to be successful, due to option OPT_X_TLS_REQUIRE_CERT.

ACTUAL RESULTS

Authentication attempt fails, with message:
2019-07-03 17:08:51,727 WARNING django_auth_ldap Caught LDAPError while authenticating s10g: SERVER_DOWN({'desc': "Can't contact LDAP server", 'info': 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)'},)

ADDITIONAL INFORMATION

I added some logger statements into the new code introduced with commit 11b3698 such that the code in awx/sso/backends.py looks like this:

        logger.warn("connection_options1 contains: %s " % self.CONNECTION_OPTIONS)
        newctx_option = self.CONNECTION_OPTIONS.pop(ldap.OPT_X_TLS_NEWCTX, None)
        self.CONNECTION_OPTIONS = OrderedDict(self.CONNECTION_OPTIONS)
        logger.warn("connection_options2 contains: %s " % self.CONNECTION_OPTIONS)
        if newctx_option:
            self.CONNECTION_OPTIONS[ldap.OPT_X_TLS_NEWCTX] = newctx_option
            logger.warn("connection_options3 contains: %s " % self.CONNECTION_OPTIONS)
        logger.warn("connection_options4 contains: %s " % self.CONNECTION_OPTIONS)

and now, awx_web's logfile shows me this (note missing "24591: 0"):

2019-07-03 17:08:51,422 WARNING  awx.sso.backends connection_options1 contains: {24582: 0, 8: 0, 24591: 0, 20485: 30}
2019-07-03 17:08:51,426 WARNING  awx.sso.backends connection_options2 contains: OrderedDict([(24582, 0), (8, 0), (20485, 30)])
2019-07-03 17:08:51,428 WARNING  awx.sso.backends connection_options4 contains: OrderedDict([(24582, 0), (8, 0), (20485, 30)])
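The truthiness check in the snippet above is the whole bug: OPT_X_TLS_NEWCTX is configured as 0, so `if newctx_option:` never re-adds it, and the TLS options that were meant to be applied to a fresh context are silently left at libldap's defaults. The following is an added example, not AWX's or python-ldap's own code: it reproduces the reordering logic in its 6.0.0 form and in the `is not None` form, and uses a small stand-in for the connection object to show why losing that one option leaves certificate verification switched on. The numeric option codes are the ones visible in the log lines above (assumed to match python-ldap's constants); FakeLdapConnection models only libldap's rule that TLS options take effect when OPT_X_TLS_NEWCTX is set after them, and is not the real library.

```python
from collections import OrderedDict

# python-ldap option codes, as they appear in the awx.sso.backends log lines
# of this report (assumption: identical to ldap.OPT_* in python-ldap).
OPT_REFERRALS = 8
OPT_NETWORK_TIMEOUT = 20485
OPT_X_TLS_REQUIRE_CERT = 24582
OPT_X_TLS_NEWCTX = 24591

# The reporter's AUTH_LDAP_CONNECTION_OPTIONS, keyed by option code.
REPORTED_OPTIONS = {
    OPT_X_TLS_REQUIRE_CERT: 0,   # ldap.OPT_X_TLS_NEVER: do not verify the chain
    OPT_REFERRALS: 0,
    OPT_X_TLS_NEWCTX: 0,
    OPT_NETWORK_TIMEOUT: 30,
}


def reorder_buggy(options):
    """Move OPT_X_TLS_NEWCTX to the end the way the 6.0.0 code did.

    The truthiness test drops the option whenever its value is 0, which is
    exactly the value python-ldap expects for it.
    """
    options = dict(options)
    newctx = options.pop(OPT_X_TLS_NEWCTX, None)
    ordered = OrderedDict(options)
    if newctx:                      # bug: 0 is falsy, option is lost
        ordered[OPT_X_TLS_NEWCTX] = newctx
    return ordered


def reorder_fixed(options):
    """Same reordering; only the *absence* of the option skips the re-add."""
    options = dict(options)
    newctx = options.pop(OPT_X_TLS_NEWCTX, None)
    ordered = OrderedDict(options)
    if newctx is not None:          # fix: an explicit 0 is kept and set last
        ordered[OPT_X_TLS_NEWCTX] = newctx
    return ordered


class FakeLdapConnection:
    """Stand-in for the object returned by ldap.initialize().

    Models one rule of libldap's TLS handling: per-connection TLS options are
    staged and only become effective on the context created when
    OPT_X_TLS_NEWCTX is set afterwards. Modelled behaviour, not python-ldap.
    """

    def __init__(self):
        self.pending_tls = {}
        self.active_tls = {}

    def set_option(self, opt, value):
        if opt == OPT_X_TLS_NEWCTX:
            # A new TLS context picks up everything staged so far.
            self.active_tls = dict(self.pending_tls)
        elif opt == OPT_X_TLS_REQUIRE_CERT:
            self.pending_tls[opt] = value
        # non-TLS options (referrals, timeouts) need no context and are ignored here

    def verifies_certificate(self):
        # libldap's default (TLS_REQCERT demand) verifies the server chain;
        # only an effective REQUIRE_CERT of 0 (never) turns that off.
        return self.active_tls.get(OPT_X_TLS_REQUIRE_CERT, "demand") != 0


def apply_options(conn, ordered):
    """Apply an ordered option mapping to a connection, in order."""
    for opt, value in ordered.items():
        conn.set_option(opt, value)
    return conn


if __name__ == "__main__":
    for name, reorder in (("6.0.0", reorder_buggy), ("fixed", reorder_fixed)):
        ordered = reorder(REPORTED_OPTIONS)
        conn = apply_options(FakeLdapConnection(), ordered)
        print(name, dict(ordered), "verifies cert:", conn.verifies_certificate())
```

With the reporter's settings the buggy path yields the three-entry OrderedDict seen in the `connection_options4` log line and the stand-in connection still verifies the certificate, which matches the "certificate verify failed" error; the fixed path appends `(24591, 0)` last and the verification setting takes effect. Note that REQUIRE_CERT=0 disables chain verification entirely; where the self-signed certificate is known, pointing OPT_X_TLS_CACERTFILE at it keeps verification on and achieves the same login.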

All 5 comments

@s10g Yep, I see what's up. Thanks for reporting this with the very detailed description - I'll submit a PR.

@s10g any chance you could give this a try and see if it fixes things for you?

https://github.com/ansible/awx/pull/4276

Next time I have my work laptop up I'll add the added code 'is not None' to the check in backends.py and let you know how it fares thereafter

@ryanpetrello
Tested with the new code and result was good :)

web_1        | 2019-07-08 07:54:14,235 WARNING  awx.sso.backends connection_options1 contains: {24582: 0, 8: 0, 24591: 0, 20485: 30}
web_1        | 2019-07-08 07:54:14,237 WARNING  awx.sso.backends connection_options2 contains: OrderedDict([(24582, 0), (8, 0), (20485, 30)])
web_1        | 2019-07-08 07:54:14,239 WARNING  awx.sso.backends connection_options3 contains: OrderedDict([(24582, 0), (8, 0), (20485, 30), (24591, 0)])
web_1        | 2019-07-08 07:54:14,241 WARNING  awx.sso.backends connection_options4 contains: OrderedDict([(24582, 0), (8, 0), (20485, 30), (24591, 0)])
web_1        | 2019-07-08 07:54:44,333 DEBUG    django_auth_ldap search_s('OU=Users,OU=EX,DC=ex,DC=example,DC=com', 2, '(sAMAccountName=%(user)s)') returned 1 objects: cn=s10g,ou=users,ou=ex,dc=ex,dc=example,dc=com
web_1        | 2019-07-08 07:54:44,343 DEBUG    django_auth_ldap Creating Django user s10g
web_1        | 2019-07-08 07:54:44,344 DEBUG    django_auth_ldap Populating Django user s10g

Thanks for reporting this and helping test, @s10g!
