
LDAP login works only once per user #507

Closed
gjsmo opened this issue Aug 22, 2021 · 8 comments · Fixed by ansible/awx#10965
Labels
type:bug Something isn't working

Comments

@gjsmo

gjsmo commented Aug 22, 2021

ISSUE TYPE
  • Bug Report
SUMMARY

After configuring LDAP, I'm able to log in. Attributes and groups seem to sync correctly. After logging out, however, I can no longer log in with that same username. The only error in the awx-task log is awx.api.generics Login failed for user.

ENVIRONMENT
  • AWX version: 19.3.0
  • Operator version: 0.12.0
  • Kubernetes version: 1.20.0-1089
  • AWX install method: OKD 4.7
STEPS TO REPRODUCE
  • Install AWX and configure LDAP authentication as below.
  • Login with an LDAP user
  • Logout
  • Login again
EXPECTED RESULTS

User should be able to login again successfully.

ACTUAL RESULTS

User can only login once.

ADDITIONAL INFORMATION

Redacted config as follows:

LDAP Server URI
ldap://ldap-server.example.com/
LDAP Bind DN
uid=svc_awx,cn=sysaccounts,cn=etc,dc=example,dc=com
LDAP Bind Password
Encrypted
LDAP User DN Template
uid=%(user)s,cn=users,cn=accounts,dc=example,dc=com
LDAP Group Type
GroupOfNamesType
LDAP Require Group
cn=awx-users,cn=groups,cn=accounts,dc=example,dc=com
LDAP Deny Group
Not configured
LDAP Start TLS
On

LDAP User Search
[
  "cn=users,cn=accounts,dc=example,dc=com",
  "SCOPE_SUBTREE",
  "(uid=%(user)s)"
]

LDAP Group Search
[
  "cn=groups,cn=accounts,dc=example,dc=com",
  "SCOPE_SUBTREE",
  "(objectClass=nestedGroup)"
]

LDAP User Attribute Map
{
  "first_name": "givenName",
  "last_name": "sn",
  "email": "mail"
}

LDAP User Flags By Group
{
  "is_superuser": [
    "cn=awx-admins,cn=groups,cn=accounts,dc=example,dc=com"
  ]
}

Deleting the LDAP user using the admin account seems to allow logging in again.

AWX-OPERATOR LOGS
@jorgeyanesdiez

I am having the same issue. Furthermore, LDAP users no longer have the "LDAP" label as in previous versions.

On a side note: if I change the password for the "admin" user, it is reset every time I restart minikube. The issues are probably related.

@felipe4334

felipe4334 commented Aug 24, 2021

Same issue here; I have awx-operator 0.13.0. I tried creating an awx instance from scratch without restoring from any backups and still have the same issue. I have another cluster running AWX 19.2.2 and this issue does not appear there. This issue only appears with new users though; users already configured for LDAP will keep working.
The same user that can't be found on AD when adding it and relogging in is the same user that works when LDAP is already configured.

@mhahl

mhahl commented Aug 27, 2021

Just confirming I can replicate this issue on the following:

ENVIRONMENT

  • AWX version: 19.3.0
  • Operator version: 0.13.0
  • Kubernetes version: v1.21.3+k3s1
  • AWX install method: k3s

@shanemcd shanemcd added priority:high type:bug Something isn't working labels Aug 27, 2021
@lo78cn

lo78cn commented Aug 28, 2021

I face the same issue.

  • it no longer works in 0.13.0/19.3.0 (clean install/deploy); LDAP login is still possible the first time; on the next login the username and password are validated against the local database
  • it does work in 0.12.0/19.2.2 (clean install/deploy)
  • existing users after upgrade 0.12.0/19.2.2 -> 0.13.0/19.3.0 are still working

There is one required user attribute value missing in the API output (this results in the missing LDAP label in the GUI):

  • "ldap_dn": ""

It should be something like:

  • "ldap_dn": "cn=username,ou=users,dc=internal,dc=org,dc=net"

Also missing, but less critical for LDAP to work:

  • "external_account": "ldap",

I was able to fix it by directly setting ldap_dn in the database table main_profile (dirty hack).

minikube kubectl -- exec -ti awx-postgres-0 -- psql -U awx
update main_profile set ldap_dn = 'cn=username,ou=users,dc=internal,dc=org,dc=net' where id = (select id from auth_user where username = 'username');

@kurokobo
Contributor

This seems to be an issue on the AWX side; ansible/awx#10883

@tchellomello
Contributor

@kurokobo should be fixed by ansible/awx#10965

@kurokobo
Contributor

@tchellomello
Thanks for the quick fix!
I look forward to the release of the new version with the fixes included 🚀

@josue-soares

Script example for the adjustment:

root@awxansible:~# cat ajusta-usuarios.sh
#!/bin/bash

# Collect the usernames from tower-cli, dropping the table header/separator rows and the local admin
tower-cli user list --all-pages | egrep -v '(==|admin|username)' | awk -F ' ' '{print $2}' > /tmp/usuarios.txt

for U in $(cat /tmp/usuarios.txt); do
  echo "ajustando o usuario $U"
  # Look up the user's DN in LDAP (the command substitution was lost in the original paste).
  # -w puts the bind password on the command line, where other local users can read it; -y <file> avoids that.
  DN=$(ldapsearch -o ldif-wrap=no -w xxxxxx -H ldap://ldapxxxxxx -b 'ou=xx,dc=xxx,dc=xxx' -D uid=xxx,ou=xxx,dc=xxx,dc=zzz "(uid=$U)" dn | egrep '^dn' | awk -F ' ' '{print $2}')
  # Skip users that LDAP does not know rather than writing an empty ldap_dn
  [ -n "$DN" ] || { echo "no DN found for $U, skipping"; continue; }
  kubectl exec awx-postgres-13-0 -- psql -U awx -d awx -c \
    "update main_profile set ldap_dn = '$DN' where id = (select id from auth_user where username = '$U');"
done
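The audit-and-repair idea from the two comments above, written out in Python as an added example (it is not code from this thread or from the AWX project). It scans user records in the shape of the API output lo78cn quoted, lists accounts whose ldap_dn is empty, and emits the thread's UPDATE as a parameterised statement instead of splicing the DN into the SQL string the way the shell script does, since a DN may legally contain an apostrophe. Assumptions: the LDAP User DN Template from the issue's redacted config is authoritative (a deployment that relies on LDAP User Search would take the dn from ldapsearch, as in the script above), the built-in admin is the only local account, the sample records are constructed, and the table and column names are the ones used in the thread.

```python
"""Audit helper for the empty-ldap_dn symptom discussed in this thread (added example)."""
import json
import re

# Constructed sample records in the shape of the AWX users API output quoted
# in the thread: "ldap_dn" and "external_account" are the two fields at issue.
SAMPLE_USERS_JSON = json.dumps({
    "results": [
        {"id": 1, "username": "admin", "ldap_dn": "", "external_account": None},
        {"id": 7, "username": "alice",
         "ldap_dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=com",
         "external_account": "ldap"},
        {"id": 9, "username": "bob", "ldap_dn": "", "external_account": None},
    ]
})

# LDAP User DN Template from the issue's redacted configuration.
USER_DN_TEMPLATE = "uid=%(user)s,cn=users,cn=accounts,dc=example,dc=com"

# Accounts that legitimately have no LDAP DN (assumption: only the built-in admin).
LOCAL_ACCOUNTS = frozenset({"admin"})

# Usernames are restricted to characters that need no RFC 4514 escaping, so
# substituting one into the DN template cannot alter the DN's structure.
SAFE_UID = re.compile(r"^[A-Za-z0-9._-]+$")


def find_broken_ldap_users(users_json, local_accounts=LOCAL_ACCOUNTS):
    """Return usernames whose record has an empty ldap_dn and that are not local accounts."""
    users = json.loads(users_json)["results"]
    return sorted(
        u["username"] for u in users
        if u.get("ldap_dn", "") == "" and u["username"] not in local_accounts
    )


def render_dn(template, username):
    """Fill the DN template the way the %(user)s placeholder is expanded."""
    if not SAFE_UID.match(username):
        raise ValueError(f"refusing to build a DN from unsafe username {username!r}")
    return template % {"user": username}


def build_repair_statements(usernames, template=USER_DN_TEMPLATE):
    """Return (sql, params) pairs for the UPDATE used in the thread, parameterised.

    The values travel as DB-API bind parameters (%s placeholders), so a DN or
    username containing quotes cannot change the meaning of the statement.
    """
    sql = (
        "UPDATE main_profile SET ldap_dn = %s "
        "WHERE id = (SELECT id FROM auth_user WHERE username = %s)"
    )
    return [(sql, (render_dn(template, u), u)) for u in usernames]


if __name__ == "__main__":
    broken = find_broken_ldap_users(SAMPLE_USERS_JSON)
    print("users with empty ldap_dn:", broken)
    for statement, params in build_repair_statements(broken):
        print(statement, params)
```

The statements are meant to be handed to a DB-API cursor (for example psycopg2's cursor.execute(sql, params)) against the awx database; the functions only compute them so the list can be reviewed before anything is written. Note that the proper fix is the AWX change referenced in the thread; this only repairs rows that the bug already left empty.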
