Configuring AWX (or Ansible Tower) to use LDAP authentication and Active Directory
I’m an idiot when it comes to LDAP, so I stumbled and struggled for a long time with getting it to work with my AWX instance. After some Googling I found this GitHub issue where a user documented how they filled out each field in the LDAP configuration.
Following their examples, I was able to get LDAP authentication using Active Directory working exactly how I wanted it! I’m going to explain each field and provide the examples from the GitHub issue.
Let’s get started:
LDAP SERVER URI: the server's FQDN or IP address. AWX requires the scheme prefix and the port number. Note that ldap://<host>:389 is a plaintext connection unless LDAP Start TLS (below) is turned on, so the bind password and every user's password would cross the network in the clear. ldaps://<host>:636 is TLS from the first byte and is the better default; an Active Directory domain controller listens on 636 once it has a server certificate, and the CA that issued that certificate must be trusted by the AWX host (or the container AWX runs in).
ldap://<server.fqdn>:389
LDAP BIND DN: The distinguished name of the account AWX uses to bind to the LDAP or Active Directory server and run the user and group searches. Use a dedicated service account that can only read user and group attributes; it needs no other rights, and AWX stores its password. Values containing spaces are not quoted.
CN=<account name>,OU=<ou name>,DC=<domain name>,DC=<top level domain>
EXAMPLE: CN=awx_service_account,OU=service accounts,DC=contoso,DC=com
LDAP BIND PASSWORD: pretty self-explanatory. This is the password of the bind DN account above.
LDAP USER DN TEMPLATE: I left this blank in favor of using the LDAP USER SEARCH field instead.
LDAP GROUP TYPE: This depends on your use case. In my case I used ActiveDirectoryGroupType since I’m using Active Directory.
Note that if you choose ActiveDirectoryGroupType, your LDAP GROUP TYPE PARAMETERS must not contain "member_attr": "member" or you will get an error on saving. The reason is that ActiveDirectoryGroupType already fixes the member attribute to member and only accepts name_attr, so member_attr is rejected as an unexpected parameter; {"name_attr": "cn"} is all it needs. Also note that this group type does not resolve nested group membership; use NestedActiveDirectoryGroupType if the groups you map in AWX contain other groups.
LDAP REQUIRE GROUP: Group DN required to log in. If specified, the user must be a member of this group to log in via LDAP. The check runs on every login, so removing someone from the group revokes their access at their next login. The group must be reachable through the LDAP GROUP SEARCH below.
CN=<awx user group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>
EXAMPLE: CN=awx_user_group,OU=administration groups,DC=contoso,DC=com
LDAP DENY GROUP: Like the above, but members of this group are refused login. The underlying django-auth-ldap setting (AUTH_LDAP_DENY_GROUP) takes a single group DN, and being in the deny group rejects the login even if the user is in the required group. I left this blank.
LDAP Start TLS: Turn this On when the URI uses ldap:// and the connection should be upgraded to TLS with a STARTTLS command before the bind. It is not needed with ldaps://. In either case the server certificate has to chain to a CA the AWX host trusts, otherwise the TLS handshake fails and nobody can log in.
LDAP USER SEARCH: LDAP search query to find users, as a three-element list: base DN, scope and filter. AWX substitutes the login name for %(user)s, with LDAP filter metacharacters escaped so a crafted username cannot change the filter, and then binds as the DN that comes back using the user's password. Any user the filter matches (and who passes the require and deny group checks) can log in to AWX. This particular example matches on the sAMAccountName, so users log in with their plain account name.
[
"DC=<domain name>,DC=<top level domain>",
"SCOPE_SUBTREE",
"(sAMAccountName=%(user)s)"
]
// EXAMPLE
[
"DC=contoso,DC=com",
"SCOPE_SUBTREE",
"(sAMAccountName=%(user)s)"
]
LDAP GROUP SEARCH: Users are mapped to organizations based on their membership in LDAP groups. This setting defines the search (base DN, scope, filter) AWX runs to find the user's groups; with ActiveDirectoryGroupType it looks under this base for group objects whose member attribute holds the user's DN. Only groups under this base that match this filter are visible to the settings below, so the require group, the deny group, the flag groups and every group DN in the organization and team maps must live under it.
[
"OU=<ou name>,DC=<domain name>,DC=<top level domain>",
"SCOPE_SUBTREE",
"(objectClass=group)"
]
// EXAMPLE
[
"OU=administration groups,DC=contoso,DC=com",
"SCOPE_SUBTREE",
"(objectClass=group)"
]
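The fields above are easy to get subtly wrong, and AWX only tells you at the first failed login. Here is an offline preflight written for this page (an added example, not code from the original post or from AWX) that holds the settings in a dict keyed by the AUTH_LDAP_* names AWX uses for these fields, with a config constructed from the contoso example (the hostname dc01.contoso.com is assumed). It checks the scheme and port, the DN syntax, the %(user)s placeholder and the ActiveDirectoryGroupType/member_attr conflict, then builds the ldapsearch command to confirm by hand that the user filter matches exactly one entry. The username is escaped per RFC 4515 the way django-auth-ldap escapes it, so a login name like *)(objectClass=* becomes a literal value rather than a second filter term.

```python
"""Offline preflight for the AWX LDAP fields above (added example, not AWX code)."""
import re
import shlex
from urllib.parse import urlsplit

# RFC 4515 filter escaping; backslash goes first so later replacements are not re-escaped.
_FILTER_ESCAPES = (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00"))

# Constructed from the page's contoso example; the hostname dc01 is assumed.
EXAMPLE_CONFIG = {
    "AUTH_LDAP_SERVER_URI": "ldap://dc01.contoso.com:389",
    "AUTH_LDAP_BIND_DN": "CN=awx_service_account,OU=service accounts,DC=contoso,DC=com",
    "AUTH_LDAP_START_TLS": False,
    "AUTH_LDAP_USER_SEARCH": ["DC=contoso,DC=com", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)"],
    "AUTH_LDAP_GROUP_SEARCH": ["OU=administration groups,DC=contoso,DC=com", "SCOPE_SUBTREE", "(objectClass=group)"],
    "AUTH_LDAP_GROUP_TYPE": "ActiveDirectoryGroupType",
    "AUTH_LDAP_GROUP_TYPE_PARAMS": {"name_attr": "cn"},
    "AUTH_LDAP_REQUIRE_GROUP": "CN=awx_user_group,OU=administration groups,DC=contoso,DC=com",
}
_SCOPES = {"SCOPE_BASE": "base", "SCOPE_ONELEVEL": "one", "SCOPE_SUBTREE": "sub"}


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into an LDAP search filter."""
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs; ValueError if an RDN is malformed.

    Splits on commas that are not backslash-escaped: values may contain spaces,
    and a literal comma inside a value must be written as backslash-comma.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not value or not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr):
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((attr.lower(), value))
    return pairs


def _check_search(name: str, search, findings: list) -> None:
    """Validate a [base DN, scope, filter] triple as AWX expects it."""
    if not isinstance(search, (list, tuple)) or len(search) != 3:
        findings.append(f"ERROR: {name} must be [base DN, scope, filter]")
        return
    base, scope, filt = search
    try:
        parse_dn(base)
    except ValueError as exc:
        findings.append(f"ERROR: {name} base: {exc}")
    if scope not in _SCOPES:
        findings.append(f"ERROR: {name} scope {scope!r} is not a SCOPE_* value")
    if not (filt.startswith("(") and filt.endswith(")")):
        findings.append(f"ERROR: {name} filter must be wrapped in parentheses")


def preflight(cfg: dict) -> list:
    """Return ERROR/WARN strings for the config; an empty list means nothing obvious is wrong."""
    findings = []
    uri = urlsplit(cfg.get("AUTH_LDAP_SERVER_URI", ""))
    if uri.scheme not in ("ldap", "ldaps"):
        findings.append("ERROR: server URI must start with ldap:// or ldaps://")
    else:
        if uri.port is None:
            findings.append("WARN: no port in server URI (389 for ldap, 636 for ldaps)")
        if uri.scheme == "ldap" and not cfg.get("AUTH_LDAP_START_TLS"):
            findings.append("WARN: ldap:// without Start TLS sends the bind password in cleartext")
    for field in ("AUTH_LDAP_BIND_DN", "AUTH_LDAP_REQUIRE_GROUP"):
        if cfg.get(field):
            try:
                parse_dn(cfg[field])
            except ValueError as exc:
                findings.append(f"ERROR: {field}: {exc}")
    user_search = cfg.get("AUTH_LDAP_USER_SEARCH")
    _check_search("AUTH_LDAP_USER_SEARCH", user_search, findings)
    if "%(user)s" not in str((user_search or [""])[-1]):
        findings.append("ERROR: user search filter must contain %(user)s")
    _check_search("AUTH_LDAP_GROUP_SEARCH", cfg.get("AUTH_LDAP_GROUP_SEARCH"), findings)
    params = cfg.get("AUTH_LDAP_GROUP_TYPE_PARAMS") or {}
    if cfg.get("AUTH_LDAP_GROUP_TYPE", "").endswith("ActiveDirectoryGroupType") and "member_attr" in params:
        findings.append("ERROR: ActiveDirectoryGroupType fixes member_attr to 'member'; remove it from the parameters")
    return findings


def ldapsearch_argv(cfg: dict, username: str) -> list:
    """Build the ldapsearch command to run by hand; it should return exactly one entry."""
    base, scope, filt = cfg["AUTH_LDAP_USER_SEARCH"]
    argv = ["ldapsearch", "-LLL", "-H", cfg["AUTH_LDAP_SERVER_URI"]]
    if cfg.get("AUTH_LDAP_START_TLS"):
        argv.append("-ZZ")  # require a successful StartTLS before binding
    argv += ["-D", cfg["AUTH_LDAP_BIND_DN"], "-W", "-b", base, "-s", _SCOPES[scope],
             filt % {"user": escape_filter_value(username)}, "sAMAccountName", "memberOf"]
    return argv


if __name__ == "__main__":
    for line in preflight(EXAMPLE_CONFIG):
        print(line)
    print(shlex.join(ldapsearch_argv(EXAMPLE_CONFIG, "jdoe")))
```

Any ERROR line is something AWX will reject on save or that can never match a user; the WARN line for the example config is the plaintext-bind caveat from the URI field above. The printed ldapsearch (enter the bind password at the -W prompt) should return the one user entry together with its memberOf values, which is exactly the data the group and mapping fields below operate on.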
LDAP USER ATTRIBUTE MAP: This maps LDAP user attributes to Tower user fields; the values are refreshed on every login. Note that userPrincipalName is usually, but not always, the same as the user's mail address; if your directory keeps the address in the mail attribute, map email to that instead.
{
"first_name": "givenName",
"last_name": "sn",
"email": "userPrincipalName"
}
LDAP USER FLAGS BY GROUP: Give users in certain groups the superuser (is_superuser) or system auditor (is_system_auditor) flag. The flag is set to the membership result at every login, so it is granted to members and cleared for anyone who has since left the group. Keep these groups tightly controlled: is_superuser is full administrative control of AWX.
{
"is_superuser": "cn=<super users group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>"
}
// EXAMPLE
{
"is_superuser": "cn=awx_super_users,OU=administration groups,DC=contoso,DC=com"
}
LDAP ORGANIZATION MAP: Map users in certain groups to a Tower organization, and give them Admin or User roles. Each of users and admins is either true (every LDAP user), false or null (nobody), a group DN, or a list of group DNs; remove_users and remove_admins control whether the role is taken away from users who no longer match. The DN must be a group that the group search above can find. Be aware that the OU=devops team,... value in the example below names an OU, not a group: a user's object sitting inside an OU does not make them a member of it, so that admins rule matches nobody. Point admins at a group DN, as the other examples do.
{
"<Organisation name in AWX>": {
"users": true,
"admins": "OU=<org admins ou name>,OU=<ou name>,DC=<domain name>,DC=<top level domain>",
"remove_admins": false,
"remove_users": false
}
}
// EXAMPLE
{
"contoso": {
"users": true,
"admins": "OU=devops team,OU=administration groups,DC=contoso,DC=com",
"remove_admins": false,
"remove_users": false
}
}
LDAP TEAM MAP: Finally, map users into a Tower team within an organization. users takes the same true/false/group DN values as the organization map, and "remove": true takes the team membership away from users who are no longer in the group.
{
"<team name 1>": {
"organization": "<Organization name from above>",
"users": "CN=<team group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>",
"remove": true
},
"<team name 2>": {
"organization": "<Organization name for team 2>",
"users": "CN=<team group>,OU=<ou name>,DC=<domain name>,DC=<top level domain>",
"remove": true
}
}
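To see what the three mapping fields do to one account, here is an added example (not code from the original post or from AWX) that applies the rules described above to a user's group DNs: true means every LDAP user, false or null means nobody, a group DN or list of DNs means members of those groups, DN comparison is case-insensitive, and a non-matching rule revokes the role only when the matching remove flag is set (True is assumed here when the key is absent). The memberOf values, the devops team and the awx_devops group are constructed for the example; the organization map is the page's own, including its OU-valued admins rule, to show that such a rule never grants anything.

```python
"""Evaluate the AWX LDAP mapping fields for one user, offline (added example, not AWX code)."""

# The page's own mapping values, plus a constructed team map.
FLAGS_BY_GROUP = {"is_superuser": "cn=awx_super_users,OU=administration groups,DC=contoso,DC=com"}
ORG_MAP = {"contoso": {"users": True,
                       "admins": "OU=devops team,OU=administration groups,DC=contoso,DC=com",
                       "remove_admins": False, "remove_users": False}}
TEAM_MAP = {"devops": {"organization": "contoso",  # team name and group are assumed
                       "users": "CN=awx_devops,OU=administration groups,DC=contoso,DC=com",
                       "remove": True}}
# Constructed memberOf values for a user whose object lives in the "devops team" OU,
# who is in the super-user group (note the differing case) but not in awx_devops.
SAMPLE_MEMBER_OF = ["CN=awx_user_group,OU=administration groups,DC=contoso,DC=com",
                    "CN=AWX_Super_Users,OU=Administration Groups,DC=contoso,DC=com"]


def _rule_matches(rule, user_groups: set) -> bool:
    """true: every LDAP user; false/None: nobody; a DN or list of DNs: members of those groups."""
    if rule is True:
        return True
    if not rule:
        return False
    dns = [rule] if isinstance(rule, str) else list(rule)
    return any(dn.lower() in user_groups for dn in dns)


def _decision(matched: bool, remove: bool) -> str:
    """grant when the rule matches; otherwise revoke only if the remove flag is set."""
    if matched:
        return "grant"
    return "revoke" if remove else "keep"


def evaluate(member_of, flags_by_group, org_map, team_map) -> dict:
    """Return the flag values, organization role decisions and team decisions for one login."""
    groups = {dn.lower() for dn in member_of}  # DN matching is case-insensitive
    result = {"flags": {}, "orgs": {}, "teams": {}}
    # A flag is set to the membership result on every login, so leaving the
    # group clears is_superuser the next time the user logs in.
    for flag, rule in flags_by_group.items():
        result["flags"][flag] = _rule_matches(rule, groups)
    for org, spec in org_map.items():
        result["orgs"][org] = {
            "admin": _decision(_rule_matches(spec.get("admins"), groups), spec.get("remove_admins", True)),
            "member": _decision(_rule_matches(spec.get("users"), groups), spec.get("remove_users", True)),
        }
    for team, spec in team_map.items():
        result["teams"][team] = {
            "organization": spec["organization"],
            "member": _decision(_rule_matches(spec.get("users"), groups), spec.get("remove", True)),
        }
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(SAMPLE_MEMBER_OF, FLAGS_BY_GROUP, ORG_MAP, TEAM_MAP), indent=2))
```

For the sample user this yields is_superuser true (the case difference in the group DN does not matter), organization membership granted because users is true, the admin role kept rather than granted because the OU rule matches no group DN and remove_admins is false, and the devops team membership revoked because the user is not in awx_devops and remove is true. Swap the OU in the admins rule for a real group DN and the admin decision becomes grant for its members.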
After all the fields have been filled out, your users should be able to log in to the AWX instance with their SAM Account Name alone, without any qualifier such as DOMAIN\ or @domain.com, and the roles from the mapping fields are applied at that moment.
Note that AWX does not do an initial sync of users; it creates and updates users as they log in with their LDAP credentials, so an account does not appear in AWX until its first successful login.