author | Djebran Lezzoum <ldjebran@gmail.com> | 2024-10-02 15:40:16 +0200 |
---|---|---|
committer | jessicamack <jmack@redhat.com> | 2024-10-15 23:43:32 +0200 |
commit | f22b192fb4eac82dbe29d7c4c95c69dd6813382d (patch) | |
tree | a392fec43af0ee9b6f2680ffee1538b1547dc47a /tools | |
parent | Prettier DRF pages when using trusted proxy (#15579) (diff) | |
download | awx-f22b192fb4eac82dbe29d7c4c95c69dd6813382d.tar.xz awx-f22b192fb4eac82dbe29d7c4c95c69dd6813382d.zip |
Remove LDAP authentication (#15546)
Remove LDAP authentication from AWX
Diffstat (limited to 'tools')
13 files changed, 1 insertions, 458 deletions
diff --git a/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 b/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 index dbfc821e89..0ab08ca6d1 100644 --- a/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 +++ b/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 @@ -44,7 +44,6 @@ RUN dnf -y update && dnf install -y 'dnf-command(config-manager)' && \ libtool-ltdl-devel \ make \ nss \ - openldap-devel \ patch \ postgresql \ postgresql-devel \ @@ -127,7 +126,6 @@ RUN dnf -y update && dnf install -y 'dnf-command(config-manager)' && \ glibc-langpack-en \ krb5-workstation \ nginx \ - "openldap >= 2.6.2-3" \ postgresql \ python3.11 \ "python3.11-devel" \ diff --git a/tools/docker-compose/README.md b/tools/docker-compose/README.md index 34db342021..77e10233bc 100644 --- a/tools/docker-compose/README.md +++ b/tools/docker-compose/README.md @@ -272,7 +272,6 @@ $ make docker-compose - [Start a Cluster](#start-a-cluster) - [Start with Minikube](#start-with-minikube) - [SAML and OIDC Integration](#saml-and-oidc-integration) -- [OpenLDAP Integration](#openldap-integration) - [Splunk Integration](#splunk-integration) - [tacacs+ Integration](#tacacs+-integration) 
@@ -436,41 +435,6 @@ Note: The OIDC adapter performs authentication only, not authorization. So any u If you Keycloak configuration is not working and you need to rerun the playbook to try a different `container_reference` or `oidc_reference` you can log into the Keycloak admin console on port 8443 and select the AWX realm in the upper left drop down. Then make sure you are on "Ream Settings" in the Configure menu option and click the trash can next to AWX in the main page window pane. This will completely remove the AWX ream (which has both SAML and OIDC settings) enabling you to re-run the plumb playbook. -### OpenLDAP Integration - -OpenLDAP is an LDAP provider that can be used to test AWX with LDAP integration. This section describes how to build a reference OpenLDAP instance and plumb it with your AWX for testing purposes. - -First, be sure that you have the awx.awx collection installed by running `make install_collection`. - -Anytime you want to run an OpenLDAP instance alongside AWX we can start docker-compose with the LDAP option to get an LDAP instance with the command: -```bash -LDAP=true make docker-compose -``` - -Once the containers come up two new ports (389, 636) should be exposed and the LDAP server should be running on those ports. The first port (389) is non-SSL and the second port (636) is SSL enabled. - -Now we are ready to configure and plumb OpenLDAP with AWX. To do this we have provided a playbook which will: -* Backup and configure the LDAP adapter in AWX. NOTE: this will back up your existing settings but the password fields can not be backed up through the API, you need a DB backup to recover this. - -Note: The default configuration will utilize the non-tls connection. If you want to use the tls configuration you will need to work through TLS negotiation issues because the LDAP server is using a self signed certificate. 
- -You can run the playbook like: -```bash -export CONTROLLER_USERNAME=<your username> -export CONTROLLER_PASSWORD=<your password> -ansible-playbook tools/docker-compose/ansible/plumb_ldap.yml -``` - - -Once the playbook is done running LDAP should now be setup in your development environment. This realm has four users with the following username/passwords: -1. awx_ldap_unpriv:unpriv123 -2. awx_ldap_admin:admin123 -3. awx_ldap_auditor:audit123 -4. awx_ldap_org_admin:orgadmin123 - -The first account is a normal user. The second account will be a super user in AWX. The third account will be a system auditor in AWX. The fourth account is an org admin. All users belong to an org called "LDAP Organization". To log in with one of these users go to the AWX login screen enter the username/password. - - ### Splunk Integration Splunk is a log aggregation tool that can be used to test AWX with external logging integration. This section describes how to build a reference Splunk instance and plumb it with your AWX for testing purposes. @@ -550,7 +514,7 @@ To create a secret connected to this vault in AWX you can run the following play ```bash export CONTROLLER_USERNAME=<your username> export CONTROLLER_PASSWORD=<your password> -ansible-playbook tools/docker-compose/ansible/plumb_vault.yml -e enable_ldap=false +ansible-playbook tools/docker-compose/ansible/plumb_vault.yml ``` This will create the following items in your AWX instance: 
@@ -575,53 +539,6 @@ If you have a playbook like: And run it through AWX with the credential `Credential From Vault via Token Auth` tied to it, the debug should result in `this_is_the_secret_value`. If you run it through AWX with the credential `Credential From Vault via Userpass Auth`, the debug should result in `this_is_the_userpass_secret_value`. -### HashiVault with LDAP - -If you wish to have your OpenLDAP container connected to the Vault container, you will first need to have the OpenLDAP container running alongside AWX and Vault. - - -```bash - -VAULT=true LDAP=true make docker-compose - -``` - -Similar to the above, you will need to unseal the vault before we can run the other needed playbooks. - -```bash - -ansible-playbook tools/docker-compose/ansible/unseal_vault.yml - -``` - -Now that the vault is unsealed, we can plumb the vault container now while passing true to enable_ldap extra var. - - -```bash - -export CONTROLLER_USERNAME=<your username> - -export CONTROLLER_PASSWORD=<your password> - -ansible-playbook tools/docker-compose/ansible/plumb_vault.yml -e enable_ldap=true - -``` - -This will populate your AWX instance with LDAP specific items. - -- A vault LDAP Lookup Cred tied to the LDAP `awx_ldap_vault` user called `Vault LDAP Lookup Cred` -- A credential called `Credential From HashiCorp Vault via LDAP Auth` which is of the created type using the `Vault LDAP Lookup Cred` to get the secret. - -And run it through AWX with the credential `Credential From HashiCorp Vault via LDAP Auth` tied to it, the debug should result in `this_is_the_ldap_secret_value`. - -The extremely non-obvious input is the fact that the fact prefixes "data/" unexpectedly. -This was discovered by inspecting the secret with the vault CLI, which may help with future troubleshooting. 
- -``` -docker exec -it -e VAULT_TOKEN=<token> tools_vault_1 vault kv get --address=http://127.0.0.1:1234 my_engine/my_root/my_folder -``` - - ### Prometheus and Grafana integration See docs at https://github.com/ansible/awx/blob/devel/tools/grafana/README.md diff --git a/tools/docker-compose/ansible/plumb_ldap.yml b/tools/docker-compose/ansible/plumb_ldap.yml deleted file mode 100644 index 56b3dcdbab..0000000000 --- a/tools/docker-compose/ansible/plumb_ldap.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -- name: Plumb an ldap instance - hosts: localhost - connection: local - gather_facts: False - vars: - awx_host: "https://localhost:8043" - tasks: - - name: Load existing and new LDAP settings - ansible.builtin.set_fact: - existing_ldap: "{{ lookup('awx.awx.controller_api', 'settings/ldap', host=awx_host, verify_ssl=false) }}" - new_ldap: "{{ lookup('template', 'ldap_settings.json.j2') }}" - - - name: Display existing LDAP configuration - ansible.builtin.debug: - msg: - - "Here is your existing LDAP configuration for reference:" - - "{{ existing_ldap }}" - - - ansible.builtin.pause: - prompt: "Continuing to run this will replace your existing ldap settings (displayed above). They will all be captured. Be sure that is backed up before continuing" - - - name: Write out the existing content - ansible.builtin.copy: - dest: "../_sources/existing_ldap_adapter_settings.json" - content: "{{ existing_ldap }}" - - - name: Configure AWX LDAP adapter - awx.awx.settings: - settings: "{{ new_ldap }}" - controller_host: "{{ awx_host }}" - validate_certs: False diff --git a/tools/docker-compose/ansible/roles/sources/defaults/main.yml b/tools/docker-compose/ansible/roles/sources/defaults/main.yml index 669f2cfe20..6bc1107580 100644 --- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml +++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml 
@@ -23,15 +23,6 @@ work_sign_public_keyfile: "{{ work_sign_key_dir }}/work_public_key.pem" # SSO variables enable_keycloak: false -enable_ldap: false -ldap_public_key_file_name: 'ldap.cert' -ldap_private_key_file_name: 'ldap.key' -ldap_cert_dir: '{{ sources_dest }}/ldap_certs' -ldap_diff_dir: '{{ sources_dest }}/ldap_diffs' -ldap_public_key_file: '{{ ldap_cert_dir }}/{{ ldap_public_key_file_name }}' -ldap_private_key_file: '{{ ldap_cert_dir }}/{{ ldap_private_key_file_name }}' -ldap_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN=" - # Hashicorp Vault enable_vault: false vault_tls: false diff --git a/tools/docker-compose/ansible/roles/sources/tasks/ldap.yml b/tools/docker-compose/ansible/roles/sources/tasks/ldap.yml deleted file mode 100644 index 1e0185a088..0000000000 --- a/tools/docker-compose/ansible/roles/sources/tasks/ldap.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- name: Create LDAP cert directory - file: - path: "{{ item }}" - state: directory - loop: - - "{{ ldap_cert_dir }}" - - "{{ ldap_diff_dir }}" - -- name: include vault vars - include_vars: "{{ hashivault_vars_file }}" - -- name: General LDAP cert - command: 'openssl req -new -x509 -days 365 -nodes -out {{ ldap_public_key_file }} -keyout {{ ldap_private_key_file }} -subj "{{ ldap_cert_subject }}"' - args: - creates: "{{ ldap_public_key_file }}" - -- name: Copy ldap.diff - ansible.builtin.template: - src: "ldap.ldif.j2" - dest: "{{ ldap_diff_dir }}/ldap.ldif" diff --git a/tools/docker-compose/ansible/roles/sources/tasks/main.yml b/tools/docker-compose/ansible/roles/sources/tasks/main.yml index 0f1149053e..5637f62546 100644 --- a/tools/docker-compose/ansible/roles/sources/tasks/main.yml +++ b/tools/docker-compose/ansible/roles/sources/tasks/main.yml 
@@ -97,10 +97,6 @@ creates: "{{ work_sign_public_keyfile }}" when: sign_work | bool -- name: Include LDAP tasks if enabled - include_tasks: ldap.yml - when: enable_ldap | bool - - name: Include vault TLS tasks if enabled include_tasks: vault_tls.yml when: enable_vault | bool diff --git a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 index a56f861fda..80f075ab41 100644 --- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 +++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 @@ -146,31 +146,6 @@ services: depends_on: - postgres {% endif %} -{% if enable_ldap|bool %} - ldap: - image: bitnami/openldap:2 - container_name: tools_ldap_1 - hostname: ldap - user: "{{ ansible_user_uid }}" - networks: - - awx - ports: - - "389:1389" - - "636:1636" - environment: - LDAP_ADMIN_USERNAME: admin - LDAP_ADMIN_PASSWORD: admin - LDAP_CUSTOM_LDIF_DIR: /opt/bitnami/openldap/ldiffs - LDAP_ENABLE_TLS: "yes" - LDAP_LDAPS_PORT_NUMBER: 1636 - LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/{{ ldap_public_key_file_name }} - LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/{{ ldap_public_key_file_name }} - LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/{{ ldap_private_key_file_name }} - volumes: - - 'openldap_data:/bitnami/openldap' - - '../../docker-compose/_sources/ldap_certs:/opt/bitnami/openldap/certs' - - '../../docker-compose/_sources/ldap_diffs:/opt/bitnami/openldap/ldiffs' -{% endif %} {% if enable_splunk|bool %} splunk: image: splunk/splunk:latest @@ -376,11 +351,6 @@ volumes: redis_socket_{{ container_postfix }}: name: tools_redis_socket_{{ container_postfix }} {% endfor -%} -{% if enable_ldap|bool %} - openldap_data: - name: tools_ldap_1 - driver: local -{% endif %} {% if enable_vault|bool %} hashicorp_vault_data: name: tools_vault_1 
diff --git a/tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2 b/tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2 deleted file mode 100644 index 9deaf836cd..0000000000 --- a/tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2 +++ /dev/null 
@@ -1,99 +0,0 @@ -dn: dc=example,dc=org -objectClass: dcObject -objectClass: organization -dc: example -o: example - -dn: ou=users,dc=example,dc=org -ou: users -objectClass: organizationalUnit - -dn: cn=awx_ldap_admin,ou=users,dc=example,dc=org -mail: admin@example.org -sn: LdapAdmin -cn: awx_ldap_admin -objectClass: top -objectClass: person -objectClass: organizationalPerson -objectClass: inetOrgPerson -userPassword: admin123 -givenName: awx - -dn: cn=awx_ldap_auditor,ou=users,dc=example,dc=org -mail: auditor@example.org -sn: LdapAuditor -cn: awx_ldap_auditor -objectClass: top -objectClass: person -objectClass: organizationalPerson -objectClass: inetOrgPerson -userPassword: audit123 -givenName: awx - -dn: cn=awx_ldap_unpriv,ou=users,dc=example,dc=org -mail: unpriv@example.org -sn: LdapUnpriv -cn: awx_ldap_unpriv -objectClass: top -objectClass: person -objectClass: organizationalPerson -objectClass: inetOrgPerson -givenName: awx -userPassword: unpriv123 - -dn: ou=groups,dc=example,dc=org -ou: groups -objectClass: top -objectClass: organizationalUnit - -dn: cn=awx_users,ou=groups,dc=example,dc=org -cn: awx_users -objectClass: top -objectClass: groupOfNames -member: cn=awx_ldap_admin,ou=users,dc=example,dc=org -member: cn=awx_ldap_auditor,ou=users,dc=example,dc=org -member: cn=awx_ldap_unpriv,ou=users,dc=example,dc=org -member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org - -dn: cn=awx_admins,ou=groups,dc=example,dc=org -cn: awx_admins -objectClass: top -objectClass: groupOfNames -member: cn=awx_ldap_admin,ou=users,dc=example,dc=org - -dn: cn=awx_auditors,ou=groups,dc=example,dc=org -cn: awx_auditors -objectClass: top -objectClass: groupOfNames -member: cn=awx_ldap_auditor,ou=users,dc=example,dc=org - -dn: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org -mail: org.admin@example.org -sn: LdapOrgAdmin -cn: awx_ldap_org_admin -objectClass: top -objectClass: person -objectClass: organizationalPerson -objectClass: inetOrgPerson -givenName: awx -userPassword: 
orgadmin123 - -dn: cn=awx_org_admins,ou=groups,dc=example,dc=org -cn: awx_org_admins -objectClass: top -objectClass: groupOfNames -member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org - -{% if enable_ldap|bool and enable_vault|bool %} -dn: cn={{ vault_ldap_username }},ou=users,dc=example,dc=org -changetype: add -mail: vault@example.org -sn: LdapVaultAdmin -cn: {{ vault_ldap_username }} -objectClass: top -objectClass: person -objectClass: organizationalPerson -objectClass: inetOrgPerson -userPassword: {{ vault_ldap_password }} -givenName: awx -{% endif %} diff --git a/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2 b/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2 index 42a5d56366..1be38f43e2 100644 --- a/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2 +++ b/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2 @@ -42,10 +42,6 @@ OPTIONAL_API_URLPATTERN_PREFIX = '{{ api_urlpattern_prefix }}' # Enable the following line to turn on database settings logging. # LOGGING['loggers']['awx.conf']['level'] = 'DEBUG' -# Enable the following lines to turn on LDAP auth logging. -# LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console'] -# LOGGING['loggers']['django_auth_ldap']['level'] = 'DEBUG' - {% if enable_otel|bool %} LOGGING['handlers']['otel'] |= { 'class': 'awx.main.utils.handlers.OTLPHandler', diff --git a/tools/docker-compose/ansible/roles/vault/defaults/main.yml b/tools/docker-compose/ansible/roles/vault/defaults/main.yml index 58e0153b7f..36feeb2868 100644 --- a/tools/docker-compose/ansible/roles/vault/defaults/main.yml +++ b/tools/docker-compose/ansible/roles/vault/defaults/main.yml 
@@ -5,8 +5,5 @@ vault_cert_dir: "{{ sources_dest }}/vault_certs" vault_server_cert: "{{ vault_cert_dir }}/server.crt" vault_client_cert: "{{ vault_cert_dir }}/client.crt" vault_client_key: "{{ vault_cert_dir }}/client.key" -ldap_ldif: "{{ sources_dest }}/ldap.ldifs/ldap.ldif" -vault_ldap_username: "awx_ldap_vault" -vault_ldap_password: "vault123" vault_userpass_username: "awx_userpass_admin" vault_userpass_password: "userpass123" diff --git a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml index 8c7230c6d1..ac7d60b8ec 100644 --- a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml +++ b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml 
@@ -92,74 +92,6 @@ validate_certs: false token: "{{ Initial_Root_Token }}" - - name: Configure the vault ldap auth - block: - - name: Create ldap auth mount - flowerysong.hvault.write: - path: "sys/auth/ldap" - vault_addr: "{{ vault_addr_from_host }}" - validate_certs: false - token: "{{ Initial_Root_Token }}" - data: - type: "ldap" - register: vault_auth_ldap - changed_when: vault_auth_ldap.result.errors | default([]) | length == 0 - failed_when: - - vault_auth_ldap.result.errors | default([]) | length > 0 - - "'path is already in use at ldap/' not in vault_auth_ldap.result.errors | default([])" - - - name: Create ldap engine - flowerysong.hvault.engine: - path: "ldap_engine" - type: "kv" - vault_addr: "{{ vault_addr_from_host }}" - validate_certs: false - token: "{{ Initial_Root_Token }}" - - - name: Create a ldap secret - flowerysong.hvault.kv: - mount_point: "ldap_engine/ldaps_root" - key: "ldap_secret" - value: - my_key: "this_is_the_ldap_secret_value" - vault_addr: "{{ vault_addr_from_host }}" - validate_certs: false - token: "{{ Initial_Root_Token }}" - - - name: Configure ldap auth - flowerysong.hvault.ldap_config: - vault_addr: "{{ vault_addr_from_host }}" - validate_certs: false - token: "{{ Initial_Root_Token }}" - url: "ldap://ldap:1389" - binddn: "cn=awx_ldap_vault,ou=users,dc=example,dc=org" - bindpass: "vault123" - userdn: "ou=users,dc=example,dc=org" - deny_null_bind: "false" - discoverdn: "true" - - - name: Create ldap access policy - flowerysong.hvault.policy: - vault_addr: "{{ vault_addr_from_host }}" - validate_certs: false - token: "{{ Initial_Root_Token }}" - name: "ldap_engine" - policy: - ldap_engine/*: [create, read, update, delete, list] - sys/mounts:/*: [create, read, update, delete, list] - sys/mounts: [read] - - - name: Add awx_ldap_vault user to auth_method - flowerysong.hvault.ldap_user: - vault_addr: "{{ vault_addr_from_host }}" - validate_certs: false - token: "{{ Initial_Root_Token }}" - state: present - name: "{{ 
vault_ldap_username }}" - policies: - - "ldap_engine" - when: enable_ldap | bool - - name: Create userpass engine flowerysong.hvault.engine: path: "userpass_engine" diff --git a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml index 0e87daef6f..f3fc709b84 100644 --- a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml +++ b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml 
@@ -78,56 +78,6 @@ secret_path: "/my_root/my_folder" secret_version: "" -- name: Create a HashiCorp Vault Credential for LDAP - awx.awx.credential: - credential_type: HashiCorp Vault Secret Lookup - name: Vault LDAP Lookup Cred - organization: Default - controller_host: "{{ awx_host }}" - controller_username: admin - controller_password: "{{ admin_password }}" - validate_certs: false - inputs: - api_version: "v1" - default_auth_path: "ldap" - kubernetes_role: "" - namespace: "" - url: "{{ vault_addr_from_container }}" - username: "{{ vault_ldap_username }}" - password: "{{ vault_ldap_password }}" - register: vault_ldap_cred - when: enable_ldap | bool - -- name: Create a credential from the Vault LDAP Custom Cred Type - awx.awx.credential: - credential_type: "{{ custom_vault_cred_type.id }}" - controller_host: "{{ awx_host }}" - controller_username: admin - controller_password: "{{ admin_password }}" - validate_certs: false - name: Credential From HashiCorp Vault via LDAP Auth - inputs: {} - organization: Default - register: custom_credential_via_ldap - when: enable_ldap | bool - -- name: Use the Vault LDAP Credential the new credential - awx.awx.credential_input_source: - input_field_name: password - target_credential: "{{ custom_credential_via_ldap.id }}" - source_credential: "{{ vault_ldap_cred.id }}" - controller_host: "{{ awx_host }}" - controller_username: admin - controller_password: "{{ admin_password }}" - validate_certs: false - metadata: - auth_path: "" - secret_backend: "ldap_engine" - secret_key: "my_key" - secret_path: "ldaps_root/ldap_secret" - secret_version: "" - when: enable_ldap | bool - - name: Create a HashiCorp Vault Credential for UserPass awx.awx.credential: credential_type: HashiCorp Vault Secret Lookup diff --git a/tools/docker-compose/ansible/templates/ldap_settings.json.j2 b/tools/docker-compose/ansible/templates/ldap_settings.json.j2 deleted file mode 100644 index 793270d7c9..0000000000 
--- a/tools/docker-compose/ansible/templates/ldap_settings.json.j2 +++ /dev/null @@ -1,52 +0,0 @@ -{ - "AUTH_LDAP_1_SERVER_URI": "ldap://ldap:1389", - "AUTH_LDAP_1_BIND_DN": "cn=admin,dc=example,dc=org", - "AUTH_LDAP_1_BIND_PASSWORD": "admin", - "AUTH_LDAP_1_START_TLS": false, - "AUTH_LDAP_1_CONNECTION_OPTIONS": { - "OPT_REFERRALS": 0, - "OPT_NETWORK_TIMEOUT": 30 - }, - "AUTH_LDAP_1_USER_SEARCH": [ - "ou=users,dc=example,dc=org", - "SCOPE_SUBTREE", - "(cn=%(user)s)" - ], - "AUTH_LDAP_1_USER_DN_TEMPLATE": "cn=%(user)s,ou=users,dc=example,dc=org", - "AUTH_LDAP_1_USER_ATTR_MAP": { - "first_name": "givenName", - "last_name": "sn", - "email": "mail" - }, - "AUTH_LDAP_1_GROUP_SEARCH": [ - "ou=groups,dc=example,dc=org", - "SCOPE_SUBTREE", - "(objectClass=groupOfNames)" - ], - "AUTH_LDAP_1_GROUP_TYPE": "MemberDNGroupType", - "AUTH_LDAP_1_GROUP_TYPE_PARAMS": { - "member_attr": "member", - "name_attr": "cn" - }, - "AUTH_LDAP_1_REQUIRE_GROUP": "cn=awx_users,ou=groups,dc=example,dc=org", - "AUTH_LDAP_1_DENY_GROUP": null, - "AUTH_LDAP_1_USER_FLAGS_BY_GROUP": { - "is_superuser": [ - "cn=awx_admins,ou=groups,dc=example,dc=org" - ], - "is_system_auditor": [ - "cn=awx_auditors,ou=groups,dc=example,dc=org" - ] - }, - "AUTH_LDAP_1_ORGANIZATION_MAP": { - "LDAP Organization": { - "users": true, - "remove_admins": false, - "remove_users": true, - "admins": [ - "cn=awx_org_admins,ou=groups,dc=example,dc=org" - ] - } - }, - "AUTH_LDAP_1_TEAM_MAP": {} -} |
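Review bot: Removing `openldap-devel` from the build stage in the first Dockerfile.j2 hunk (`@@ -44,7 +44,6 @@`) is only safe if `django-auth-ldap` and its `python-ldap` dependency leave the Python requirements in the same PR, because python-ldap compiles against the OpenLDAP headers this package provides. Those requirement files live outside `tools/` and are not in this filtered diffstat, so confirm they are updated alongside this change; otherwise the `pip install` step of the image build fails on python-ldap.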
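Review bot: Dropping the pinned `"openldap >= 2.6.2-3"` runtime package in the second Dockerfile.j2 hunk (`@@ -127,7 +126,6 @@`) does not by itself guarantee libldap is out of the final image: `dnf` will still pull it in transitively if any other installed package depends on it. If reducing the installed package set is part of the goal, verify with `rpm -q openldap openldap-devel` in the built image and record the result in the PR; if the library remains as a transitive dependency, note that the version floor the pin used to enforce is now gone as well.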
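Review bot: The README hunk at `@@ -575,53 +539,6 @@` deletes two pieces of troubleshooting guidance together with the LDAP section that are not LDAP-specific: the remark that the KV lookup unexpectedly prefixes `data/` to the secret path, and the `docker exec -it -e VAULT_TOKEN=<token> tools_vault_1 vault kv get ...` command used to inspect a secret with the Vault CLI. Both apply equally to the remaining `Credential From Vault via Token Auth` and `Credential From Vault via Userpass Auth` flows, so move them up into the general HashiVault section instead of removing them.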
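Review bot: With `enable_ldap` removed from `roles/sources/defaults/main.yml`, any remaining `enable_ldap | bool` evaluation would raise an undefined-variable error. This diff removes the consumers visible under `tools/` (`sources/tasks/main.yml`, both `{% if enable_ldap|bool %}` blocks in `docker-compose.yml.j2`, `ldap.ldif.j2`, `vault/tasks/initialize.yml`, `vault/tasks/plumb.yml`), but the `LDAP=true make docker-compose` entry point documented in the removed README section suggests a Makefile target or wrapper maps `LDAP` to the `enable_ldap` extra var. That file is outside `tools/` and not in this diffstat, so confirm the mapping is removed too rather than left passing a dead variable.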
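Review bot: Removing the `openldap_data` volume definition (`name: tools_ldap_1`) in the second docker-compose.yml.j2 hunk (`@@ -376,11 +351,6 @@`) does not remove that volume from developer hosts where it already exists; a named volume survives `docker compose down` unless `-v` is passed, and this one holds the directory database seeded from `ldap.ldif.j2`, including the test accounts and their plaintext `userPassword` values. Worth a line in the commit message or the docker-compose README telling developers to remove the `tools_ldap_1` container and run `docker volume rm tools_ldap_1` after pulling this change.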
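Review bot: Removing the `Configure the vault ldap auth` block in `roles/vault/tasks/initialize.yml` also removes the one place that configured Vault's LDAP auth method with `deny_null_bind: "false"` and with `binddn`/`bindpass: "vault123"` hard-coded in the task instead of taken from `vault_ldap_username`/`vault_ldap_password`, which the neighbouring `ldap_user` task does use. Nothing further to change in this hunk, but if Vault LDAP auth is ever reintroduced, keep Vault's default `deny_null_bind=true` (an anonymous bind must never count as authentication) and reference the role variables so the bind credential is defined in a single place.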