AWX/LDAP: Difference between revisions

LDAP USER SEARCH

[
"OU=Users,DC=website,DC=com",
"SCOPE_SUBTREE",
"(cn=%(user)s)"
]

The first line specifies where to search for users in the LDAP tree.

The second line specifies the scope where the users should be searched:

SCOPE_BASE: This value is used to indicate searching only the entry at the base DN, resulting in only that entry being returned

SCOPE_ONELEVEL: This value is used to indicate searching all entries one level under the base DN - but not including the base DN and not including any entries under that one level under the base DN.

SCOPE_SUBTREE: This value is used to indicate searching of all entries at all levels under and including the specified base DN.

The third line specifies the key name where the user name is stored.

==

AWX Settings

LDAP Server URI:  ldaps://ldap.example.com:636
LDAP Bind Password:  XXXX
LDAP Group Type:  MemberDNGroupType
LDAP Start TLS:  On
LDAP Bind DN:  CN=awx-service-account,OU=STD,OU=ServiceAccts,OU=UsersAndGroups,OU=Accounts,DC=ad,DC=example,DC=com
LDAP User DN Template:  
LDAP Require Group:  {}
LDAP Deny Group:  {}
LDAP User Search:  {}
LDAP Group Search:  {}
LDAP User Attribute Map:  {}
LDAP Group Type Parameters:  {}
LDAP User Flags By Group:  {}
LDAP Organization Map:  {}
LDAP Team Map:  {}

AWX Field Details

• LDAP Server URI - URI to connect to LDAP server, such as "ldap://ldap.example.com:389" (non-SSL) or "ldaps://ldap.example.com:636" (SSL). Multiple LDAP servers may be specified by separating with spaces or commas. LDAP authentication is disabled if this parameter is empty.
  • Default: ""
• LDAP Bind Password - Password used to bind LDAP user account.
  • Default: ""
• LDAP Group Type - The group type may need to be changed based on the type of the LDAP server. Values are listed at: https://django-auth-ldap.readthedocs.io/en/stable/groups.html#types-of-groups
  • Default: MemberDNGroupType
• LDAP Start TLS (On/Off) - Whether to enable TLS when the LDAP connection is not using SSL.
  • Default: Off
• LDap Bind DN - DN (Distinguished Name) of user to bind for all search queries. This is the system user account we will use to login to query LDAP for other user information. Refer to the documentation for example syntax.
  • Default: ""
• LDAP User DN Template - Alternative to user search, if user DNs are all of the same format. This approach is more efficient for user lookups than searching if it is usable in your organizational environment. If this setting has a value it will be used instead of AUTH_LDAP_USER_SEARCH.
  • Default: "" / uid=%(user)s,OU=Users,DC=example,DC=com
• LDAP Require Group - Group DN required to login. If specified, user must be a member of this group to login via LDAP. If not set, everyone in LDAP that matches the user search will be able to login to the service. Only one require group is supported.
  • Default: "" / CN=Service Users,OU=Users,DC=example,DC=com
• LDAP Deny Group - Group DN denied from login. If specified, user will not be allowed to login if a member of this group. Only one deny group is supported.
  • Default: "" / CN=Disabled Users,OU=Users,DC=example,DC=com
• LDAP User Search - LDAP search query to find users. Any user that matches the given pattern will be able to login to the service. The user should also be mapped into an organization (as defined in the AUTH_LDAP_ORGANIZATION_MAP setting). If multiple search queries need to be supported use of "LDAPUnion" is possible. See the documentation for details.
  • Default: []
• LDAP Group Search - Users are mapped to organizations based on their membership in LDAP groups. This setting defines the LDAP search query to find groups. Unlike the user search, group search does not support LDAPSearchUnion.
  • Default: []
• LDAP User Attribute Map - Mapping of LDAP user schema to API user attributes. The default setting is valid for ActiveDirectory but users with other LDAP configurations may need to change the values. Refer to the documentation for additional details.
  • Default: {}
• LDAP Group Type Parameters - Key value parameters to send the chosen group type init method.
  • Default: { "member_attr": "member", "name_attr": "cn" }
• LDAP User Flags By Group - Retrieve users from a given group. At this time, superuser and system auditors are the only groups supported. Refer to the documentation for more detail.
  • Default: {}
• LDAP Organization Map - Mapping between organization admins/users and LDAP groups. This controls which users are placed into which organizations relative to their LDAP group memberships. Configuration details are available in the documentation.
  • Default: {}
• LDAP Team Map - Mapping between team members (users) and LDAP groups. Configuration details are available in the documentation.
  • Default: {}

Binding to LDAP/Active Directory Self Service

Binding to LDAP/Active Directory Self Service
https://sharedspace.sharepoint.com/sites/SpinCoApplicationMigration/SitePages/App-Migration-Self-Service-Instructions.aspx#binding-to-ldap-active-directory

LDAP/Active Directory endpoint:

• Make sure to use TCP port 636, and not 389
• If your server is not joined to the corp.sandisk.com Active Directory domain, you need to install the CORP certificate root chain.
• Primary
  • LDAPS://uls-ap-dcc72.corp.sandisk.com:636
• Secondary
  • LDAPS://uls-ap-dcc73.corp.sandisk.com:636
• User ID:
  • <service account ID> (Distinguished Name format may be required)
• Password:
  • <your service account password>
• Connection protocol:
  • SSL/TLS

Search scope for Users and Groups:
  OU=UsersAndGroups,OU=Accounts,DC=corp,DC=sandisk,DC=com

Search scope for Users only:
  OU=StdUsers,OU=UsersAndGroups,OU=Accounts,DC=corp,DC=sandisk,DC=com

Search scope for Groups only:
  OU=Groups,OU=UsersAndGroups,OU=Accounts,DC=corp,DC=sandisk,DC=com

keywords