diff --git a/Makefile b/Makefile index 968db81d57..bc4a6589f8 100644 --- a/Makefile +++ b/Makefile @@ -13,6 +13,8 @@ COMPOSE_TAG ?= $(GIT_BRANCH) MAIN_NODE_TYPE ?= hybrid # If set to true docker-compose will also start a keycloak instance KEYCLOAK ?= false +# If set to true docker-compose will also start an ldap instance +LDAP ?= false VENV_BASE ?= /var/lib/awx/venv @@ -462,7 +464,8 @@ docker-compose-sources: .git/hooks/pre-commit -e control_plane_node_count=$(CONTROL_PLANE_NODE_COUNT) \ -e execution_node_count=$(EXECUTION_NODE_COUNT) \ -e minikube_container_group=$(MINIKUBE_CONTAINER_GROUP) \ - -e enable_keycloak=$(KEYCLOAK) + -e enable_keycloak=$(KEYCLOAK) \ + -e enable_ldap=$(LDAP) docker-compose: awx/projects docker-compose-sources diff --git a/tools/docker-compose/README.md b/tools/docker-compose/README.md index 885faf1b06..c58d11b3f7 100644 --- a/tools/docker-compose/README.md +++ b/tools/docker-compose/README.md @@ -244,6 +244,7 @@ $ make docker-compose - [Start a Cluster](#start-a-cluster) - [Start with Minikube](#start-with-minikube) - [Keycloak Integration](#keycloak-integration) +- [OpenLDAP Integration](#openldap-integration) ### Start a Shell @@ -390,3 +391,39 @@ Once the playbook is done running SAML should now be setup in your development e 3. awx_auditor:audit123 The first account is a normal user. The second account has the attribute is_superuser set in Keycloak so will be a super user in AWX. The third account has the is_system_auditor attribute in Keycloak so it will be a system auditor in AWX. To log in with one of these Keycloak users go to the AWX login screen and click the small "Sign In With SAML Keycloak" button at the bottom of the login box. + +### OpenLDAP Integration + +OpenLDAP is an LDAP provider that can be used to test AWX with LDAP integration. This section describes how to build a reference OpenLDAP instance and plumb it with your AWX for testing purposes. + +First, be sure that you have the awx.awx collection installed by running `make install_collection`. + +Anytime you want to run an OpenLDAP instance alongside AWX we can start docker-compose with the LDAP option to get an LDAP instance with the command: +```bash +LDAP=true make docker-compose +``` + +Once the containers come up two new ports (389, 636) should be exposed and the LDAP server should be running on those ports. The first port (389) is non-SSL and the second port (636) is SSL enabled. + +Now we are ready to configure and plumb OpenLDAP with AWX. To do this we have provided a playbook which will: +* Backup and configure the LDAP adapter in AWX. NOTE: this will back up your existing settings but the password fields can not be backuped through the API, you need a DB backup to recover this. + +Note: The default configuration will utilize the non-tls connection. If you want to use the tls configuration you will need to work through TLS negotiation issues because the LDAP server is using a self signed certificate. + +Before we can run the playbook we need to understand that LDAP will be communicated to from within the AWX container. Because of this, we have to tell AWX how to route traffic to the LDAP container through the `LDAP Server URI` settings. The playbook requires a variable called container_reference to be set. The container_reference variable needs to be how your AWX container will be able to talk to the LDAP container. See the SAML section for some examples for how to select a `container_reference`. + +Once you have your container reference you can run the playbook like: +```bash +export CONTROLLER_USERNAME= +export CONTROLLER_PASSWORD= +ansible-playbook tools/docker-compose/ansible/plumb_ldap.yml -e container_reference= +``` + + +Once the playbook is done running LDAP should now be setup in your development environment. This realm has four users with the following username/passwords: +1. awx_ldap_unpriv:unpriv123 +2. awx_ldap_admin:admin123 +3. awx_ldap_auditor:audit123 +4. awx_ldap_org_admin:orgadmin123 + +The first account is a normal user. The second account will be a super user in AWX. The third account will be a system auditor in AWX. The fourth account is an org admin. All users belong to an org called "LDAP Organization". To log in with one of these users go to the AWX login screen enter the username/password. diff --git a/tools/docker-compose/ansible/plumb_ldap.yml b/tools/docker-compose/ansible/plumb_ldap.yml new file mode 100644 index 0000000000..061f450804 --- /dev/null +++ b/tools/docker-compose/ansible/plumb_ldap.yml @@ -0,0 +1,32 @@ +--- +- name: Plumb an ldap instance + hosts: localhost + connection: local + gather_facts: False + vars: + awx_host: "https://localhost:8043" + tasks: + - name: Load existing and new LDAP settings + set_fact: + existing_ldap: "{{ lookup('awx.awx.controller_api', 'settings/ldap', host=awx_host, verify_ssl=false) }}" + new_ldap: "{{ lookup('template', 'ldap_settings.json.j2') }}" + + - name: Display existing LDAP configuration + debug: + msg: + - "Here is your existing LDAP configuration for reference:" + - "{{ existing_ldap }}" + + - pause: + prompt: "Continuing to run this will replace your existing ldap settings (displayed above). They will all be captured. Be sure that is backed up before continuing" + + - name: Write out the existing content + copy: + dest: "../_sources/existing_ldap_adapter_settings.json" + content: "{{ existing_ldap }}" + + - name: Configure AWX LDAP adapter + awx.awx.settings: + settings: "{{ new_ldap }}" + controller_host: "{{ awx_host }}" + validate_certs: False diff --git a/tools/docker-compose/ansible/roles/sources/defaults/main.yml b/tools/docker-compose/ansible/roles/sources/defaults/main.yml index df035384c7..c0cdb12b7f 100644 --- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml +++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml @@ -18,3 +18,12 @@ work_sign_private_keyfile: "{{ work_sign_key_dir }}/work_private_key.pem" work_sign_public_keyfile: "{{ work_sign_key_dir }}/work_public_key.pem" enable_keycloak: false + +enable_ldap: false +ldap_public_key_file_name: 'ldap.cert' +ldap_private_key_file_name: 'ldap.key' +ldap_cert_dir: '{{ sources_dest }}/ldap_certs' +ldap_diff_dir: '{{ sources_dest }}/ldap_diffs' +ldap_public_key_file: '{{ ldap_cert_dir }}/{{ ldap_public_key_file_name }}' +ldap_private_key_file: '{{ ldap_cert_dir }}/{{ ldap_private_key_file_name }}' +ldap_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN=" diff --git a/tools/docker-compose/ansible/roles/sources/files/ldap.ldif b/tools/docker-compose/ansible/roles/sources/files/ldap.ldif new file mode 100644 index 0000000000..4812fff01e --- /dev/null +++ b/tools/docker-compose/ansible/roles/sources/files/ldap.ldif @@ -0,0 +1,86 @@ +dn: dc=example,dc=org +objectClass: dcObject +objectClass: organization +dc: example +o: example + +dn: ou=users,dc=example,dc=org +ou: users +objectClass: organizationalUnit + +dn: cn=awx_ldap_admin,ou=users,dc=example,dc=org +mail: admin@example.org +sn: LdapAdmin +cn: awx_ldap_admin +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +userPassword: admin123 +givenName: awx + +dn: cn=awx_ldap_auditor,ou=users,dc=example,dc=org +mail: auditor@example.org +sn: LdapAuditor +cn: awx_ldap_auditor +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +userPassword: audit123 +givenName: awx + +dn: cn=awx_ldap_unpriv,ou=users,dc=example,dc=org +mail: unpriv@example.org +sn: LdapUnpriv +cn: awx_ldap_unpriv +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +givenName: awx +userPassword: unpriv123 + +dn: ou=groups,dc=example,dc=org +ou: groups +objectClass: top +objectClass: organizationalUnit + +dn: cn=awx_users,ou=groups,dc=example,dc=org +cn: awx_users +objectClass: top +objectClass: groupOfNames +member: cn=awx_ldap_admin,ou=users,dc=example,dc=org +member: cn=awx_ldap_auditor,ou=users,dc=example,dc=org +member: cn=awx_ldap_unpriv,ou=users,dc=example,dc=org +member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org + +dn: cn=awx_admins,ou=groups,dc=example,dc=org +cn: awx_admins +objectClass: top +objectClass: groupOfNames +member: cn=awx_ldap_admin,ou=users,dc=example,dc=org + +dn: cn=awx_auditors,ou=groups,dc=example,dc=org +cn: awx_auditors +objectClass: top +objectClass: groupOfNames +member: cn=awx_ldap_auditor,ou=users,dc=example,dc=org + +dn: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org +mail: org.admin@example.org +sn: LdapOrgAdmin +cn: awx_ldap_org_admin +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: inetOrgPerson +givenName: awx +userPassword: orgadmin123 + +dn: cn=awx_org_admins,ou=groups,dc=example,dc=org +cn: awx_org_admins +objectClass: top +objectClass: groupOfNames +member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org + diff --git a/tools/docker-compose/ansible/roles/sources/tasks/ldap.yml b/tools/docker-compose/ansible/roles/sources/tasks/ldap.yml new file mode 100644 index 0000000000..ea46ec3afa --- /dev/null +++ b/tools/docker-compose/ansible/roles/sources/tasks/ldap.yml @@ -0,0 +1,18 @@ +--- +- name: Create LDAP cert directory + file: + path: "{{ item }}" + state: directory + loop: + - "{{ ldap_cert_dir }}" + - "{{ ldap_diff_dir }}" + +- name: General LDAP cert + command: 'openssl req -new -x509 -days 365 -nodes -out {{ ldap_public_key_file }} -keyout {{ ldap_private_key_file }} -subj "{{ ldap_cert_subject }}"' + args: + creates: "{{ ldap_public_key_file }}" + +- name: Copy ldap.diff + copy: + src: "ldap.ldif" + dest: "{{ ldap_diff_dir }}/ldap.ldif" diff --git a/tools/docker-compose/ansible/roles/sources/tasks/main.yml b/tools/docker-compose/ansible/roles/sources/tasks/main.yml index c7771d6b74..05b5b9facf 100644 --- a/tools/docker-compose/ansible/roles/sources/tasks/main.yml +++ b/tools/docker-compose/ansible/roles/sources/tasks/main.yml @@ -91,6 +91,10 @@ args: creates: "{{ work_sign_public_keyfile }}" +- name: Include LDAP tasks if enabled + include_tasks: ldap.yml + when: enable_ldap | bool + - name: Render Docker-Compose template: src: docker-compose.yml.j2 diff --git a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 index eaf2c20efe..0406b291cc 100644 --- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 +++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 @@ -99,6 +99,29 @@ services: DB_PASSWORD: {{ pg_password }} depends_on: - postgres +{% endif %} +{% if enable_ldap|bool %} + ldap: + image: bitnami/openldap:2 + container_name: tools_ldap_1 + hostname: ldap + user: "{{ ansible_user_uid }}" + ports: + - "389:1389" + - "636:1636" + environment: + LDAP_ADMIN_USERNAME: admin + LDAP_ADMIN_PASSWORD: admin + LDAP_CUSTOM_LDIF_DIR: /opt/bitnami/openldap/ldiffs + LDAP_ENABLE_TLS: "yes" + LDAP_LDAPS_PORT_NUMBER: 1636 + LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/{{ ldap_public_key_file_name }} + LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/{{ ldap_public_key_file_name }} + LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/{{ ldap_private_key_file_name }} + volumes: + - 'openldap_data:/bitnami/openldap' + - '../../docker-compose/_sources/ldap_certs:/opt/bitnami/openldap/certs' + - '../../docker-compose/_sources/ldap_diffs:/opt/bitnami/openldap/ldiffs' {% endif %} # A useful container that simply passes through log messages to the console # helpful for testing awx/tower logging @@ -157,6 +180,11 @@ volumes: redis_socket_{{ container_postfix }}: name: tools_redis_socket_{{ container_postfix }} {% endfor -%} +{% if enable_ldap %} + openldap_data: + name: tools_ldap_1 + driver: local +{% endif %} {% if minikube_container_group|bool %} networks: default: diff --git a/tools/docker-compose/ansible/templates/ldap_settings.json.j2 b/tools/docker-compose/ansible/templates/ldap_settings.json.j2 new file mode 100644 index 0000000000..8dc07b2c88 --- /dev/null +++ b/tools/docker-compose/ansible/templates/ldap_settings.json.j2 @@ -0,0 +1,52 @@ +{ + "AUTH_LDAP_1_SERVER_URI": "ldap://{{ container_reference }}:389", + "AUTH_LDAP_1_BIND_DN": "cn=admin,dc=example,dc=org", + "AUTH_LDAP_1_BIND_PASSWORD": "admin", + "AUTH_LDAP_1_START_TLS": false, + "AUTH_LDAP_1_CONNECTION_OPTIONS": { + "OPT_REFERRALS": 0, + "OPT_NETWORK_TIMEOUT": 30 + }, + "AUTH_LDAP_1_USER_SEARCH": [ + "ou=users,dc=example,dc=org", + "SCOPE_SUBTREE", + "(cn=%(user)s)" + ], + "AUTH_LDAP_1_USER_DN_TEMPLATE": "cn=%(user)s,ou=users,dc=example,dc=org", + "AUTH_LDAP_1_USER_ATTR_MAP": { + "first_name": "givenName", + "last_name": "sn", + "email": "mail" + }, + "AUTH_LDAP_1_GROUP_SEARCH": [ + "ou=groups,dc=example,dc=org", + "SCOPE_SUBTREE", + "(objectClass=groupOfNames)" + ], + "AUTH_LDAP_1_GROUP_TYPE": "MemberDNGroupType", + "AUTH_LDAP_1_GROUP_TYPE_PARAMS": { + "member_attr": "member", + "name_attr": "cn" + }, + "AUTH_LDAP_1_REQUIRE_GROUP": "cn=awx_users,ou=groups,dc=example,dc=org", + "AUTH_LDAP_1_DENY_GROUP": null, + "AUTH_LDAP_1_USER_FLAGS_BY_GROUP": { + "is_superuser": [ + "cn=awx_admins,ou=groups,dc=example,dc=org" + ], + "is_system_auditor": [ + "cn=awx_auditors,ou=groups,dc=example,dc=org" + ] + }, + "AUTH_LDAP_1_ORGANIZATION_MAP": { + "LDAP Organization": { + "users": true, + "remove_admins": false, + "remove_users": true, + "admins": [ + "cn=awx_org_admins,ou=groups,dc=example,dc=org" + ] + } + }, + "AUTH_LDAP_1_TEAM_MAP": {} +}