Remove LDAP authentication (#15546)

Remove LDAP authentication from AWX
2026-01-31 17:18:59 -03:30 · 2024-10-02 15:40:16 +02:00
parent 6dea7bfe17
commit f22b192fb4
67 changed files with 172 additions and 2813 deletions
--- a/tools/docker-compose/ansible/plumb_ldap.yml
+++ b/tools/docker-compose/ansible/plumb_ldap.yml
@@ -1,32 +0,0 @@
---
- name: Plumb an ldap instance
-  hosts: localhost
-  connection: local
-  gather_facts: False
-  vars:
-    awx_host: "https://localhost:8043"
-  tasks:
-    - name: Load existing and new LDAP settings
-      ansible.builtin.set_fact:
-        existing_ldap: "{{ lookup('awx.awx.controller_api', 'settings/ldap', host=awx_host, verify_ssl=false) }}"
-        new_ldap: "{{ lookup('template', 'ldap_settings.json.j2') }}"
-
-    - name: Display existing LDAP configuration
-      ansible.builtin.debug:
-        msg:
-          - "Here is your existing LDAP configuration for reference:"
-          - "{{ existing_ldap }}"
-
-    - ansible.builtin.pause:
-        prompt: "Continuing to run this will replace your existing ldap settings (displayed above). They will all be captured. Be sure that is backed up before continuing"
-
-    - name: Write out the existing content
-      ansible.builtin.copy:
-        dest: "../_sources/existing_ldap_adapter_settings.json"
-        content: "{{ existing_ldap }}"
-
-    - name: Configure AWX LDAP adapter
-      awx.awx.settings:
-        settings: "{{ new_ldap }}"
-        controller_host: "{{ awx_host }}"
-        validate_certs: False
--- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
@@ -23,15 +23,6 @@ work_sign_public_keyfile: "{{ work_sign_key_dir }}/work_public_key.pem"
 # SSO variables
 enable_keycloak: false

-enable_ldap: false
-ldap_public_key_file_name: 'ldap.cert'
-ldap_private_key_file_name: 'ldap.key'
-ldap_cert_dir: '{{ sources_dest }}/ldap_certs'
-ldap_diff_dir: '{{ sources_dest }}/ldap_diffs'
-ldap_public_key_file: '{{ ldap_cert_dir }}/{{ ldap_public_key_file_name }}'
-ldap_private_key_file: '{{ ldap_cert_dir }}/{{ ldap_private_key_file_name }}'
-ldap_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN="
-
 # Hashicorp Vault
 enable_vault: false
 vault_tls: false
--- a/tools/docker-compose/ansible/roles/sources/tasks/ldap.yml
+++ b/tools/docker-compose/ansible/roles/sources/tasks/ldap.yml
@@ -1,21 +0,0 @@
---
- name: Create LDAP cert directory
-  file:
-    path: "{{ item }}"
-    state: directory
-  loop:
-    - "{{ ldap_cert_dir }}"
-    - "{{ ldap_diff_dir }}"
-
- name: include vault vars
-  include_vars: "{{ hashivault_vars_file }}"
-
- name: General LDAP cert
-  command: 'openssl req -new -x509 -days 365 -nodes -out {{ ldap_public_key_file }} -keyout {{ ldap_private_key_file }} -subj "{{ ldap_cert_subject }}"'
-  args:
-    creates: "{{ ldap_public_key_file }}"
-
- name: Copy ldap.diff
-  ansible.builtin.template:
-    src: "ldap.ldif.j2"
-    dest: "{{ ldap_diff_dir }}/ldap.ldif"
--- a/tools/docker-compose/ansible/roles/sources/tasks/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/tasks/main.yml
@@ -97,10 +97,6 @@
    creates: "{{ work_sign_public_keyfile }}"
  when: sign_work | bool

- name: Include LDAP tasks if enabled
-  include_tasks: ldap.yml
-  when: enable_ldap | bool
-
 - name: Include vault TLS tasks if enabled
  include_tasks: vault_tls.yml
  when: enable_vault | bool
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@@ -146,31 +146,6 @@ services:
    depends_on:
      - postgres
 {% endif %}
-{% if enable_ldap|bool %}
-  ldap:
-    image: bitnami/openldap:2
-    container_name: tools_ldap_1
-    hostname: ldap
-    user: "{{ ansible_user_uid }}"
-    networks:
-      - awx
-    ports:
-      - "389:1389"
-      - "636:1636"
-    environment:
-      LDAP_ADMIN_USERNAME: admin
-      LDAP_ADMIN_PASSWORD: admin
-      LDAP_CUSTOM_LDIF_DIR: /opt/bitnami/openldap/ldiffs
-      LDAP_ENABLE_TLS: "yes"
-      LDAP_LDAPS_PORT_NUMBER: 1636
-      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/{{ ldap_public_key_file_name }}
-      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/{{ ldap_public_key_file_name }}
-      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/{{ ldap_private_key_file_name }}
-    volumes:
-      - 'openldap_data:/bitnami/openldap'
-      - '../../docker-compose/_sources/ldap_certs:/opt/bitnami/openldap/certs'
-      - '../../docker-compose/_sources/ldap_diffs:/opt/bitnami/openldap/ldiffs'
-{% endif %}
 {% if enable_splunk|bool %}
  splunk:
    image: splunk/splunk:latest
@@ -376,11 +351,6 @@ volumes:
  redis_socket_{{ container_postfix }}:
    name: tools_redis_socket_{{ container_postfix }}
 {% endfor -%}
-{% if enable_ldap|bool %}
-  openldap_data:
-    name: tools_ldap_1
-    driver: local
-{% endif %}
 {% if enable_vault|bool %}
  hashicorp_vault_data:
    name: tools_vault_1
--- a/tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2
@@ -1,99 +0,0 @@
-dn: dc=example,dc=org
-objectClass: dcObject
-objectClass: organization
-dc: example
-o: example
-
-dn: ou=users,dc=example,dc=org
-ou: users
-objectClass: organizationalUnit
-
-dn: cn=awx_ldap_admin,ou=users,dc=example,dc=org
-mail: admin@example.org
-sn: LdapAdmin
-cn: awx_ldap_admin
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-userPassword: admin123
-givenName: awx
-
-dn: cn=awx_ldap_auditor,ou=users,dc=example,dc=org
-mail: auditor@example.org
-sn: LdapAuditor
-cn: awx_ldap_auditor
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-userPassword: audit123
-givenName: awx
-
-dn: cn=awx_ldap_unpriv,ou=users,dc=example,dc=org
-mail: unpriv@example.org
-sn: LdapUnpriv
-cn: awx_ldap_unpriv
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-givenName: awx
-userPassword: unpriv123
-
-dn: ou=groups,dc=example,dc=org
-ou: groups
-objectClass: top
-objectClass: organizationalUnit
-
-dn: cn=awx_users,ou=groups,dc=example,dc=org
-cn: awx_users
-objectClass: top
-objectClass: groupOfNames
-member: cn=awx_ldap_admin,ou=users,dc=example,dc=org
-member: cn=awx_ldap_auditor,ou=users,dc=example,dc=org
-member: cn=awx_ldap_unpriv,ou=users,dc=example,dc=org
-member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org
-
-dn: cn=awx_admins,ou=groups,dc=example,dc=org
-cn: awx_admins
-objectClass: top
-objectClass: groupOfNames
-member: cn=awx_ldap_admin,ou=users,dc=example,dc=org
-
-dn: cn=awx_auditors,ou=groups,dc=example,dc=org
-cn: awx_auditors
-objectClass: top
-objectClass: groupOfNames
-member: cn=awx_ldap_auditor,ou=users,dc=example,dc=org
-
-dn: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org
-mail: org.admin@example.org
-sn: LdapOrgAdmin
-cn: awx_ldap_org_admin
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-givenName: awx
-userPassword: orgadmin123
-
-dn: cn=awx_org_admins,ou=groups,dc=example,dc=org
-cn: awx_org_admins
-objectClass: top
-objectClass: groupOfNames
-member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org
-
-{% if enable_ldap|bool and enable_vault|bool %}
-dn: cn={{ vault_ldap_username }},ou=users,dc=example,dc=org
-changetype: add
-mail: vault@example.org
-sn: LdapVaultAdmin
-cn: {{ vault_ldap_username }}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-userPassword: {{ vault_ldap_password }}
-givenName: awx
-{% endif %}
--- a/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2
@@ -42,10 +42,6 @@ OPTIONAL_API_URLPATTERN_PREFIX = '{{ api_urlpattern_prefix }}'
 # Enable the following line to turn on database settings logging.
 # LOGGING['loggers']['awx.conf']['level'] = 'DEBUG'

-# Enable the following lines to turn on LDAP auth logging.
-# LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console']
-# LOGGING['loggers']['django_auth_ldap']['level'] = 'DEBUG'
-
 {% if enable_otel|bool %}
 LOGGING['handlers']['otel'] |= {
    'class': 'awx.main.utils.handlers.OTLPHandler',
--- a/tools/docker-compose/ansible/roles/vault/defaults/main.yml
+++ b/tools/docker-compose/ansible/roles/vault/defaults/main.yml
@@ -5,8 +5,5 @@ vault_cert_dir: "{{ sources_dest }}/vault_certs"
 vault_server_cert: "{{ vault_cert_dir }}/server.crt"
 vault_client_cert: "{{ vault_cert_dir }}/client.crt"
 vault_client_key: "{{ vault_cert_dir }}/client.key"
-ldap_ldif: "{{ sources_dest }}/ldap.ldifs/ldap.ldif"
-vault_ldap_username: "awx_ldap_vault"
-vault_ldap_password: "vault123"
 vault_userpass_username: "awx_userpass_admin"
 vault_userpass_password: "userpass123"
--- a/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/initialize.yml
@@ -92,74 +92,6 @@
        validate_certs: false
        token: "{{ Initial_Root_Token }}"

-    - name: Configure the vault ldap auth
-      block:
-        - name: Create ldap auth mount
-          flowerysong.hvault.write:
-            path: "sys/auth/ldap"
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            data:
-              type: "ldap"
-          register: vault_auth_ldap
-          changed_when: vault_auth_ldap.result.errors | default([]) | length == 0
-          failed_when:
-            - vault_auth_ldap.result.errors | default([]) | length > 0
-            - "'path is already in use at ldap/' not in vault_auth_ldap.result.errors | default([])"
-
-        - name: Create ldap engine
-          flowerysong.hvault.engine:
-            path: "ldap_engine"
-            type: "kv"
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-
-        - name: Create a ldap secret
-          flowerysong.hvault.kv:
-            mount_point: "ldap_engine/ldaps_root"
-            key: "ldap_secret"
-            value:
-              my_key: "this_is_the_ldap_secret_value"
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-
-        - name: Configure ldap auth
-          flowerysong.hvault.ldap_config:
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            url: "ldap://ldap:1389"
-            binddn: "cn=awx_ldap_vault,ou=users,dc=example,dc=org"
-            bindpass: "vault123"
-            userdn: "ou=users,dc=example,dc=org"
-            deny_null_bind: "false"
-            discoverdn: "true"
-
-        - name: Create ldap access policy
-          flowerysong.hvault.policy:
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            name: "ldap_engine"
-            policy:
-              ldap_engine/*: [create, read, update, delete, list]
-              sys/mounts:/*: [create, read, update, delete, list]
-              sys/mounts: [read]
-
-        - name: Add awx_ldap_vault user to auth_method
-          flowerysong.hvault.ldap_user:
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            state: present
-            name: "{{ vault_ldap_username }}"
-            policies:
-              - "ldap_engine"
-      when: enable_ldap | bool
-
    - name: Create userpass engine
      flowerysong.hvault.engine:
        path: "userpass_engine"
--- a/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
+++ b/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml
@@ -78,56 +78,6 @@
      secret_path: "/my_root/my_folder"
      secret_version: ""

- name: Create a HashiCorp Vault Credential for LDAP
-  awx.awx.credential:
-    credential_type: HashiCorp Vault Secret Lookup
-    name: Vault LDAP Lookup Cred
-    organization: Default
-    controller_host: "{{ awx_host }}"
-    controller_username: admin
-    controller_password: "{{ admin_password }}"
-    validate_certs: false
-    inputs:
-      api_version: "v1"
-      default_auth_path: "ldap"
-      kubernetes_role: ""
-      namespace: ""
-      url: "{{ vault_addr_from_container }}"
-      username: "{{ vault_ldap_username }}"
-      password: "{{ vault_ldap_password }}"
-  register: vault_ldap_cred
-  when: enable_ldap | bool
-
- name: Create a credential from the Vault LDAP Custom Cred Type
-  awx.awx.credential:
-    credential_type: "{{ custom_vault_cred_type.id }}"
-    controller_host: "{{ awx_host }}"
-    controller_username: admin
-    controller_password: "{{ admin_password }}"
-    validate_certs: false
-    name: Credential From HashiCorp Vault via LDAP Auth
-    inputs: {}
-    organization: Default
-  register: custom_credential_via_ldap
-  when: enable_ldap | bool
-
- name: Use the Vault LDAP Credential  the new credential
-  awx.awx.credential_input_source:
-    input_field_name: password
-    target_credential: "{{ custom_credential_via_ldap.id }}"
-    source_credential: "{{ vault_ldap_cred.id }}"
-    controller_host: "{{ awx_host }}"
-    controller_username: admin
-    controller_password: "{{ admin_password }}"
-    validate_certs: false
-    metadata:
-      auth_path: ""
-      secret_backend: "ldap_engine"
-      secret_key: "my_key"
-      secret_path: "ldaps_root/ldap_secret"
-      secret_version: ""
-  when: enable_ldap | bool
-
 - name: Create a HashiCorp Vault Credential for UserPass
  awx.awx.credential:
    credential_type: HashiCorp Vault Secret Lookup
--- a/tools/docker-compose/ansible/templates/ldap_settings.json.j2
+++ b/tools/docker-compose/ansible/templates/ldap_settings.json.j2
@@ -1,52 +0,0 @@
-{
-    "AUTH_LDAP_1_SERVER_URI": "ldap://ldap:1389",
-    "AUTH_LDAP_1_BIND_DN": "cn=admin,dc=example,dc=org",
-    "AUTH_LDAP_1_BIND_PASSWORD": "admin",
-    "AUTH_LDAP_1_START_TLS": false,
-    "AUTH_LDAP_1_CONNECTION_OPTIONS": {
-        "OPT_REFERRALS": 0,
-        "OPT_NETWORK_TIMEOUT": 30
-    },
-    "AUTH_LDAP_1_USER_SEARCH": [
-        "ou=users,dc=example,dc=org",
-        "SCOPE_SUBTREE",
-        "(cn=%(user)s)"
-    ],
-    "AUTH_LDAP_1_USER_DN_TEMPLATE": "cn=%(user)s,ou=users,dc=example,dc=org",
-    "AUTH_LDAP_1_USER_ATTR_MAP": {
-        "first_name": "givenName",
-        "last_name": "sn",
-        "email": "mail"
-    },
-    "AUTH_LDAP_1_GROUP_SEARCH": [
-        "ou=groups,dc=example,dc=org",
-        "SCOPE_SUBTREE",
-        "(objectClass=groupOfNames)"
-    ],
-    "AUTH_LDAP_1_GROUP_TYPE": "MemberDNGroupType",
-    "AUTH_LDAP_1_GROUP_TYPE_PARAMS": {
-        "member_attr": "member",
-        "name_attr": "cn"
-    },
-    "AUTH_LDAP_1_REQUIRE_GROUP": "cn=awx_users,ou=groups,dc=example,dc=org",
-    "AUTH_LDAP_1_DENY_GROUP": null,
-    "AUTH_LDAP_1_USER_FLAGS_BY_GROUP": {
-        "is_superuser": [
-            "cn=awx_admins,ou=groups,dc=example,dc=org"
-        ],
-        "is_system_auditor": [
-            "cn=awx_auditors,ou=groups,dc=example,dc=org"
-        ]
-    },
-    "AUTH_LDAP_1_ORGANIZATION_MAP": {
-        "LDAP Organization": {
-            "users": true,
-            "remove_admins": false,
-            "remove_users": true,
-            "admins": [
-                "cn=awx_org_admins,ou=groups,dc=example,dc=org"
-            ]
-        }
-    },
-    "AUTH_LDAP_1_TEAM_MAP": {}
-}