Remove LDAP authentication (#15546)

Remove LDAP authentication from AWX

tools/docker-compose/ansible/roles/sources/defaults/main.yml

@@ -23,15 +23,6 @@ work_sign_public_keyfile: "{{ work_sign_key_dir }}/work_public_key.pem"
 # SSO variables
 enable_keycloak: false
 
-enable_ldap: false
-ldap_public_key_file_name: 'ldap.cert'
-ldap_private_key_file_name: 'ldap.key'
-ldap_cert_dir: '{{ sources_dest }}/ldap_certs'
-ldap_diff_dir: '{{ sources_dest }}/ldap_diffs'
-ldap_public_key_file: '{{ ldap_cert_dir }}/{{ ldap_public_key_file_name }}'
-ldap_private_key_file: '{{ ldap_cert_dir }}/{{ ldap_private_key_file_name }}'
-ldap_cert_subject: "/C=US/ST=NC/L=Durham/O=awx/CN="
-
 # Hashicorp Vault
 enable_vault: false
 vault_tls: false

tools/docker-compose/ansible/roles/sources/tasks/ldap.yml

@@ -1,21 +0,0 @@
----
-- name: Create LDAP cert directory
-  file:
-    path: "{{ item }}"
-    state: directory
-  loop:
-    - "{{ ldap_cert_dir }}"
-    - "{{ ldap_diff_dir }}"
-
-- name: include vault vars
-  include_vars: "{{ hashivault_vars_file }}"
-
-- name: General LDAP cert
-  command: 'openssl req -new -x509 -days 365 -nodes -out {{ ldap_public_key_file }} -keyout {{ ldap_private_key_file }} -subj "{{ ldap_cert_subject }}"'
-  args:
-    creates: "{{ ldap_public_key_file }}"
-
-- name: Copy ldap.diff
-  ansible.builtin.template:
-    src: "ldap.ldif.j2"
-    dest: "{{ ldap_diff_dir }}/ldap.ldif"

tools/docker-compose/ansible/roles/sources/tasks/main.yml

@@ -97,10 +97,6 @@
     creates: "{{ work_sign_public_keyfile }}"
   when: sign_work | bool
 
-- name: Include LDAP tasks if enabled
-  include_tasks: ldap.yml
-  when: enable_ldap | bool
-
 - name: Include vault TLS tasks if enabled
   include_tasks: vault_tls.yml
   when: enable_vault | bool

tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2

@@ -146,31 +146,6 @@ services:
     depends_on:
       - postgres
 {% endif %}
-{% if enable_ldap|bool %}
-  ldap:
-    image: bitnami/openldap:2
-    container_name: tools_ldap_1
-    hostname: ldap
-    user: "{{ ansible_user_uid }}"
-    networks:
-      - awx
-    ports:
-      - "389:1389"
-      - "636:1636"
-    environment:
-      LDAP_ADMIN_USERNAME: admin
-      LDAP_ADMIN_PASSWORD: admin
-      LDAP_CUSTOM_LDIF_DIR: /opt/bitnami/openldap/ldiffs
-      LDAP_ENABLE_TLS: "yes"
-      LDAP_LDAPS_PORT_NUMBER: 1636
-      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/certs/{{ ldap_public_key_file_name }}
-      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/certs/{{ ldap_public_key_file_name }}
-      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/certs/{{ ldap_private_key_file_name }}
-    volumes:
-      - 'openldap_data:/bitnami/openldap'
-      - '../../docker-compose/_sources/ldap_certs:/opt/bitnami/openldap/certs'
-      - '../../docker-compose/_sources/ldap_diffs:/opt/bitnami/openldap/ldiffs'
-{% endif %}
 {% if enable_splunk|bool %}
   splunk:
     image: splunk/splunk:latest
@@ -376,11 +351,6 @@ volumes:
   redis_socket_{{ container_postfix }}:
     name: tools_redis_socket_{{ container_postfix }}
 {% endfor -%}
-{% if enable_ldap|bool %}
-  openldap_data:
-    name: tools_ldap_1
-    driver: local
-{% endif %}
 {% if enable_vault|bool %}
   hashicorp_vault_data:
     name: tools_vault_1

tools/docker-compose/ansible/roles/sources/templates/ldap.ldif.j2

@@ -1,99 +0,0 @@
-dn: dc=example,dc=org
-objectClass: dcObject
-objectClass: organization
-dc: example
-o: example
-
-dn: ou=users,dc=example,dc=org
-ou: users
-objectClass: organizationalUnit
-
-dn: cn=awx_ldap_admin,ou=users,dc=example,dc=org
-mail: admin@example.org
-sn: LdapAdmin
-cn: awx_ldap_admin
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-userPassword: admin123
-givenName: awx
-
-dn: cn=awx_ldap_auditor,ou=users,dc=example,dc=org
-mail: auditor@example.org
-sn: LdapAuditor
-cn: awx_ldap_auditor
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-userPassword: audit123
-givenName: awx
-
-dn: cn=awx_ldap_unpriv,ou=users,dc=example,dc=org
-mail: unpriv@example.org
-sn: LdapUnpriv
-cn: awx_ldap_unpriv
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-givenName: awx
-userPassword: unpriv123
-
-dn: ou=groups,dc=example,dc=org
-ou: groups
-objectClass: top
-objectClass: organizationalUnit
-
-dn: cn=awx_users,ou=groups,dc=example,dc=org
-cn: awx_users
-objectClass: top
-objectClass: groupOfNames
-member: cn=awx_ldap_admin,ou=users,dc=example,dc=org
-member: cn=awx_ldap_auditor,ou=users,dc=example,dc=org
-member: cn=awx_ldap_unpriv,ou=users,dc=example,dc=org
-member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org
-
-dn: cn=awx_admins,ou=groups,dc=example,dc=org
-cn: awx_admins
-objectClass: top
-objectClass: groupOfNames
-member: cn=awx_ldap_admin,ou=users,dc=example,dc=org
-
-dn: cn=awx_auditors,ou=groups,dc=example,dc=org
-cn: awx_auditors
-objectClass: top
-objectClass: groupOfNames
-member: cn=awx_ldap_auditor,ou=users,dc=example,dc=org
-
-dn: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org
-mail: org.admin@example.org
-sn: LdapOrgAdmin
-cn: awx_ldap_org_admin
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-givenName: awx
-userPassword: orgadmin123
-
-dn: cn=awx_org_admins,ou=groups,dc=example,dc=org
-cn: awx_org_admins
-objectClass: top
-objectClass: groupOfNames
-member: cn=awx_ldap_org_admin,ou=users,dc=example,dc=org
-
-{% if enable_ldap|bool and enable_vault|bool %}
-dn: cn={{ vault_ldap_username }},ou=users,dc=example,dc=org
-changetype: add
-mail: vault@example.org
-sn: LdapVaultAdmin
-cn: {{ vault_ldap_username }}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: inetOrgPerson
-userPassword: {{ vault_ldap_password }}
-givenName: awx
-{% endif %}

tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2

@@ -42,10 +42,6 @@ OPTIONAL_API_URLPATTERN_PREFIX = '{{ api_urlpattern_prefix }}'
 # Enable the following line to turn on database settings logging.
 # LOGGING['loggers']['awx.conf']['level'] = 'DEBUG'
 
-# Enable the following lines to turn on LDAP auth logging.
-# LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console']
-# LOGGING['loggers']['django_auth_ldap']['level'] = 'DEBUG'
-
 {% if enable_otel|bool %}
 LOGGING['handlers']['otel'] |= {
     'class': 'awx.main.utils.handlers.OTLPHandler',

tools/docker-compose/ansible/roles/vault/defaults/main.yml

@@ -5,8 +5,5 @@ vault_cert_dir: "{{ sources_dest }}/vault_certs"
 vault_server_cert: "{{ vault_cert_dir }}/server.crt"
 vault_client_cert: "{{ vault_cert_dir }}/client.crt"
 vault_client_key: "{{ vault_cert_dir }}/client.key"
-ldap_ldif: "{{ sources_dest }}/ldap.ldifs/ldap.ldif"
-vault_ldap_username: "awx_ldap_vault"
-vault_ldap_password: "vault123"
 vault_userpass_username: "awx_userpass_admin"
 vault_userpass_password: "userpass123"

tools/docker-compose/ansible/roles/vault/tasks/initialize.yml

@@ -92,74 +92,6 @@
         validate_certs: false
         token: "{{ Initial_Root_Token }}"
 
-    - name: Configure the vault ldap auth
-      block:
-        - name: Create ldap auth mount
-          flowerysong.hvault.write:
-            path: "sys/auth/ldap"
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            data:
-              type: "ldap"
-          register: vault_auth_ldap
-          changed_when: vault_auth_ldap.result.errors | default([]) | length == 0
-          failed_when:
-            - vault_auth_ldap.result.errors | default([]) | length > 0
-            - "'path is already in use at ldap/' not in vault_auth_ldap.result.errors | default([])"
-
-        - name: Create ldap engine
-          flowerysong.hvault.engine:
-            path: "ldap_engine"
-            type: "kv"
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-
-        - name: Create a ldap secret
-          flowerysong.hvault.kv:
-            mount_point: "ldap_engine/ldaps_root"
-            key: "ldap_secret"
-            value:
-              my_key: "this_is_the_ldap_secret_value"
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-
-        - name: Configure ldap auth
-          flowerysong.hvault.ldap_config:
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            url: "ldap://ldap:1389"
-            binddn: "cn=awx_ldap_vault,ou=users,dc=example,dc=org"
-            bindpass: "vault123"
-            userdn: "ou=users,dc=example,dc=org"
-            deny_null_bind: "false"
-            discoverdn: "true"
-
-        - name: Create ldap access policy
-          flowerysong.hvault.policy:
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            name: "ldap_engine"
-            policy:
-              ldap_engine/*: [create, read, update, delete, list]
-              sys/mounts:/*: [create, read, update, delete, list]
-              sys/mounts: [read]
-
-        - name: Add awx_ldap_vault user to auth_method
-          flowerysong.hvault.ldap_user:
-            vault_addr: "{{ vault_addr_from_host }}"
-            validate_certs: false
-            token: "{{ Initial_Root_Token }}"
-            state: present
-            name: "{{ vault_ldap_username }}"
-            policies:
-              - "ldap_engine"
-      when: enable_ldap | bool
-
     - name: Create userpass engine
       flowerysong.hvault.engine:
         path: "userpass_engine"

tools/docker-compose/ansible/roles/vault/tasks/plumb.yml

@@ -78,56 +78,6 @@
       secret_path: "/my_root/my_folder"
       secret_version: ""
 
-- name: Create a HashiCorp Vault Credential for LDAP
-  awx.awx.credential:
-    credential_type: HashiCorp Vault Secret Lookup
-    name: Vault LDAP Lookup Cred
-    organization: Default
-    controller_host: "{{ awx_host }}"
-    controller_username: admin
-    controller_password: "{{ admin_password }}"
-    validate_certs: false
-    inputs:
-      api_version: "v1"
-      default_auth_path: "ldap"
-      kubernetes_role: ""
-      namespace: ""
-      url: "{{ vault_addr_from_container }}"
-      username: "{{ vault_ldap_username }}"
-      password: "{{ vault_ldap_password }}"
-  register: vault_ldap_cred
-  when: enable_ldap | bool
-
-- name: Create a credential from the Vault LDAP Custom Cred Type
-  awx.awx.credential:
-    credential_type: "{{ custom_vault_cred_type.id }}"
-    controller_host: "{{ awx_host }}"
-    controller_username: admin
-    controller_password: "{{ admin_password }}"
-    validate_certs: false
-    name: Credential From HashiCorp Vault via LDAP Auth
-    inputs: {}
-    organization: Default
-  register: custom_credential_via_ldap
-  when: enable_ldap | bool
-
-- name: Use the Vault LDAP Credential  the new credential
-  awx.awx.credential_input_source:
-    input_field_name: password
-    target_credential: "{{ custom_credential_via_ldap.id }}"
-    source_credential: "{{ vault_ldap_cred.id }}"
-    controller_host: "{{ awx_host }}"
-    controller_username: admin
-    controller_password: "{{ admin_password }}"
-    validate_certs: false
-    metadata:
-      auth_path: ""
-      secret_backend: "ldap_engine"
-      secret_key: "my_key"
-      secret_path: "ldaps_root/ldap_secret"
-      secret_version: ""
-  when: enable_ldap | bool
-
 - name: Create a HashiCorp Vault Credential for UserPass
   awx.awx.credential:
     credential_type: HashiCorp Vault Secret Lookup