Ansible Tower LDAP with self signed CA

 October 6, 2017

One of the big advantages that Ansible Tower and AWX (the open source and upstream version of Ansible Tower) bring to the table is the Role Base Access Control (RBAC). This will allow you to select which users (or teams) will be able to see which objects in Ansible Tower as well as which jobs they will be able to run.

Obviously to leverage the RBAC, you will have to have personal accounts for every user of your platform. Now, this can be very complex to do when you have hundreds of users, if you consider than you should then manage those users. Also, you probably already have those information in your company LDAP or Active Directory.

Ansible Tower is able to query an LDAP server, so that you don’t have to keep two replicated dataset.

LDAP is a clear text format, which is not something you want to have in your network. LDAPS is LDAP with TLS (in the same way that HTTPS is HTTP with TLS) and can help to ensure confidentiality of your LDAP information.

To be able to use LDAPS, you will need an X509 certificate (as you need for HTTPS). Those certificates need to be signed by a Certificate Authority. You can use a public CA or your own CA.

By default, Ansible Tower will try to validate the LDAPS TLS certificate using the default Certificate Authority list, where only public CAs are present. This means that if you signed your LDAPS certificate with your own CA, this will not work. Although this is a sane behaviour - at least in my opinion - this might be different from what you may want to do. This is also a fairly common way of handling CAs. The problem is that Ansible Tower will not look for the system trusted CA, but will use it’s own ones, so you can not add your CA to the system to make it work.

To make it work, the first thing to do is creating a file which contains the public part of the CA. In our example, this file has been created in /etc/pki/ca.crt.

At this time (Ansible Tower 3.2, AWX 1.0.0), there is no option in Ansible Tower User Interface to change the CA, but it’s possible using an API request. It will be necessary to update the AUTH_LDAP_CONNECTION_OP object that lives in the https://<tower-fqdn>/api/v1/settings/ldap endpoint. By default, the AUTH_LDAP_CONNECTION_OP object looks like:

    "AUTH_LDAP_CONNECTION_OPTIONS": {
        "OPT_NETWORK_TIMEOUT": 30,
        "OPT_REFERRALS": 0
    },

To update it, we will need to perform a PATCH request, by adding the following attributes:

    "OPT_X_TLS_CACERTFILE": "/etc/pki/ca.crt"
    "OPT_X_TLS_NEWCTX": 0,

If then you query the https://<tower-fqdn>/api/v1/settings/ldap with a GET request, you should be able to see that the AUTH_LDAP_CONNECTION_OPTIONS will look something like:

    "AUTH_LDAP_CONNECTION_OPTIONS": {
        "OPT_X_TLS_CACERTFILE": "/etc/pki/ca.crt"
        "OPT_NETWORK_TIMEOUT": 30,
        "OPT_X_TLS_NEWCTX": 0,
        "OPT_REFERRALS": 0
    },

As you can notice, we added two attributes. The first one is OPT_X_TLS_CACERTFILE and is used to specify the public CA location. The second one is OPT_X_TLS_NEWCTX and it’s required due to how python-ldap (the library that Ansible Tower and AWX use) works. If you forget to add the OPT_X_TLS_NEWCTX property, the TLS connection will not use the CA file you specified and will fail.

You will now be able to use a certificate for LDAPS that has been signed with the CA whose public part is in the /etc/pki/ca.crt file.

 Ansible

 Ansible Tower, Infrastructure as Code

Say something

Comments

Christoph Miessler on 2017-11-02 14:47:38 UTC said:

I had some trouble submitting the patch request. In the end I just added these lines to /etc/tower/settings.py:

AUTH_LDAP_CONNECTION_OPTIONS = {
   ldap.OPT_REFERRALS: 0
   ldap.OPT_X_TLS_CACERTFILE: '/etc/ssl/certs/your.crt',
   ldap.OPT_NETWORK_TIMEOUT: 30,
   ldap.OPT_X_TLS_NEWCTX: 0
}

Fabio Alessandro Locati on 2017-11-02 17:06:03 UTC said:

That’s a solution as well for now. Remember that changing such options in the configuration is now deprecated and could be broken in a future version of Asnible Tower.

Also, if you are running a multi-node cluster, you’ll need to change the /etc/tower/settings.py on every host and keep them synchronized.

What error did you had while doing the PATCH request?

Prakash Sharma on 2018-07-26 08:22:38 UTC said:

Hello,

Thanks for this article. I have followed this in my AWX environment, But it gives me below error….

2018-07-26 08:19:33,910 DEBUG    django_auth_ldap Initiating TLS
2018-07-26 08:19:33,919 WARNING  django_auth_ldap Caught LDAPError while authenticating psharma: CONNECT_ERROR({'info': 'TLS: hostname does not match CN in peer certificate', 'desc': 'Connect error'},)

Do you have any suggestion for this?

Regards,

Prakash.

Fabio Alessandro Locati on 2018-07-26 11:04:27 UTC said:

The error that you are seeing is due to the fact that the address that you are calling of the LDAP server is not matching the one listed in the TLS certificate provided by the server.

I would suggest to double check which one of the two is the correct one, and then fix the configuration or re-issue the TLS certificate for the proper domain.