So if you’ve bought Ansible Tower, it’s probably because you needed the enterprise features, such as the API or RBAC support, that you only get with Tower.
So I’ve been building a small lab for some of the people in my team. A key component of this lab is Ansible Tower. I knew Tower would fully support LDAP as an authentication source, however, when I checked out the docs, most of the examples are for Microsoft Active Directory. Although in many businesses this would be great, I work for a Linux company, and my default is Red Hat IDM (FreeIPA to everyone else).
I’m no expert when it comes to LDAP, I’ve had a little bit of experience, but, if I’m being honest I’ve avoided it in general.
I’ve written this because it took a while to get working perfectly, so it made sense to document it for me, maybe someone else might find it useful.
My use case was to create a user group in IDM and allow members of that group to be able to log into Ansible tower. I’m not particularly worried about automatically assigning organisations, I just want to make sure people can log in, I’ll assign permissions as and when I choose. This is about Authentication, not Authorization.
domain name - nixgeek.co.uk
IDM administrator credentials - admin/letmein123
IDM host - idmng.nixgeek.co.uk
Step 1 – Create a user in IDM
If you haven’t already done so, make sure you are authenticated as an administrator user.
[root@idmng ~]# kinit admin
Password for admin@NIXGEEK.CO.UK:
Then create a new IDM user.
[root@idmng ~]# ipa user-add tower_admin
First name: Tower
Last name: Administrator
------------------------
Added user "tower_admin"
------------------------
  User login: tower_admin
  First name: Tower
  Last name: Administrator
  Full name: Tower Administrator
  Display name: Tower Administrator
  Initials: TA
  Home directory: /home/tower_admin
  GECOS: Tower Administrator
  Login shell: /bin/sh
  Principal name: tower_admin@NIXGEEK.CO.UK
  Principal alias: tower_admin@NIXGEEK.CO.UK
  Email address: firstname.lastname@example.org
  UID: 477200012
  GID: 477200012
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
Step 2 – Create a user group in IDM
[root@idmng ~]# ipa group-add tower_administrators
----------------------------------
Added group "tower_administrators"
----------------------------------
  Group name: tower_administrators
  GID: 477200013
Step 3 – Add the newly created user to my user group in IDM
[root@idmng ~]# ipa group-add-member tower_administrators --users=tower_admin
  Group name: tower_administrators
  GID: 477200013
  Member users: tower_admin
-------------------------
Number of members added 1
-------------------------
Step 4 – On Tower, install the LDAP client tools
[root@tower ~]# yum install openldap-clients
Step 5 – Update the authentication settings on Tower
On Tower 3.x, edit the file /etc/tower/conf.d/ldap.py with your favourite editor.
[root@tower ]# vi /etc/tower/conf.d/ldap.py
Step 6 – Comment out the Active Directory imports
Below the comments at the top of the file, you will see the following
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
from django_auth_ldap.config import ActiveDirectoryGroupType
Comment out the ActiveDirectory line, and insert the GroupOfNamesType import so it looks like the following.
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
#from django_auth_ldap.config import ActiveDirectoryGroupType
from django_auth_ldap.config import GroupOfNamesType
Step 7 – Configure the LDAP URI
Still in the ldap.py file you will find a line that starts with the token AUTH_LDAP_SERVER_URI.
Assuming you haven’t changed any ports, then modify to look similar to the following. This just tells Tower how to open a connection to the IDM/IPA server.
AUTH_LDAP_SERVER_URI = 'ldap://idmng.nixgeek.co.uk:389'
By default IPA/IDM allows LDAP connectivity without forcing LDAPS. LDAPS is beyond the scope of this guide. I may add it later if there is an interest.
Step 8 – Configure the LDAP Bind
The next token we are looking for is AUTH_LDAP_BIND_DN. This token tells Tower which account to bind to the IPA/IDM server as when it performs its searches.
Here I’m putting the credentials of my IDM admin user in. Please don’t do this in the wild, putting your IDM admin password in plaintext is NOT_A_GOOD_IDEA(TM)
AUTH_LDAP_BIND_DN = 'uid=admin,CN=users,CN=accounts,DC=nixgeek,DC=co,DC=uk'
AUTH_LDAP_BIND_PASSWORD = 'letmein123'
Step 9 – The user search
So the next token is the query that will be executed against the IDM server to establish whether a user is valid. By default, this is configured for Active Directory, and will need to be changed for IDM/IPA.
You will need a block that looks similar to the following.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'cn=users,cn=accounts,dc=nixgeek,dc=co,dc=uk', # Base DN
    ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
    '(uid=%(user)s)', # Query
)
Let’s look at this line by line.
Execute an LDAP search against our IDM server
AUTH_LDAP_USER_SEARCH = LDAPSearch(
Specifying the path to our user accounts
'cn=users,cn=accounts,dc=nixgeek,dc=co,dc=uk', # Base DN
Querying subtrees of that path
ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
for a specific element that has the uid (username attribute in IDM/IPA) that matches the supplied username.
'(uid=%(user)s)', # Query
Step 10 – The group search
Next, we need to configure the group search
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    'cn=groups,cn=accounts,dc=nixgeek,dc=co,dc=uk', # Base DN
    ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
    '(objectClass=ipausergroup)', # Query
)
Step 11 – Ensure valid users MUST be members of our group
By setting the following, we ensure that a user must be both a valid IDM user and a member of the correct group before they can log in. This means we can grant and revoke access to Tower just by adding users to, and removing them from, a group.
AUTH_LDAP_REQUIRE_GROUP = 'cn=tower_administrators,cn=groups,cn=accounts,dc=nixgeek,dc=co,dc=uk'
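To see what Tower actually does with the user search, the group search and AUTH_LDAP_REQUIRE_GROUP above, here is an added example (not from the original post, and not django_auth_ldap’s own code) that replays the same checks offline against a constructed snapshot of the entries that Steps 1 to 3 create in IDM. The directory contents, the attribute names and the RFC 4515 escaping helper are assumptions modelled on what FreeIPA returns; the DNs are the ones used in this guide.

```python
# Added example: simulate Tower's LDAP login decision against constructed FreeIPA entries.
BASE = "dc=nixgeek,dc=co,dc=uk"
USER_BASE = f"cn=users,cn=accounts,{BASE}"            # AUTH_LDAP_USER_SEARCH base DN
GROUP_BASE = f"cn=groups,cn=accounts,{BASE}"          # AUTH_LDAP_GROUP_SEARCH base DN
REQUIRE_GROUP = f"cn=tower_administrators,{GROUP_BASE}"  # AUTH_LDAP_REQUIRE_GROUP

# Constructed snapshot (assumption): what 'ipa user-add' and 'ipa group-add-member' leave
# behind. FreeIPA user groups carry objectClass groupOfNames and list members as full DNs,
# which is why GroupOfNamesType, not ActiveDirectoryGroupType, is the right group type.
DIRECTORY = {
    f"uid=tower_admin,{USER_BASE}": {"uid": ["tower_admin"], "objectClass": ["posixaccount"]},
    f"uid=bob,{USER_BASE}": {"uid": ["bob"], "objectClass": ["posixaccount"]},
    REQUIRE_GROUP: {
        "objectClass": ["groupOfNames", "ipausergroup"],
        "member": [f"uid=tower_admin,{USER_BASE}"],
    },
}


def escape_filter_chars(value: str) -> str:
    """RFC 4515 escaping of filter values, the treatment %(user)s gets before it is sent."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def build_user_filter(username: str) -> str:
    """The '(uid=%(user)s)' query with the supplied username escaped, so '*' cannot
    turn into a wildcard and '(' or ')' cannot alter the filter structure."""
    return "(uid=%s)" % escape_filter_chars(username)


def user_search(username: str):
    """AUTH_LDAP_USER_SEARCH: the escaped filter is an exact match on uid under USER_BASE.
    Returns the matching entry's DN, or None when no such user exists."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith("," + USER_BASE.lower()) and username in attrs.get("uid", []):
            return dn
    return None


def in_required_group(user_dn: str) -> bool:
    """AUTH_LDAP_REQUIRE_GROUP with GroupOfNamesType: the user's DN must be listed in
    the group's 'member' attribute (DNs compare case-insensitively)."""
    members = DIRECTORY.get(REQUIRE_GROUP, {}).get("member", [])
    return user_dn.lower() in (m.lower() for m in members)


def can_log_in(username: str) -> bool:
    """Both checks must pass: a valid IDM user who is also in tower_administrators."""
    user_dn = user_search(username)
    return user_dn is not None and in_required_group(user_dn)
```

Adding a user to tower_administrators with ipa group-add-member is enough to flip can_log_in() for them; removing them flips it back without touching the Tower configuration.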
That’s it, now save and exit the file.
Step 12 – Restart tower
[root@tower ~]# ansible-tower-service restart
Step 13 – Log in and profit!
You are now ready to log in and test.
I hope you found this useful. If you find any inaccuracies please let me know, and I’ll update them.
Versions of software
Red Hat IDM / FreeIPA 4.4.0
RHEL 7.3
Ansible Tower 3.0.3