
I have set up a single node AWX instance (Version 2.1.2) using Docker. Unfortunately the LDAP connection doesn't work; it fails with the following error message:

WARNING  django_auth_ldap Caught LDAPError while authenticating USERNAME: 
SERVER_DOWN({'info': 'error:14090086:SSL 
routines:ssl3_get_server_certificate:certificate verify failed (self signed 
certificate in certificate chain)', 'desc': "Can't contact LDAP server"},)

I already downloaded the intermediate cert and added it to the settings.py.

import ldap

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
    # CA certificate(s) used to verify the LDAP server's TLS certificate
    ldap.OPT_X_TLS_CACERTFILE: '/etc/pki/ca-trust/source/anchors/generali-ca.pem',
    ldap.OPT_NETWORK_TIMEOUT: 30,
    ldap.OPT_X_TLS_NEWCTX: 0,
}

If I query the API, the changes are in place.

Any idea how to resolve this issue?

Hi V.Widmer, welcome to SO. You mention the "intermediate" cert, but have you tried providing the whole chain, all the way up to the self-signed root? You may even experience better luck adding that cert chain to /etc/ssl/certs/ca-certificates or whatever CentOS uses, such that openssl s_client -connect would connect cleanly - mdaniel
Hi Matthew. Thank you very much for your input. Your approach actually solved the issue. Many thanks. - V.Widmer

1 Answer


You mention the "intermediate" cert, but it likely needs the whole chain, all the way up to the self-signed root.

Separately, you may even experience better luck adding that cert chain to /etc/ssl/certs/ca-certificates or whatever CentOS uses, such that openssl s_client -connect would connect cleanly. It can reduce the number of places that need to be taught about the upstream CA because the "machine" will trust the CA.
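An added example (not part of the answer or the question): a script that builds a throwaway root -> intermediate -> LDAP server certificate chain with openssl and then checks, offline, which trust-store contents let the server certificate verify. It is the file-based analogue of the openssl s_client check suggested above; all file names and subject names are constructed, and it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Constructed demo: local root -> intermediate -> LDAP server chain, no network needed.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_demo_chain() {
  # Self-signed root CA
  openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -keyout root.key \
    -out root.pem -days 1 -subj "/CN=Demo Root CA" >/dev/null 2>&1
  # Intermediate CA, signed by the root
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout inter.key \
    -out inter.csr -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile demo.cnf -extensions ca_ext -out inter.pem >/dev/null 2>&1
  # LDAP server certificate, signed by the intermediate
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout ldap.key \
    -out ldap.csr -subj "/CN=ldap.example.internal" >/dev/null 2>&1
  openssl x509 -req -in ldap.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 1 -out ldap.pem >/dev/null 2>&1
  # What OPT_X_TLS_CACERTFILE should point at: the whole chain up to the root
  cat inter.pem root.pem > chain.pem
}

# leaf_ok TRUSTED [UNTRUSTED]: exit 0 if ldap.pem verifies against the TRUSTED CA
# file; UNTRUSTED models extra certificates the server sends in the TLS handshake.
leaf_ok() {
  if [ -n "${2:-}" ]; then openssl verify -CAfile "$1" -untrusted "$2" ldap.pem >/dev/null 2>&1
  else openssl verify -CAfile "$1" ldap.pem >/dev/null 2>&1; fi
}

report() { label=$1; shift; if leaf_ok "$@"; then echo "$label: OK"; else echo "$label: FAILS"; fi; }

make_demo_chain
report "intermediate only"                    inter.pem
report "intermediate only, server sends root" inter.pem root.pem   # the question's situation
report "full chain (intermediate + root)"     chain.pem
report "root only, server sends intermediate" root.pem inter.pem
```

Only the two runs whose trust file reaches the self-signed root verify; trusting just the intermediate fails whether or not the server also sends the root, which is the situation behind the "self signed certificate in certificate chain" error.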