ldap users are converted into local accounts #11
Comments
Yes, I'm aware of this behaviour, as I struggled with it myself. I'm not sure how AWX marks users as being LDAP users. AFAIK, it must be through some specially formed data in the password field, which I could not reproduce. You could not import any users, and restore all other objects, but that might yield errors for objects that are owned by an ldap user, failing the import of said object. You can import all users, import all other objects, then delete all those users. When users then log in again, their proper ldap account is re-created. Depending on ldap group settings, you might need to re-assign users to specific groups then, and/or re-assign certain memberships. I don't have, or rather don't know, the solution to this problem. We'd need to get info on how ldap users are stored in AWX. So far I couldn't find this information.
So the tower-cli receive function does not dump the complete record for users which have the attributes 'ldap_dn' and external_account.
The new awx kit doesn't seem to have the possibility to do some export as with tower-cli. In the new postgres database: `select id, username from auth_user;` Copy/paste all the lines except the first 2 into a file named "liste". In a shell script:

```sh
#!/bin/bash
read -p "User : " bindDNUser
read -s -p "Password : " bindDNPass
echo ""
# "liste" holds the psql rows "  <id> | <username>" (header/separator stripped)
while read -r line; do
    ID=$(echo "$line" | awk '{print $1}')
    USER=$(echo "$line" | awk '{print $3}')
    # skip anything that is not a data row (blank lines, "(N rows)" footer)
    [[ "$ID" =~ ^[0-9]+$ ]] || continue
    DN=$(ldapsearch -H ldaps://yourldapserver:port -D "yourdomain\\$bindDNUser" -w "$bindDNPass" \
          -o ldif-wrap=no -b yourbaseuser -xLLL "(cn=$USER)" dn \
          | sed -n 's/^dn: //p' | tr '[:upper:]' '[:lower:]')
    # no DN means the user is not in LDAP: leave it alone rather than blank its password
    [ -n "$DN" ] || { echo "-- $USER (id $ID) not found in LDAP, skipped"; continue; }
    DN=${DN//\'/\'\'}   # escape single quotes for the SQL string literal
    echo "UPDATE main_profile SET ldap_dn = '$DN' WHERE user_id = $ID;"
    echo "UPDATE auth_user SET password = '' WHERE id = $ID;"
done < liste
```

Launch the script and copy/check/launch all the echoed lines in the new postgres. All your ldap accounts will be considered as ldap again.
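As an added example (not the script from the comment above), a Python version of the same generation step: it parses the raw `select id, username from auth_user;` output without hand-stripping the header and footer, quotes the DN as a proper SQL string literal, and skips any user the directory does not know, so a genuinely local account such as `admin` does not get its password blanked. The directory lookup is a constructed dictionary standing in for the `ldapsearch` call.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample of `select id, username from auth_user;` as psql prints it,
# including the header, separator and "(N rows)" footer that the original
# script expects you to strip by hand.
PSQL_OUTPUT = """\
 id | username
----+----------
  1 | admin
  5 | jdoe
  7 | o'brien
(3 rows)
"""

ROW_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\S+)\s*$")

def parse_user_rows(text: str) -> List[Tuple[int, str]]:
    """Return (id, username) pairs, ignoring header, separator and footer lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return rows

def sql_literal(value: str) -> str:
    """Single-quote a string for PostgreSQL, doubling any embedded quote."""
    return "'" + value.replace("'", "''") + "'"

def relink_statements(text: str, lookup_dn: Callable[[str], Optional[str]]) -> List[str]:
    """Build the two UPDATEs from the comment above for every user that has an
    LDAP DN. Users without one (e.g. a local 'admin') are skipped so their
    local password is not blanked."""
    stmts = []
    for user_id, username in parse_user_rows(text):
        dn = lookup_dn(username)
        if not dn:
            continue
        dn = dn.lower()  # the original script lower-cases the DN
        stmts.append(f"UPDATE main_profile SET ldap_dn = {sql_literal(dn)} WHERE user_id = {user_id};")
        stmts.append(f"UPDATE auth_user SET password = '' WHERE id = {user_id};")
    return stmts

# Constructed stand-in for ldapsearch: only jdoe and o'brien exist in the directory.
FAKE_DIRECTORY = {"jdoe": "CN=jdoe,OU=users,DC=example,DC=com",
                  "o'brien": "CN=o'brien,OU=users,DC=example,DC=com"}

if __name__ == "__main__":
    for stmt in relink_statements(PSQL_OUTPUT, FAKE_DIRECTORY.get):
        print(stmt)
```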
Thanks @grimlokason that was a great steer, works well for me.
We use ldap to authenticate. When importing on the new server the user accounts are converted into local accounts. I can delete them and log in again and it will recreate them, but it would be good to either not create ldap accounts or to create them as ldap.