This repository has been archived by the owner on Nov 5, 2020. It is now read-only.

ldap users are converted into local accounts #11

Open
richardsonky opened this issue Jul 9, 2019 · 4 comments
Labels
help wanted Extra attention is needed

Comments

@richardsonky

We use ldap to authenticate. When importing on the new server the user accounts are converted into local accounts. I can delete them and login again and it will recreate, but it would be good to either not create ldap accounts or to create them as ldap.

@srgvg srgvg added the help wanted Extra attention is needed label Jul 18, 2019
@srgvg
Contributor

srgvg commented Jul 18, 2019

Yes, I'm aware of this behaviour, as I struggled with it myself. I'm not sure how AWX marks users as being LDAP users. AFAIK, it must be through some specially formed data in the password field, which I could not reproduce.

You could not import any users, and restore all other objects, but that might yield errors for objects that are owned by an ldap user, failing to import said object.

You can import all users, import all other objects, then delete all those users. When users then log in again, their proper ldap account is re-created. Depending on ldap group settings, you might need to re-assign users to specific groups then, and/or re-assign certain memberships.

I don't have, or rather don't know, the solution to this problem. We'd need to get info on how ldap users are stored in AWX. So far I couldn't find this information.

@fischerdr

So the tower-cli receive function does not dump the complete record for users, which have the 'ldap_dn' and external_account attributes.
Since the tower-cli util is not being developed, you may want to look at a script that uses the new awxkit (part of new versions of awx) and do a bit of back and forth parsing.

@grimlokason

The new awxkit doesn't seem to have the possibility to do an export as with tower-cli.
But with tower-cli/awx-migrate we can fix it with some actions directly in the database:

In the new postgres database:

select id, username from auth_user;

Copy/paste all the lines except the first 2 into a file named "liste".
Delete the lines that don't concern ldap accounts.

In a shell script:

read -p "User : " bindDNUser
read -s -p "Password : " bindDNPass
echo ""
# "liste" holds the psql rows as "<id> | <username>"; awk fields 1 and 3 skip the "|" separator
while read -r line; do
    ID=$(echo "$line" | awk '{print $1}')
    USER=$(echo "$line" | awk '{print $3}')
    # Look up the user's DN, lower-case it and strip the "dn: " prefix
    DN=$(ldapsearch -H ldaps://yourldapserver:port -D "yourdomain\\$bindDNUser" -w "$bindDNPass" -o ldif-wrap=no -b yourbaseuser -xLLL "cn=$USER" dn | tr '[:upper:]' '[:lower:]' | sed 's/^dn: //')
    # Skip users ldapsearch did not find, so local accounts stay local
    [ -z "$DN" ] && continue
    # PostgreSQL string literals use single quotes; match the id with = rather than LIKE
    echo "UPDATE main_profile SET ldap_dn = '$DN' WHERE user_id = $ID;"
    echo "UPDATE auth_user SET password = '' WHERE id = $ID;"
done < liste

Launch the script and copy/check/launch all the echoed lines in the new postgres.

All your ldap accounts will be considered as ldap again.
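The generate-then-review step described in the comment above, as an added example that is not part of the original comment or of the awx-migrate project: a Python version that parses the psql output of `select id, username from auth_user;` directly (so the header, separator and "(N rows)" footer no longer have to be stripped by hand), resolves each username to a DN through a caller-supplied lookup (here a constructed in-memory table standing in for ldapsearch), skips users the directory does not know so they stay local accounts, and emits the same two UPDATE statements with the DN quoted as a proper SQL string literal (embedded single quotes doubled). The `main_profile`, `auth_user`, `ldap_dn` and `password` names are the ones used in the comment; the sample rows and DNs are constructed.

```python
"""Generate the SQL that re-marks imported AWX users as LDAP users (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of `select id, username from auth_user;` in psql's default
# aligned output: header, separator, data rows, row-count footer.
SAMPLE_PSQL_OUTPUT = """\
 id | username
----+------------
  1 | admin
  7 | jdoe
  9 | o'brien
 12 | svc-backup
(4 rows)
"""

# Constructed stand-in for ldapsearch results (username -> DN).
# 'admin' and 'svc-backup' are deliberately absent so they stay local accounts.
SAMPLE_DIRECTORY: Dict[str, str] = {
    "jdoe": "CN=jdoe,OU=people,DC=example,DC=org",
    "o'brien": "CN=o'brien,OU=people,DC=example,DC=org",
}


def parse_psql_rows(text: str) -> List[Tuple[int, str]]:
    """Return (id, username) pairs, skipping the header, the '----+----'
    separator, blank lines and the trailing '(N rows)' footer."""
    rows: List[Tuple[int, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(") or set(line) <= set("-+"):
            continue
        parts = [p.strip() for p in line.split("|", 1)]
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header row: 'id' is not numeric
        rows.append((int(parts[0]), parts[1]))
    return rows


def sql_literal(value: str) -> str:
    """Quote a string as a SQL literal: single quotes, embedded quotes doubled.
    Double quotes would be parsed by PostgreSQL as an identifier, not a string."""
    return "'" + value.replace("'", "''") + "'"


def build_updates(psql_text: str, lookup_dn: Callable[[str], Optional[str]]) -> List[str]:
    """Emit the two UPDATE statements per user that the comment above runs by hand.
    lookup_dn returns the user's DN or None; users without a DN are left untouched."""
    statements: List[str] = []
    for user_id, username in parse_psql_rows(psql_text):
        dn = lookup_dn(username)
        if not dn:
            continue  # not in the directory: keep it a local account
        dn = dn.lower()  # the original script lower-cases the DN before storing it
        statements.append(
            f"UPDATE main_profile SET ldap_dn = {sql_literal(dn)} WHERE user_id = {user_id};"
        )
        statements.append(f"UPDATE auth_user SET password = '' WHERE id = {user_id};")
    return statements


if __name__ == "__main__":
    # Print the statements for review before running them against the new database.
    print("\n".join(build_updates(SAMPLE_PSQL_OUTPUT, SAMPLE_DIRECTORY.get)))
```

Swapping `SAMPLE_DIRECTORY.get` for a function that runs ldapsearch (or an LDAP client library) is the only change needed for a real run; the generated statements are still meant to be reviewed before they are applied, exactly as the comment describes.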

@RobertGwilliam

Thanks @grimlokason that was a great steer, works well for me.
