
ldap users are converted into local accounts

Open richardsonky opened this issue 5 years ago • 4 comments

We use LDAP to authenticate. When importing on the new server, the user accounts are converted into local accounts. I can delete them and log in again and they will be recreated, but it would be good to either not create the LDAP accounts or to create them as LDAP accounts.

richardsonky avatar Jul 09 '19 15:07 richardsonky

Yes, I'm aware of this behaviour, as I struggled with it myself. I'm not sure how AWX marks users as being LDAP users. AFAIK, it must be through some specially formed data in the password field, which I could not reproduce.

You could skip importing users and restore all other objects, but that might yield errors for objects that are owned by an LDAP user, causing the import of those objects to fail.

You can import all users, import all other objects, then delete all those users. When users then log in again, their proper LDAP account is re-created. Depending on LDAP group settings, you might need to re-assign users to specific groups then, and/or re-assign certain memberships.

I don't have, or rather don't know, the solution to this problem. We'd need to get info on how LDAP users are stored in AWX. So far I couldn't find this information.

srgvg avatar Jul 18 '19 13:07 srgvg

So the tower-cli receive function does not dump the complete record for users which have the attributes 'ldap_dn' and external_account. Since the tower-cli util is not being developed any more, you may want to look at a script that uses the new awxkit (part of new versions of AWX) and do a bit of back-and-forth parsing.

fischerdr avatar Dec 02 '19 20:12 fischerdr

The new awxkit doesn't seem to have the possibility to do an export as with tower-cli. But with tower-cli/awx-migrate we can fix it with some actions directly in the database:

In the new Postgres database:

select id, username from auth_user;

Copy/paste all the lines except the first two into a file named "liste". Delete the lines that don't concern LDAP accounts.

In a shell script:

read -p "User : " bindDNUser
read -s -p "Password : " bindDNPass
echo ""
while read -r line; do
    # psql prints rows as "id | username", so the username is the third field
    ID=$(echo "$line" | awk '{print $1}')
    USER=$(echo "$line" | awk '{print $3}')
    # ldapsearch returns "dn: <value>"; strip the prefix and lower-case the result
    DN=$(ldapsearch -H ldaps://yourldapserver:port -D "yourdomain\\$bindDNUser" -w "$bindDNPass" -o ldif-wrap=no -b yourbaseuser -xLLL "cn=$USER" dn | tr '[:upper:]' '[:lower:]' | sed 's/^dn: //')
    # SQL string literals take single quotes (double quotes name identifiers),
    # and user_id is an integer column, so compare it with = rather than LIKE
    echo "UPDATE main_profile SET ldap_dn = '$DN' WHERE user_id = $ID;"
    echo "UPDATE auth_user SET password = '' WHERE id = $ID;"
done < liste

Launch the script and copy/check/launch all the echoed lines in the new Postgres database.

All your LDAP accounts will be considered LDAP accounts again.

grimlokason avatar Dec 04 '19 15:12 grimlokason
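The procedure above blanks the password and sets `main_profile.ldap_dn` for every user in the list, even when the DN lookup returned nothing or several entries. The script below is an added example, not code from the thread or from awx-migrate: it parses the raw psql output (header, separator and `(n rows)` footer included, so nothing has to be deleted by hand), emits the two UPDATE statements only when exactly one DN came back, and builds the SQL literals with single quotes doubled so a DN containing `'` cannot break the statement. The `ldap_lookup` function mirrors the thread's ldapsearch call with placeholder server and base values; the stand-alone run at the bottom uses a constructed `sample_lookup` directory instead, so it works offline.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): generate the UPDATE statements that
# re-mark awx-migrate'd users as LDAP users, skipping users whose DN lookup
# did not return exactly one DN.
set -eu

NL='
'

# sql_quote STRING -> SQL string literal, with embedded single quotes doubled
sql_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# emit_sql ID DN -> prints the two UPDATEs for one user; prints nothing and
# returns 1 when ID is not numeric or DN is empty / spans several lines.
emit_sql() {
  case $1 in ''|*[!0-9]*) echo "skip: bad id '$1'" >&2; return 1 ;; esac
  case $2 in
    '')      echo "skip: user_id $1: no DN returned" >&2; return 1 ;;
    *"$NL"*) echo "skip: user_id $1: more than one DN returned" >&2; return 1 ;;
  esac
  printf "UPDATE main_profile SET ldap_dn = %s WHERE user_id = %s;\n" "$(sql_quote "$2")" "$1"
  printf "UPDATE auth_user SET password = '' WHERE id = %s;\n" "$1"
}

# ldap_lookup USERNAME -> DN, using the same ldapsearch shape as the thread.
# Server, bind DN and search base are placeholders to be filled in. A DN that
# ldapsearch has to base64-encode comes back as "dn:: ..." and is deliberately
# not matched here, so that user is skipped rather than given a wrong DN.
ldap_lookup() {
  ldapsearch -H ldaps://yourldapserver:port -D "yourdomain\\$bindDNUser" -w "$bindDNPass" \
    -o ldif-wrap=no -b yourbaseuser -xLLL "cn=$1" dn | sed -n 's/^dn: //p'
}

# generate LOOKUP_CMD < psql-output : one UPDATE pair per resolvable user.
# Rows look like "  2 | jdoe"; header, separator and "(n rows)" have no
# numeric id and are skipped before any lookup is made.
generate() {
  lookup=$1
  while IFS= read -r line; do
    id=$(printf '%s' "${line%%|*}" | tr -d ' ')
    user=$(printf '%s' "${line#*|}" | tr -d ' ')
    case $id in ''|*[!0-9]*) continue ;; esac
    dn=$("$lookup" "$user") || dn=''
    emit_sql "$id" "$dn" || true
  done
}

# Constructed stand-in for the directory (not a real LDAP server):
# jdoe and asmith exist, anything else is unknown.
sample_lookup() {
  case $1 in
    jdoe)   echo "cn=jdoe,ou=users,dc=example,dc=com" ;;
    asmith) echo "cn=asmith,ou=users,dc=example,dc=com" ;;
    *)      return 1 ;;
  esac
}

# Constructed psql output for "select id, username from auth_user;".
# "ghost" is a local account with no directory entry and is skipped.
generate sample_lookup <<'EOF'
 id | username
----+----------
  1 | jdoe
  2 | ghost
  3 | asmith
(3 rows)
EOF
```

Against a real database, run `psql -c 'select id, username from auth_user;' | generate ldap_lookup > fix.sql` after setting `bindDNUser` and `bindDNPass`, review `fix.sql`, and only then feed it to psql; the lines written to stderr list exactly which users were left untouched and why.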

Thanks @grimlokason that was a great steer, works well for me.

RobertGwilliam avatar Dec 11 '19 21:12 RobertGwilliam