Ansible is a great orchestration tool. Ansible Tower is the enterprise version of Ansible adding features like a WebUI, RestAPI and others.
Tower has also some features like role-based access control allowing to control which user is allowed to run which playbooks on which infrastructure, servers and so on.
In larger environments, this is not done manually but using a centrally managed Identity Management System such as Redhat IdM with IPA or Microsoft Active Directory.
This post covers how to set up Ansible Tower to leverage the use of IPA features in a simple way. Its going to use one Organizaion.
License needed
Unfortunately Tower is not yet an open source with an upstream project, this will still take some time, please be patient. Please ensure you got a license for the “standard” or “premium” edition of Ansible Tower since this is a requirement for LDAP integration, please see https://www.ansible.com/tower-editions.
Preparation in IPA
Create a bind user for Ansible
ldapmodify -x -D 'cn=Directory Manager' -W <<EOF dn: uid=ansible,cn=sysaccounts,cn=etc,dc=example,dc=com changetype: add objectclass: account objectclass: simplesecurityobject uid: system userPassword: supersecret passwordExpirationTime: 20380119031407Z nsIdleTimeout: 0 EOF
Lets create the group in IPA
ipa2:~# ipa group-add --nonposix ansible ipa2:~# ipa group-add-member ansible --users=jdoe
The default behavior is that every user in IPA/LDAP can log in to Tower, if not assigned to a Team, the user has no privileges, however, this is not something you want. Therefore the group “ansible” is used to restrict logins to users of that group.
LDAP tree
Non-Kerberized Web application usually query the compat LDAP tree for authentication. However, the compat tree does not expose all the required LDAP attributes (yet) I.e sn or mail are missing. There is a request for enhancement pending, see also https://bugzilla.redhat.com/show_bug.cgi?id=1362272.
We are going to customize the LDAP queries for the “normal” LDAP tree in IPA. Unfortunately this means it only works with with users created in IPA. If you are using a cross domain trust with Microsoft Active directory, the AD users are not able to log in in Ansible Tower. In such a case, set up Ansible Tower to query AD directly.
Configuring Ansible Tower
Edit the file /etc/tower/conf.d/ldap.py and add/edit the following lines to be able to look up users and groups:
AUTH_LDAP_SERVER_URI = 'ldap://ipa2.example.com:389'
AUTH_LDAP_BIND_DN = 'uid=ansible,cn=sysaccounts,cn=etc,dc=example,dc=com'
AUTH_LDAP_BIND_PASSWORD = 'supersecret'
AUTH_LDAP_USER_SEARCH = LDAPSearch(
'cn=users,cn=accounts,dc=example,dc=com',
ldap.SCOPE_SUBTREE,
'(uid=%(user)s)',
AUTH_LDAP_USER_ATTR_MAP = {
'first_name': 'givenName',
'last_name': 'sn',
'email': 'mail',
}
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
'cn=groups,cn=accounts,dc=example,dc=com', # Base DN
ldap.SCOPE_SUBTREE,
'(objectClass=group)',
)
If you want to prevent any user to login to Ansible Tower, you can restrict it to one group, in this example a user must be member of the group ansible to be able to log in. This is strongly recommended
AUTH_LDAP_REQUIRE_GROUP = 'cn=ansible,cn=groups,cn=accounts,dc=example,dc=com'
You can also define a ipa group which gets automatically the superuser role assigned.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
'is_superuser': 'cn=admins,cn=groups,cn=accounts,dc=example,dc=com',
}
Next will be how to auto assign users to teams, this will be done later in a separate post.
Have fun 🙂
Hi,
I’m working on FreeIPA, oVirt and Ansible and found many of your blogs useful. Thanks a lot.
I found that adding a service account to ldap will provide more access that just read only to users and groups. Do you have any suggestion on how to ‘lock it down’? https://www.redhat.com/archives/freeipa-users/2016-March/msg00191.html
Well… ACIs can be a solution. I don’t know if this is a supported