Ansible Tower LDAP member_attr error #652

Merged
merged 2 commits into from
Oct 13, 2021

MAHDTech
Contributor

@MAHDTech MAHDTech commented Oct 5, 2021

What does this PR do?

Removes the member_attr field from the template (which is added by default) by only specifying name_attr.

How should this be tested?

Run Ansible role

Is there a relevant Issue open for this?

N/A

Other Relevant info, PRs, etc.

The error received without this is as follows.

lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: 2021-10-05 08:23:31,474 WARNING  awx.conf.settings The current value "{'name_attr': 'cn', 'member_attr': 'member'}" for setting "AUTH_LDAP_GROUP_TYPE_PARAMS" is invalid.
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: Traceback (most recent call last):
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:   File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/awx/conf/settings.py", line 419, in _get_local
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:     return field.run_validation(value)
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:   File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/rest_framework/fields.py", line 568, in run_validation
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:     value = self.to_internal_value(data)
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:   File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/awx/sso/fields.py", line 510, in to_internal_value
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:     self.fail('invalid_keys', invalid_keys=keys_display)
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:   File "/var/lib/awx/venv/awx/lib64/python3.6/site-packages/rest_framework/fields.py", line 641, in fail
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]:     raise ValidationError(message_string, code=key)
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: rest_framework.exceptions.ValidationError: [ErrorDetail(string='Invalid key(s): "member_attr".', code='invalid_keys')]
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: 2021-10-05 08:23:31,745 INFO     awx.api.authentication User admin performed a PUT to /api/v2/settings/ldap/ through the API
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: 2021-10-05 08:23:31,838 WARNING  awx.main.wsbroadcast Adding {'ansible-tower-6999b4886f-9htqp'} to websocket broadcast list
lodestar-ansible-tower/ansible-tower-68cc697696-4xl6f[ansible-tower-web]: 2021-10-05 08:23:31,846 DEBUG    awx.main.wsbroadcast Connection from ansible-tower-68cc697696-4xl6f to 10.217.1.64 attempt number 0.

There are several documented workarounds and fixes, and some of the tests I completed resulted in errors such as:

# GroupOfNames OR MemberDNGroupType when member_attr field is included
lodestar-ansible-tower/ansible-tower-55b98b4594-kqmt9[ansible-tower-web]: 2021-10-12 04:47:52,209 DEBUG    django_auth_ldap uid=developer,cn=users,cn=accounts,dc=apps-crc,dc=testing is not a member of cn=lodestar-mgmt-users,cn=groups,cn=accounts,dc=apps-crc,dc=testing
lodestar-ansible-tower/ansible-tower-55b98b4594-kqmt9[ansible-tower-web]: 2021-10-12 04:47:52,209 DEBUG    django_auth_ldap Authentication failed for developer: user does not satisfy AUTH_LDAP_REQUIRE_GROUP

Removal of the member_attr field in conjunction with using GroupOfNamesType was the only pair that both allowed login and produced no errors in the logs when tested with FreeIPA v4.6.8.

Other

People to notify

cc: @redhat-cop/infra-ansible

@MAHDTech MAHDTech marked this pull request as ready for review October 12, 2021 05:00
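Added example, not part of the pull request or the project's code: a pre-flight check that compares a group type parameter dictionary with the constructor arguments of the chosen group type, which is the kind of key check the traceback above shows failing with "Invalid key(s)". The two classes are offline stand-ins whose constructor signatures are modelled on django_auth_ldap (an assumption), and `check_group_type_params` is a hypothetical helper name.

```python
"""Pre-flight check for AUTH_LDAP_GROUP_TYPE_PARAMS (added example)."""
import inspect


# Stand-ins so the example runs offline. Their constructor signatures are
# modelled on django_auth_ldap.config (assumption, not the project's code).
class MemberDNGroupType:
    def __init__(self, member_attr, name_attr="cn"):
        self.member_attr = member_attr
        self.name_attr = name_attr


class GroupOfNamesType(MemberDNGroupType):
    def __init__(self, name_attr="cn"):
        # The member attribute is fixed to "member"; callers cannot pass it.
        super().__init__("member", name_attr)


GROUP_TYPES = {cls.__name__: cls for cls in (MemberDNGroupType, GroupOfNamesType)}


def check_group_type_params(group_type, params):
    """Return (invalid_keys, missing_keys) for params against the group type."""
    sig = inspect.signature(GROUP_TYPES[group_type].__init__)
    accepted = [p for name, p in sig.parameters.items() if name != "self"]
    names = {p.name for p in accepted}
    required = {p.name for p in accepted if p.default is inspect.Parameter.empty}
    invalid = sorted(set(params) - names)    # keys the constructor does not take
    missing = sorted(required - set(params))  # keys the constructor insists on
    return invalid, missing


if __name__ == "__main__":
    # Constructed sample settings; the first mirrors the value in the log above.
    samples = [
        ("GroupOfNamesType", {"name_attr": "cn", "member_attr": "member"}),
        ("GroupOfNamesType", {"name_attr": "cn"}),
        ("MemberDNGroupType", {"name_attr": "cn"}),
    ]
    for group_type, params in samples:
        invalid, missing = check_group_type_params(group_type, params)
        status = "ok" if not (invalid or missing) else "REJECT"
        print(f"{status:6} {group_type:18} invalid={invalid} missing={missing}")
```

Running a check like this against the rendered template before the role applies the LDAP settings surfaces the mismatch at deploy time instead of as a WARNING in the web container log.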
Contributor

@oybed oybed left a comment

LGTM

@oybed oybed merged commit 8113966 into redhat-cop:main Oct 13, 2021
jfilipcz pushed a commit to jfilipcz/infra-ansible that referenced this pull request Oct 20, 2021
2 participants