ansible · TheRealHaoLiu · Oct 2, 2024 · Aug 27, 2024
diff --git a/Makefile b/Makefile
@@ -33,8 +33,6 @@ MAIN_NODE_TYPE ?= hybrid
 PGBOUNCER ?= false
 # If set to true docker-compose will also start a keycloak instance
 KEYCLOAK ?= false
-# If set to true docker-compose will also start an ldap instance
-LDAP ?= false
 # If set to true docker-compose will also start a splunk instance
 SPLUNK ?= false
 # If set to true docker-compose will also start a prometheus instance
@@ -508,7 +506,6 @@ docker-compose-sources: .git/hooks/pre-commit
 	    -e minikube_container_group=$(MINIKUBE_CONTAINER_GROUP) \
 	    -e enable_pgbouncer=$(PGBOUNCER) \
 	    -e enable_keycloak=$(KEYCLOAK) \
-	    -e enable_ldap=$(LDAP) \
 	    -e enable_splunk=$(SPLUNK) \
 	    -e enable_prometheus=$(PROMETHEUS) \
 	    -e enable_grafana=$(GRAFANA) \
@@ -525,8 +522,7 @@ docker-compose: awx/projects docker-compose-sources
 	ansible-galaxy install --ignore-certs -r tools/docker-compose/ansible/requirements.yml;
 	$(ANSIBLE_PLAYBOOK) -i tools/docker-compose/inventory tools/docker-compose/ansible/initialize_containers.yml \
 	    -e enable_vault=$(VAULT) \
-	    -e vault_tls=$(VAULT_TLS) \
-	    -e enable_ldap=$(LDAP); \
+	    -e vault_tls=$(VAULT_TLS); \
 	$(MAKE) docker-compose-up
 
 docker-compose-up:
@@ -598,7 +594,7 @@ docker-clean:
 	-$(foreach image_id,$(shell docker images --filter=reference='*/*/*awx_devel*' --filter=reference='*/*awx_devel*' --filter=reference='*awx_devel*' -aq),docker rmi --force $(image_id);)
 
 docker-clean-volumes: docker-compose-clean docker-compose-container-group-clean
-	docker volume rm -f tools_var_lib_awx tools_awx_db tools_awx_db_15 tools_vault_1 tools_ldap_1 tools_grafana_storage tools_prometheus_storage $(shell docker volume ls --filter name=tools_redis_socket_ -q)
+	docker volume rm -f tools_var_lib_awx tools_awx_db tools_awx_db_15 tools_vault_1 tools_grafana_storage tools_prometheus_storage $(shell docker volume ls --filter name=tools_redis_socket_ -q)
 
 docker-refresh: docker-clean docker-compose
 

diff --git a/awx/api/serializers.py b/awx/api/serializers.py
@@ -961,7 +961,6 @@ def get_types(self):
 
 class UserSerializer(BaseSerializer):
     password = serializers.CharField(required=False, default='', help_text=_('Field used to change the password.'))
-    ldap_dn = serializers.CharField(source='profile.ldap_dn', read_only=True)
     external_account = serializers.SerializerMethodField(help_text=_('Set if the account is managed by an external service'))
     is_system_auditor = serializers.BooleanField(default=False)
     show_capabilities = ['edit', 'delete']
@@ -979,7 +978,6 @@ class Meta:
             'is_superuser',
             'is_system_auditor',
             'password',
-            'ldap_dn',
             'last_login',
             'external_account',
         )
@@ -1028,8 +1026,10 @@ def validate_password(self, value):
 
     def _update_password(self, obj, new_password):
         # For now we're not raising an error, just not saving password for
-        # users managed by LDAP who already have an unusable password set.
-        # Get external password will return something like ldap or enterprise or None if the user isn't external. We only want to allow a password update for a None option
+        # users managed by external authentication services (who already have an unusable password set).
+        # get_external_account function will return something like social or enterprise when the user is external,
+        # and return None when the user isn't external.
+        # We want to allow a password update only for non-external accounts.
         if new_password and new_password != '$encrypted$' and not self.get_external_account(obj):
             obj.set_password(new_password)
             obj.save(update_fields=['password'])
@@ -1085,37 +1085,6 @@ def get_related(self, obj):
         )
         return res
 
-    def _validate_ldap_managed_field(self, value, field_name):
-        if not getattr(settings, 'AUTH_LDAP_SERVER_URI', None):
-            return value
-        try:
-            is_ldap_user = bool(self.instance and self.instance.profile.ldap_dn)
-        except AttributeError:
-            is_ldap_user = False
-        if is_ldap_user:
-            ldap_managed_fields = ['username']
-            ldap_managed_fields.extend(getattr(settings, 'AUTH_LDAP_USER_ATTR_MAP', {}).keys())
-            ldap_managed_fields.extend(getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys())
-            if field_name in ldap_managed_fields:
-                if value != getattr(self.instance, field_name):
-                    raise serializers.ValidationError(_('Unable to change %s on user managed by LDAP.') % field_name)
-        return value
-
-    def validate_username(self, value):
-        return self._validate_ldap_managed_field(value, 'username')
-
-    def validate_first_name(self, value):
-        return self._validate_ldap_managed_field(value, 'first_name')
-
-    def validate_last_name(self, value):
-        return self._validate_ldap_managed_field(value, 'last_name')
-
-    def validate_email(self, value):
-        return self._validate_ldap_managed_field(value, 'email')
-
-    def validate_is_superuser(self, value):
-        return self._validate_ldap_managed_field(value, 'is_superuser')
-
 
 class UserActivityStreamSerializer(UserSerializer):
     """Changes to system auditor status are shown as separate entries,

diff --git a/awx/api/views/root.py b/awx/api/views/root.py
@@ -295,15 +295,6 @@ def get(self, request, format=None):
             become_methods=PRIVILEGE_ESCALATION_METHODS,
         )
 
-        # If LDAP is enabled, user_ldap_fields will return a list of field
-        # names that are managed by LDAP and should be read-only for users with
-        # a non-empty ldap_dn attribute.
-        if getattr(settings, 'AUTH_LDAP_SERVER_URI', None):
-            user_ldap_fields = ['username', 'password']
-            user_ldap_fields.extend(getattr(settings, 'AUTH_LDAP_USER_ATTR_MAP', {}).keys())
-            user_ldap_fields.extend(getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys())
-            data['user_ldap_fields'] = user_ldap_fields
-
         if (
             request.user.is_superuser
             or request.user.is_system_auditor

diff --git a/awx/conf/migrations/0006_v331_ldap_group_type.py b/awx/conf/migrations/0006_v331_ldap_group_type.py
@@ -1,13 +1,11 @@
 # -*- coding: utf-8 -*-
 from __future__ import unicode_literals
 
-# AWX
-from awx.conf.migrations._ldap_group_type import fill_ldap_group_type_params
-
 from django.db import migrations
 
 
 class Migration(migrations.Migration):
     dependencies = [('conf', '0005_v330_rename_two_session_settings')]
 
-    operations = [migrations.RunPython(fill_ldap_group_type_params)]
+    # this migration is doing nothing, and is here to preserve migrations files integrity
+    operations = []
diff --git a/awx/conf/migrations/0011_remove_ldap_auth_conf.py b/awx/conf/migrations/0011_remove_ldap_auth_conf.py
@@ -0,0 +1,115 @@
+from django.db import migrations
+
+LDAP_AUTH_CONF_KEYS = [
+    'AUTH_LDAP_SERVER_URI',
+    'AUTH_LDAP_BIND_DN',
+    'AUTH_LDAP_BIND_PASSWORD',
+    'AUTH_LDAP_START_TLS',
+    'AUTH_LDAP_CONNECTION_OPTIONS',
+    'AUTH_LDAP_USER_SEARCH',
+    'AUTH_LDAP_USER_DN_TEMPLATE',
+    'AUTH_LDAP_USER_ATTR_MAP',
+    'AUTH_LDAP_GROUP_SEARCH',
+    'AUTH_LDAP_GROUP_TYPE',
+    'AUTH_LDAP_GROUP_TYPE_PARAMS',
+    'AUTH_LDAP_REQUIRE_GROUP',
+    'AUTH_LDAP_DENY_GROUP',
+    'AUTH_LDAP_USER_FLAGS_BY_GROUP',
+    'AUTH_LDAP_ORGANIZATION_MAP',
+    'AUTH_LDAP_TEAM_MAP',
+    'AUTH_LDAP_1_SERVER_URI',
+    'AUTH_LDAP_1_BIND_DN',
+    'AUTH_LDAP_1_BIND_PASSWORD',
+    'AUTH_LDAP_1_START_TLS',
+    'AUTH_LDAP_1_CONNECTION_OPTIONS',
+    'AUTH_LDAP_1_USER_SEARCH',
+    'AUTH_LDAP_1_USER_DN_TEMPLATE',
+    'AUTH_LDAP_1_USER_ATTR_MAP',
+    'AUTH_LDAP_1_GROUP_SEARCH',
+    'AUTH_LDAP_1_GROUP_TYPE',
+    'AUTH_LDAP_1_GROUP_TYPE_PARAMS',
+    'AUTH_LDAP_1_REQUIRE_GROUP',
+    'AUTH_LDAP_1_DENY_GROUP',
+    'AUTH_LDAP_1_USER_FLAGS_BY_GROUP',
+    'AUTH_LDAP_1_ORGANIZATION_MAP',
+    'AUTH_LDAP_1_TEAM_MAP',
+    'AUTH_LDAP_2_SERVER_URI',
+    'AUTH_LDAP_2_BIND_DN',
+    'AUTH_LDAP_2_BIND_PASSWORD',
+    'AUTH_LDAP_2_START_TLS',
+    'AUTH_LDAP_2_CONNECTION_OPTIONS',
+    'AUTH_LDAP_2_USER_SEARCH',
+    'AUTH_LDAP_2_USER_DN_TEMPLATE',
+    'AUTH_LDAP_2_USER_ATTR_MAP',
+    'AUTH_LDAP_2_GROUP_SEARCH',
+    'AUTH_LDAP_2_GROUP_TYPE',
+    'AUTH_LDAP_2_GROUP_TYPE_PARAMS',
+    'AUTH_LDAP_2_REQUIRE_GROUP',
+    'AUTH_LDAP_2_DENY_GROUP',
+    'AUTH_LDAP_2_USER_FLAGS_BY_GROUP',
+    'AUTH_LDAP_2_ORGANIZATION_MAP',
+    'AUTH_LDAP_2_TEAM_MAP',
+    'AUTH_LDAP_3_SERVER_URI',
+    'AUTH_LDAP_3_BIND_DN',
+    'AUTH_LDAP_3_BIND_PASSWORD',
+    'AUTH_LDAP_3_START_TLS',
+    'AUTH_LDAP_3_CONNECTION_OPTIONS',
+    'AUTH_LDAP_3_USER_SEARCH',
+    'AUTH_LDAP_3_USER_DN_TEMPLATE',
+    'AUTH_LDAP_3_USER_ATTR_MAP',
+    'AUTH_LDAP_3_GROUP_SEARCH',
+    'AUTH_LDAP_3_GROUP_TYPE',
+    'AUTH_LDAP_3_GROUP_TYPE_PARAMS',
+    'AUTH_LDAP_3_REQUIRE_GROUP',
+    'AUTH_LDAP_3_DENY_GROUP',
+    'AUTH_LDAP_3_USER_FLAGS_BY_GROUP',
+    'AUTH_LDAP_3_ORGANIZATION_MAP',
+    'AUTH_LDAP_3_TEAM_MAP',
+    'AUTH_LDAP_4_SERVER_URI',
+    'AUTH_LDAP_4_BIND_DN',
+    'AUTH_LDAP_4_BIND_PASSWORD',
+    'AUTH_LDAP_4_START_TLS',
+    'AUTH_LDAP_4_CONNECTION_OPTIONS',
+    'AUTH_LDAP_4_USER_SEARCH',
+    'AUTH_LDAP_4_USER_DN_TEMPLATE',
+    'AUTH_LDAP_4_USER_ATTR_MAP',
+    'AUTH_LDAP_4_GROUP_SEARCH',
+    'AUTH_LDAP_4_GROUP_TYPE',
+    'AUTH_LDAP_4_GROUP_TYPE_PARAMS',
+    'AUTH_LDAP_4_REQUIRE_GROUP',
+    'AUTH_LDAP_4_DENY_GROUP',
+    'AUTH_LDAP_4_USER_FLAGS_BY_GROUP',
+    'AUTH_LDAP_4_ORGANIZATION_MAP',
+    'AUTH_LDAP_4_TEAM_MAP',
+    'AUTH_LDAP_5_SERVER_URI',
+    'AUTH_LDAP_5_BIND_DN',
+    'AUTH_LDAP_5_BIND_PASSWORD',
+    'AUTH_LDAP_5_START_TLS',
+    'AUTH_LDAP_5_CONNECTION_OPTIONS',
+    'AUTH_LDAP_5_USER_SEARCH',
+    'AUTH_LDAP_5_USER_DN_TEMPLATE',
+    'AUTH_LDAP_5_USER_ATTR_MAP',
+    'AUTH_LDAP_5_GROUP_SEARCH',
+    'AUTH_LDAP_5_GROUP_TYPE',
+    'AUTH_LDAP_5_GROUP_TYPE_PARAMS',
+    'AUTH_LDAP_5_REQUIRE_GROUP',
+    'AUTH_LDAP_5_DENY_GROUP',
+    'AUTH_LDAP_5_USER_FLAGS_BY_GROUP',
+    'AUTH_LDAP_5_ORGANIZATION_MAP',
+    'AUTH_LDAP_5_TEAM_MAP',
+]
+
+
+def remove_ldap_auth_conf(apps, scheme_editor):
+    setting = apps.get_model('conf', 'Setting')
+    setting.objects.filter(key__in=LDAP_AUTH_CONF_KEYS).delete()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('conf', '0010_change_to_JSONField'),
+    ]
+
+    operations = [
+        migrations.RunPython(remove_ldap_auth_conf),
+    ]
diff --git a/awx/conf/migrations/_ldap_group_type.py b/awx/conf/migrations/_ldap_group_type.py
diff --git a/awx/conf/signals.py b/awx/conf/signals.py
@@ -73,6 +73,6 @@
 
         logger.warning("Triggering token invalidation for local users.")
 
-        qs = User.objects.filter(profile__ldap_dn='', enterprise_auth__isnull=True, social_auth__isnull=True)
+        qs = User.objects.filter(enterprise_auth__isnull=True, social_auth__isnull=True)
         revoke_tokens(RefreshToken.objects.filter(revoked=None, user__in=qs))
         revoke_tokens(OAuth2AccessToken.objects.filter(user__in=qs))
diff --git a/awx/conf/tests/functional/test_migrations.py b/awx/conf/tests/functional/test_migrations.py
diff --git a/awx/main/access.py b/awx/main/access.py
@@ -642,10 +642,7 @@ class UserAccess(BaseAccess):
     """
 
     model = User
-    prefetch_related = (
-        'profile',
-        'resource',
-    )
+    prefetch_related = ('resource',)
 
     def filtered_queryset(self):
         if settings.ORG_ADMINS_CAN_SEE_ALL_USERS and (self.user.admin_of_organizations.exists() or self.user.auditor_of_organizations.exists()):