netbox-community-netbox/docs/installation/4-ldap.md

This guide explains how to implement LDAP authentication using an external server. User authentication will fall back to built-in Django users in the event of a failure.

# Requirements

## Install openldap-devel

On Ubuntu:

```no-highlight
sudo apt-get install -y libldap2-dev libsasl2-dev libssl-dev
```

On CentOS:

```no-highlight
sudo yum install -y openldap-devel
```

## Install django-auth-ldap

```no-highlight
pip3 install django-auth-ldap
```

# Configuration

Create a file in the same directory as `configuration.py` (typically `netbox/netbox/`) named `ldap_config.py`. Define all of the parameters required below in `ldap_config.py`. Complete documentation of all `django-auth-ldap` configuration options is included in the project's [official documentation](http://django-auth-ldap.readthedocs.io/).

## General Server Configuration

!!! info
    When using Windows Server 2012 you may need to specify a port on `AUTH_LDAP_SERVER_URI`. Use `3269` for secure, or `3268` for non-secure.

```python
import ldap

# Server URI
AUTH_LDAP_SERVER_URI = "ldaps://ad.example.com"

# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}

# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=NETBOXSA, OU=Service Accounts,DC=example,DC=com"
AUTH_LDAP_BIND_PASSWORD = "demo"

# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True
```

STARTTLS can be configured by setting `AUTH_LDAP_START_TLS = True` and using the `ldap://` URI scheme.

## User Authentication

!!! info
    When using Windows Server 2012, `AUTH_LDAP_USER_DN_TEMPLATE` should be set to None.

```python
from django_auth_ldap.config import LDAPSearch

# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=example,dc=com",
                                    ldap.SCOPE_SUBTREE,
                                    "(sAMAccountName=%(user)s)")

# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"

# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}
```

# User Groups for Permissions
!!! info
    When using Microsoft Active Directory, support for nested groups can be activated by using `NestedGroupOfNamesType()` instead of `GroupOfNamesType()` for `AUTH_LDAP_GROUP_TYPE`. You will also need to modify the import line to use `NestedGroupOfNamesType` instead of `GroupOfNamesType` .

```python
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=example,dc=com", ldap.SCOPE_SUBTREE,
                                    "(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "CN=NETBOX_USERS,DC=example,DC=com"

# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = True

# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=active,ou=groups,dc=example,dc=com",
    "is_staff": "cn=staff,ou=groups,dc=example,dc=com",
    "is_superuser": "cn=superuser,ou=groups,dc=example,dc=com"
}

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
```

* `is_active` - All users must be mapped to at least this group to enable authentication. Without this, users cannot log in.
* `is_staff` - Users mapped to this group are enabled for access to the administration tools; this is the equivalent of checking the "staff status" box on a manually created user. This doesn't grant any specific permissions.
* `is_superuser` - Users mapped to this group will be granted superuser status. Superusers are implicitly granted all permissions.

# Troubleshooting LDAP

`supervisorctl restart netbox` restarts the Netbox service, and initiates any changes made to `ldap_config.py`. If there are syntax errors present, the NetBox process will not spawn an instance, and errors should be logged to `/var/log/supervisor/`.

For troubleshooting LDAP user/group queries, add the following lines to the start of `ldap_config.py` after `import ldap`.

```python
import logging, logging.handlers
logfile = "/opt/netbox/logs/django-ldap-debug.log"
my_logger = logging.getLogger('django_auth_ldap')
my_logger.setLevel(logging.DEBUG)
handler = logging.handlers.RotatingFileHandler(
   logfile, maxBytes=1024 * 500, backupCount=5)
my_logger.addHandler(handler)
```

Ensure the file and path specified in logfile exist and are writable and executable by the application service account. Restart the netbox service and attempt to log into the site to trigger log entries to this file.
Fixed formatting and typos 2017-06-08 10:02:16 -04:00			`This guide explains how to implement LDAP authentication using an external server. User authentication will fall back to built-in Django users in the event of a failure.`
Enabled LDAP authentication 2016-07-08 17:09:35 -04:00
			`# Requirements`

			`## Install openldap-devel`

			`On Ubuntu:`

Ditched syntax highlighting for shell commands 2016-11-30 12:07:51 -05:00			```no-highlight
Closes #2211: Removed Python 2 instructions from the installation docs 2018-07-02 16:33:18 -04:00			`sudo apt-get install -y libldap2-dev libsasl2-dev libssl-dev`
Enabled LDAP authentication 2016-07-08 17:09:35 -04:00			```

			`On CentOS:`

Ditched syntax highlighting for shell commands 2016-11-30 12:07:51 -05:00			```no-highlight
Closes #2211: Removed Python 2 instructions from the installation docs 2018-07-02 16:33:18 -04:00			`sudo yum install -y openldap-devel`
Enabled LDAP authentication 2016-07-08 17:09:35 -04:00			```

			`## Install django-auth-ldap`

Ditched syntax highlighting for shell commands 2016-11-30 12:07:51 -05:00			```no-highlight
Change pip command to pip3 2018-12-10 09:57:37 -05:00			`pip3 install django-auth-ldap`
Enabled LDAP authentication 2016-07-08 17:09:35 -04:00			```

			`# Configuration`

Closes #1775: Added instructions for enabling STARTTLS for LDAP authentication 2017-12-20 14:48:42 -05:00			Create a file in the same directory as `configuration.py` (typically `netbox/netbox/`) named `ldap_config.py`. Define all of the parameters required below in `ldap_config.py`. Complete documentation of all `django-auth-ldap` configuration options is included in the project's [official documentation](http://django-auth-ldap.readthedocs.io/).
Enabled LDAP authentication 2016-07-08 17:09:35 -04:00
			`## General Server Configuration`

Formatting cleanup 2017-06-09 12:19:32 -04:00			`!!! info`
			When using Windows Server 2012 you may need to specify a port on `AUTH_LDAP_SERVER_URI`. Use `3269` for secure, or `3268` for non-secure.

Enabled LDAP authentication 2016-07-08 17:09:35 -04:00			```python
			`import ldap`

			`# Server URI`
			`AUTH_LDAP_SERVER_URI = "ldaps://ad.example.com"`

			`# The following may be needed if you are binding to Active Directory.`
			`AUTH_LDAP_CONNECTION_OPTIONS = {`
			`ldap.OPT_REFERRALS: 0`
			`}`

			`# Set the DN and password for the NetBox service account.`
			`AUTH_LDAP_BIND_DN = "CN=NETBOXSA, OU=Service Accounts,DC=example,DC=com"`
			`AUTH_LDAP_BIND_PASSWORD = "demo"`

			`# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.`
			`# Note that this is a NetBox-specific setting which sets:`
			`# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)`
			`LDAP_IGNORE_CERT_ERRORS = True`
			```
Fixed formatting and typos 2017-06-08 10:02:16 -04:00
Closes #1775: Added instructions for enabling STARTTLS for LDAP authentication 2017-12-20 14:48:42 -05:00			STARTTLS can be configured by setting `AUTH_LDAP_START_TLS = True` and using the `ldap://` URI scheme.

Enabled LDAP authentication 2016-07-08 17:09:35 -04:00			`## User Authentication`

Formatting cleanup 2017-06-09 12:19:32 -04:00			`!!! info`
Minor LDAP documentation formatting cleanup 2017-09-29 13:22:42 -04:00			When using Windows Server 2012, `AUTH_LDAP_USER_DN_TEMPLATE` should be set to None.
Formatting cleanup 2017-06-09 12:19:32 -04:00
Enabled LDAP authentication 2016-07-08 17:09:35 -04:00			```python
			`from django_auth_ldap.config import LDAPSearch`

			`# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's`
			`# username is not in their DN (Active Directory).`
			`AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=example,dc=com",`
			`ldap.SCOPE_SUBTREE,`
			`"(sAMAccountName=%(user)s)")`

			`# If a user's DN is producible from their username, we don't need to search.`
			`AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"`

			`# You can map user attributes to Django attributes as so.`
			`AUTH_LDAP_USER_ATTR_MAP = {`
			`"first_name": "givenName",`
Updated ldap.md Add mapping of `email` field to `mail` value in LDAP. Also remove duplicate entries of such mapping information. 2017-08-02 08:45:00 -06:00			`"last_name": "sn",`
			`"email": "mail"`
Enabled LDAP authentication 2016-07-08 17:09:35 -04:00			`}`
			```
Fixed formatting and typos 2017-06-08 10:02:16 -04:00
Enabled LDAP authentication 2016-07-08 17:09:35 -04:00			`# User Groups for Permissions`
Closes #1775: Added instructions for enabling STARTTLS for LDAP authentication 2017-12-20 14:48:42 -05:00			`!!! info`
More verbose LDAP nested groups documentation 2018-07-03 15:53:58 -07:00			When using Microsoft Active Directory, support for nested groups can be activated by using `NestedGroupOfNamesType()` instead of `GroupOfNamesType()` for `AUTH_LDAP_GROUP_TYPE`. You will also need to modify the import line to use `NestedGroupOfNamesType` instead of `GroupOfNamesType` .
Enabled LDAP authentication 2016-07-08 17:09:35 -04:00
			```python
			`from django_auth_ldap.config import LDAPSearch, GroupOfNamesType`

			`# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group`
Propose fix typos (#1897) 2018-02-21 12:39:29 -05:00			`# hierarchy.`
Enabled LDAP authentication 2016-07-08 17:09:35 -04:00			`AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=example,dc=com", ldap.SCOPE_SUBTREE,`
			`"(objectClass=group)")`
			`AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()`

			`# Define a group required to login.`
			`AUTH_LDAP_REQUIRE_GROUP = "CN=NETBOX_USERS,DC=example,DC=com"`

Closes #2537: Added AUTH_LDAP_MIRROR_GROUPS setting to LDAP docs 2018-12-19 16:24:41 -05:00			`# Mirror LDAP group assignments.`
			`AUTH_LDAP_MIRROR_GROUPS = True`

Enabled LDAP authentication 2016-07-08 17:09:35 -04:00			`# Define special user types using groups. Exercise great caution when assigning superuser status.`
			`AUTH_LDAP_USER_FLAGS_BY_GROUP = {`
			`"is_active": "cn=active,ou=groups,dc=example,dc=com",`
			`"is_staff": "cn=staff,ou=groups,dc=example,dc=com",`
			`"is_superuser": "cn=superuser,ou=groups,dc=example,dc=com"`
			`}`

			`# For more granular permissions, we can map LDAP groups to Django groups.`
			`AUTH_LDAP_FIND_GROUP_PERMS = True`

			`# Cache groups for one hour to reduce LDAP traffic`
			`AUTH_LDAP_CACHE_GROUPS = True`
			`AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600`
			```
Enhance LDAP documentation Incorporating @marvnrawley's enhancements from #518 2017-04-13 17:03:58 -04:00
Fixed formatting and typos 2017-06-08 10:02:16 -04:00			* `is_active` - All users must be mapped to at least this group to enable authentication. Without this, users cannot log in.
			* `is_staff` - Users mapped to this group are enabled for access to the administration tools; this is the equivalent of checking the "staff status" box on a manually created user. This doesn't grant any specific permissions.
			* `is_superuser` - Users mapped to this group will be granted superuser status. Superusers are implicitly granted all permissions.
Updating LDAP documentation Adding information on service restarts and logging LDAP queries for troubleshooting. 2018-12-11 11:45:45 -06:00
			`# Troubleshooting LDAP`

Minor tweaks 2018-12-20 09:54:59 -05:00			`supervisorctl restart netbox` restarts the Netbox service, and initiates any changes made to `ldap_config.py`. If there are syntax errors present, the NetBox process will not spawn an instance, and errors should be logged to `/var/log/supervisor/`.
Updating LDAP documentation Adding information on service restarts and logging LDAP queries for troubleshooting. 2018-12-11 11:45:45 -06:00
			For troubleshooting LDAP user/group queries, add the following lines to the start of `ldap_config.py` after `import ldap`.

			```python
			`import logging, logging.handlers`
			`logfile = "/opt/netbox/logs/django-ldap-debug.log"`
			`my_logger = logging.getLogger('django_auth_ldap')`
			`my_logger.setLevel(logging.DEBUG)`
			`handler = logging.handlers.RotatingFileHandler(`
			`logfile, maxBytes=1024 * 500, backupCount=5)`
			`my_logger.addHandler(handler)`
			```

Minor tweaks 2018-12-20 09:54:59 -05:00			`Ensure the file and path specified in logfile exist and are writable and executable by the application service account. Restart the netbox service and attempt to log into the site to trigger log entries to this file.`