2017-06-08 10:02:16 -04:00
This guide explains how to implement LDAP authentication using an external server. User authentication will fall back to built-in Django users in the event of a failure.
2016-07-08 17:09:35 -04:00
# Requirements
## Install openldap-devel
On Ubuntu:
2016-11-30 12:07:51 -05:00
```no-highlight
2016-07-08 17:09:35 -04:00
sudo apt-get install -y python-dev libldap2-dev libsasl2-dev libssl-dev
```
On CentOS:
2016-11-30 12:07:51 -05:00
```no-highlight
2016-07-08 17:09:35 -04:00
sudo yum install -y python-devel openldap-devel
```
## Install django-auth-ldap
2016-11-30 12:07:51 -05:00
```no-highlight
2016-07-08 17:09:35 -04:00
sudo pip install django-auth-ldap
```
# Configuration
2017-12-20 14:48:42 -05:00
Create a file in the same directory as `configuration.py` (typically `netbox/netbox/` ) named `ldap_config.py` . Define all of the parameters required below in `ldap_config.py` . Complete documentation of all `django-auth-ldap` configuration options is included in the project's [official documentation ](http://django-auth-ldap.readthedocs.io/ ).
2016-07-08 17:09:35 -04:00
## General Server Configuration
2017-06-09 12:19:32 -04:00
!!! info
When using Windows Server 2012 you may need to specify a port on `AUTH_LDAP_SERVER_URI` . Use `3269` for secure, or `3268` for non-secure.
2016-07-08 17:09:35 -04:00
```python
import ldap
# Server URI
AUTH_LDAP_SERVER_URI = "ldaps://ad.example.com"
# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}
# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=NETBOXSA, OU=Service Accounts,DC=example,DC=com"
AUTH_LDAP_BIND_PASSWORD = "demo"
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True
```
2017-06-08 10:02:16 -04:00
2017-12-20 14:48:42 -05:00
STARTTLS can be configured by setting `AUTH_LDAP_START_TLS = True` and using the `ldap://` URI scheme.
2016-07-08 17:09:35 -04:00
## User Authentication
2017-06-09 12:19:32 -04:00
!!! info
2017-09-29 13:22:42 -04:00
When using Windows Server 2012, `AUTH_LDAP_USER_DN_TEMPLATE` should be set to None.
2017-06-09 12:19:32 -04:00
2016-07-08 17:09:35 -04:00
```python
from django_auth_ldap.config import LDAPSearch
# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=example,dc=com",
ldap.SCOPE_SUBTREE,
"(sAMAccountName=%(user)s)")
# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"
# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
2017-08-02 08:45:00 -06:00
"last_name": "sn",
"email": "mail"
2016-07-08 17:09:35 -04:00
}
```
2017-06-08 10:02:16 -04:00
2016-07-08 17:09:35 -04:00
# User Groups for Permissions
2017-12-20 14:48:42 -05:00
!!! info
2017-12-29 13:21:32 +01:00
When using Microsoft Active Directory, support for nested groups can be activated by using `NestedGroupOfNamesType()` instead of `GroupOfNamesType()` for `AUTH_LDAP_GROUP_TYPE` .
2016-07-08 17:09:35 -04:00
```python
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
2018-02-21 12:39:29 -05:00
# hierarchy.
2016-07-08 17:09:35 -04:00
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=example,dc=com", ldap.SCOPE_SUBTREE,
"(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "CN=NETBOX_USERS,DC=example,DC=com"
# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": "cn=active,ou=groups,dc=example,dc=com",
"is_staff": "cn=staff,ou=groups,dc=example,dc=com",
"is_superuser": "cn=superuser,ou=groups,dc=example,dc=com"
}
# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
```
2017-04-13 17:03:58 -04:00
2017-06-08 10:02:16 -04:00
* `is_active` - All users must be mapped to at least this group to enable authentication. Without this, users cannot log in.
* `is_staff` - Users mapped to this group are enabled for access to the administration tools; this is the equivalent of checking the "staff status" box on a manually created user. This doesn't grant any specific permissions.
* `is_superuser` - Users mapped to this group will be granted superuser status. Superusers are implicitly granted all permissions.
