Added an example of configuring Active Directory integration /Marcus Sjögren

2026-02-05 05:24:05 +00:00 · 2025-08-23 00:00:26 +02:00 · 2025-08-23 00:00:26 +02:00 · 150244c00e
commit 150244c00e
parent 1591936226
1 changed files with 63 additions and 1 deletions
--- a/LDAP.md
+++ b/LDAP.md
@ -57,4 +57,66 @@ services:
      AUTH_LDAP_ATTR_LASTNAME: "sn"
      AUTH_LDAP_ATTR_FIRSTNAME: "givenName"
      LDAP_IGNORE_CERT_ERRORS: "false"
-```
+```
+
+### Example override file for Active Directory.
+
+It is important to understand that the LDAP configuration in netbox-docker does not work in the same way as it does in normal installation of Netbox.
+
+All config is handled / controlled in the file netbox/configuration/ldap/*.py.
+The file ldap_config.py does 99% and extra.py includes group handling functions. 
+
+For group handling (such as become admin based on AD group) you MUST use extra.py.
+
+You can choose from adding your LDAP config to either "environment:" in docker-compose.yml or you can add it to the file env/netbox.env.
+
+When creating the below config, it is out most important that you check the base-dn of every object that you address, because it is very easy to make a mistake. For example, the base DN of the AD group "Domain Users" is "CN=Domain Users,CN=Users,OU=Groups,DC=domain,DC=local". Where the double CN attributes is the confusing part.
+
+The below config will enable to login using "username@domain.local", but you can change that by replacing userPrincipalName to samAccountName for example, or any other AD attribute really.
+
+This was tested against Cisco Duo Proxy LDAPS, but it's proxying towards Active Directory so it should work just fine with Active Directory directly.
+
+Last tips is that if you look at the Netbox LDAP Configuration, then try to find the value in netbox/config/ldap/ldap_config.py to understand how netbox-docker interprets it.
+
+```
+ENVIRNOMENT VARIABLES TO CONFIGURE:
+
+BANNER_LOGIN="Please authenticate using Active Directory"
+REMOTE_AUTH_ENABLED=True
+REMOTE_AUTH_BACKEND="netbox.authentication.LDAPBackend"
+AUTH_LDAP_SERVER_URI="ldaps://<ip-address of dc>:636"
+AUTH_LDAP_BIND_AS_AUTHENTICATING_USER=False
+
+LDAP_CA_CERT_DIR = "/etc/ssl/certs"
+LDAP_CA_CERT_FILE = "/etc/ssl/certs/my-root.pem"
+LDAP_IGNORE_CERT_ERRORS=False
+
+AUTH_LDAP_BIND_DN="CN=LDAP Bind,OU=<OU folder name>,DC=domain,DC=local"
+AUTH_LDAP_BIND_PASSWORD="<ldap bind account password>"
+AUTH_LDAP_USER_SEARCH=LDAPSearch("DC=domain,DC=local",ldap.SCOPE_SUBTREE,"((userPrincipalName=%(user)s))")
+AUTH_LDAP_USER_SEARCH_BASEDN: "OU=<OU folder name>,DC=domain,DC=local"
+AUTH_LDAP_GROUP_SEARCH_BASEDN: "OU=<OU folder name>,DC=domain,dc=local"
+
+AUTH_LDAP_USER_SEARCH_ATTR: "userPrincipalName"
+AUTH_LDAP_GROUP_SEARCH=LDAPSearch("CN=<Netbox AD group>,OU=<OU folder name>,dc=domain,dc=local",ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType
+
+AUTH_LDAP_CACHE_TIMEOUT = 300
+AUTH_LDAP_MIRROR_GROUPS = True
+```
+
+In order to make group to permission mapping, you must configure netbox/configuration/ldap/extra.py.
+This is an example of how to make all users with the AD-group "NetboxSuperUsers" superusers in Netbox automatically. Another example is already inside the extra.py file.
+
+```
+CONFIGURATION OF NETBOX/CONFIGURATION/LDAP/EXTRA.PY:
+
+from django_auth_ldap.config import LDAPGroupQuery
+
+AUTH_LDAP_REQUIRE_GROUP = (
+     LDAPGroupQuery(CN=NetboxSuperUsers,OU=<OU folder name>,DC=domain,DC=local")
+ )
+
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+    "is_superuser": "CN=NetboxSuperUsers,OU=<OU folder name>,DC=domain,DC=local",
+}