diff --git a/LDAP.md b/LDAP.md index 69a75ef..1a51d96 100644 --- a/LDAP.md +++ b/LDAP.md 
@@ -57,4 +57,66 @@ services: AUTH_LDAP_ATTR_LASTNAME: "sn" AUTH_LDAP_ATTR_FIRSTNAME: "givenName" LDAP_IGNORE_CERT_ERRORS: "false" -``` \ No newline at end of file +``` + +### Example override file for Active Directory. + +It is important to understand that the LDAP configuration in netbox-docker does not work in the same way as it does in normal installation of Netbox. + +All config is handled / controlled in the file netbox/configuration/ldap/*.py. +The file ldap_config.py does 99% and extra.py includes group handling functions. + +For group handling (such as become admin based on AD group) you MUST use extra.py. + +You can choose from adding your LDAP config to either "environment:" in docker-compose.yml or you can add it to the file env/netbox.env. + +When creating the below config, it is out most important that you check the base-dn of every object that you address, because it is very easy to make a mistake. For example, the base DN of the AD group "Domain Users" is "CN=Domain Users,CN=Users,OU=Groups,DC=domain,DC=local". Where the double CN attributes is the confusing part. + +The below config will enable to login using "username@domain.local", but you can change that by replacing userPrincipalName to samAccountName for example, or any other AD attribute really. + +This was tested against Cisco Duo Proxy LDAPS, but it's proxying towards Active Directory so it should work just fine with Active Directory directly. + +Last tips is that if you look at the Netbox LDAP Configuration, then try to find the value in netbox/config/ldap/ldap_config.py to understand how netbox-docker interprets it. 
+ +``` +ENVIRNOMENT VARIABLES TO CONFIGURE: + +BANNER_LOGIN="Please authenticate using Active Directory" +REMOTE_AUTH_ENABLED=True +REMOTE_AUTH_BACKEND="netbox.authentication.LDAPBackend" +AUTH_LDAP_SERVER_URI="ldaps://:636" +AUTH_LDAP_BIND_AS_AUTHENTICATING_USER=False + +LDAP_CA_CERT_DIR = "/etc/ssl/certs" +LDAP_CA_CERT_FILE = "/etc/ssl/certs/my-root.pem" +LDAP_IGNORE_CERT_ERRORS=False + +AUTH_LDAP_BIND_DN="CN=LDAP Bind,OU=,DC=domain,DC=local" +AUTH_LDAP_BIND_PASSWORD="" +AUTH_LDAP_USER_SEARCH=LDAPSearch("DC=domain,DC=local",ldap.SCOPE_SUBTREE,"((userPrincipalName=%(user)s))") +AUTH_LDAP_USER_SEARCH_BASEDN: "OU=,DC=domain,DC=local" +AUTH_LDAP_GROUP_SEARCH_BASEDN: "OU=,DC=domain,dc=local" + +AUTH_LDAP_USER_SEARCH_ATTR: "userPrincipalName" +AUTH_LDAP_GROUP_SEARCH=LDAPSearch("CN=,OU=,dc=domain,dc=local",ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)") +AUTH_LDAP_GROUP_TYPE = GroupOfNamesType + +AUTH_LDAP_CACHE_TIMEOUT = 300 +AUTH_LDAP_MIRROR_GROUPS = True +``` + +In order to make group to permission mapping, you must configure netbox/configuration/ldap/extra.py. +This is an example of how to make all users with the AD-group "NetboxSuperUsers" superusers in Netbox automatically. Another example is already inside the extra.py file. + +``` +CONFIGURATION OF NETBOX/CONFIGURATION/LDAP/EXTRA.PY: + +from django_auth_ldap.config import LDAPGroupQuery + +AUTH_LDAP_REQUIRE_GROUP = ( + LDAPGroupQuery(CN=NetboxSuperUsers,OU=,DC=domain,DC=local") + ) + +AUTH_LDAP_USER_FLAGS_BY_GROUP = { + "is_superuser": "CN=NetboxSuperUsers,OU=,DC=domain,DC=local", +} \ No newline at end of file
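Review bot: the user search filter in the environment block, `"((userPrincipalName=%(user)s))"`, has doubled parentheses and is not a valid RFC 4515 filter; it should read `"(userPrincipalName=%(user)s)"`. The same block, headed "ENVIRNOMENT VARIABLES TO CONFIGURE" (typo: ENVIRONMENT), mixes real environment variables (`AUTH_LDAP_USER_SEARCH_BASEDN: "OU=,DC=domain,DC=local"`, `AUTH_LDAP_USER_SEARCH_ATTR: "userPrincipalName"`) with Python expressions such as `AUTH_LDAP_USER_SEARCH=LDAPSearch(...)` and `AUTH_LDAP_GROUP_TYPE = GroupOfNamesType`, which cannot be passed through docker-compose `environment:` or env/netbox.env; since the text itself says ldap_config.py builds these objects from the `_BASEDN` and `_ATTR` variables, keep only the variables ldap_config.py reads and move any Python-level settings into the extra.py section. Also note that `(objectClass=groupOfNames)` does not match Active Directory group objects, whose objectClass is `group`; since the text says this was only exercised through the Duo proxy, the group search should be verified against AD directly before claiming it "should work just fine". In the extra.py example, `LDAPGroupQuery(CN=NetboxSuperUsers,OU=,DC=domain,DC=local")` is missing its opening quote and is a SyntaxError as written, and setting `AUTH_LDAP_REQUIRE_GROUP` to the same group that grants `is_superuser` means every user who can log in at all is a superuser, which contradicts the stated goal of mapping one group to superuser while other AD users log in as normal users; either drop `AUTH_LDAP_REQUIRE_GROUP` or point it at a broader login group. Style: the heading `### Example override file for Active Directory.` has a trailing period, `out most` should be `utmost`, and `LDAP_CA_CERT_DIR = "/etc/ssl/certs"` uses spaces around `=` unlike the other entries, which is not valid in an env file.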