Problems with custom user groups and LDAP authentication

Sylaan K'daar
Jul 3, 2018, 4:54:10 AM
to NetBox
Hi all, 

We currently have Netbox running (latest version, 2.3.5) and we're using LDAP authentication with an Active Directory backend, which works fine. Before, there were not many people using Netbox, so we just had them all in the is_superuser group while we got everything up and running.

Now there are more people using it, and since they don't need to have all permissions, I tried to make it work with custom groups. I created a group ipam_admin with rights only on the IPAM section, and my LDAP section looks like this:

from django_auth_ldap.config import LDAPGroupQuery

AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("CN=All Users,OU=Groups,OU=Network,DC=corp,DC=com")
)

# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_staff": LDAPGroupQuery("CN=Admins,OU=Groups,OU=Network,DC=corp,DC=com"),
    "is_active": LDAPGroupQuery("CN=All users,OU=Groups,OU=Network,DC=corp,DC=com"),
    "is_ipam_admin": LDAPGroupQuery("CN=Technical-Support,OU=Groups,OU=Network,DC=corp,DC=com"),
    "is_superuser": LDAPGroupQuery("CN=Admins,OU=Groups,OU=Network,DC=corp,DC=com"),
}


The problem is, this is not working as I expect it to. A user who is part of the AD group Technical-Support can log in (because of the required section and is_active), but they only have read-only access. Of course, if I move the LDAPGroupQuery line for the Technical-Support group to the is_superuser section then all is fine. I just don't want those people to have superuser rights.

Any idea what I am doing wrong? I tried to play with the group names (i.e. renaming the Django group to is_ipam_admin instead of ipam_admin), but nothing helped. Is that "is_" prefix some sort of special string?

I would appreciate any help,

Regards,
Stefan

Brian Candler
Jul 3, 2018, 6:02:53 AM
to NetBox
Have you set AUTH_LDAP_FIND_GROUP_PERMS = True? And also AUTH_LDAP_GROUP_SEARCH and AUTH_LDAP_GROUP_TYPE?

is_active, is_staff, is_superuser are hard-coded concepts, separate from the concept of groups.  Observe that a default Netbox installation has no groups created, but you can have users with these flags.

What you want is to map LDAP groups to Django groups, and that's not done using "is_xxx" but using a group search, and defining a group type which is one of the concrete subclasses of LDAPGroupType.  See:


The default (name_attr='cn') takes the leading CN part of the group name, so for example someone in LDAP group CN=Technical-Support,OU=Groups,OU=Network,DC=corp,DC=com will be in a Netbox/Django group called "Technical-Support", not "ipam_admin".

If you want to map Technical-Support to ipam_admin, you'll need to code your own subclass of LDAPGroupType.  Or you can just create a group called Technical-Support and add permissions to that.

Stefan
Jul 3, 2018, 6:16:15 AM
to NetBox
Thanks for the info, Brian. 

Yes, I do have those things set up but my AUTH_LDAP_GROUP_TYPE is set to NestedGroupOfNamesType(), since our users are organized in all sorts of nested groups:

import ldap
from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("OU=Groups,OU=Network,DC=corp,DC=com", ldap.SCOPE_SUBTREE, "(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()
AUTH_LDAP_FIND_GROUP_PERMS = True

My problem is that we have multiple AD groups of people and all need IPAM-only access. I thought I could have one single Django group (ipam_admin) and somehow add multiple AD groups to it. I guess the solution here would be to create multiple Django groups with the name equal to the CN of the AD group's DN (i.e. Technical-Support in my example, and others)?

I will give that a try with the LDAPGroupType.
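Brian's suggestion of subclassing LDAPGroupType, and Stefan's wish to have several AD groups feed one Django group (ipam_admin), can be done by overriding group_name_from_info. The block below is an added example, not code from this thread, from django-auth-ldap or from NetBox. It assumes django-auth-ldap's group-type API (the backend calls group_name_from_info((dn, attrs)) on AUTH_LDAP_GROUP_TYPE for each group the nested search returns, and AUTH_LDAP_FIND_GROUP_PERMS looks permissions up by the returned names). The class name MappedNestedGroupType, the helpers normalize_dn and resolve_django_groups, the import fallback and the "CN=NOC,..." DN are assumptions made here; "ipam_admin" and the Technical-Support DN are the thread's. It maps on the full DN rather than the CN, so a group that merely shares the CN in another OU does not pick up the permissions.

```python
"""Several AD groups -> one Django group via a custom LDAPGroupType subclass.

Added example, not code from the thread, django-auth-ldap or NetBox. Assumes
django-auth-ldap's group-type API: the backend calls group_name_from_info on
AUTH_LDAP_GROUP_TYPE with a (dn, attrs) tuple for each group the nested
search returns. The class name, normalize_dn, resolve_django_groups and the
"CN=NOC,..." DN are assumptions for this example.
"""
try:
    from django_auth_ldap.config import NestedGroupOfNamesType
except ImportError:
    # Assumption: stand-in with the base behaviour (Django group name = first
    # value of name_attr, default cn) so the mapping logic runs without Django.
    class NestedGroupOfNamesType:
        def __init__(self, name_attr="cn"):
            self.name_attr = name_attr

        def group_name_from_info(self, group_info):
            _dn, attrs = group_info
            values = attrs.get(self.name_attr)
            return values[0] if values else None


def normalize_dn(dn):
    """Lower-case the DN and drop whitespace around RDN separators so that
    'CN=Foo, OU=Groups,DC=corp,DC=com' and 'cn=foo,ou=groups,dc=corp,dc=com'
    compare equal (AD DNs are case-insensitive, and the directory may return
    a different casing than the one typed into the config). Assumes the DNs
    contain no escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class MappedNestedGroupType(NestedGroupOfNamesType):
    """NestedGroupOfNamesType whose listed LDAP groups map to a chosen Django
    group name. Keyed on the full DN, not the CN: a group that only shares the
    CN but lives in another OU keeps the default name and therefore does not
    inherit the mapped group's permissions. Unlisted groups behave as before
    (Django group name = cn)."""

    def __init__(self, dn_to_django_group, name_attr="cn"):
        super().__init__(name_attr=name_attr)
        self._mapping = {normalize_dn(dn): name
                         for dn, name in dn_to_django_group.items()}

    def group_name_from_info(self, group_info):
        dn, _attrs = group_info
        mapped = self._mapping.get(normalize_dn(dn))
        if mapped is not None:
            return mapped
        return super().group_name_from_info(group_info)


def resolve_django_groups(group_type, group_infos):
    """Assumed helper: collapse the (dn, attrs) entries the group search
    returns into the set of Django group names permissions are looked up by."""
    names = {group_type.group_name_from_info(info) for info in group_infos}
    names.discard(None)
    return names


# What goes in ldap_config.py: several AD groups -> the single Django group
# "ipam_admin" (which still has to exist, with its permissions, in Django).
IPAM_ADMIN_GROUPS = {
    "CN=Technical-Support,OU=Groups,OU=Network,DC=corp,DC=com": "ipam_admin",
    "CN=NOC,OU=Groups,OU=Network,DC=corp,DC=com": "ipam_admin",  # constructed DN
}
AUTH_LDAP_GROUP_TYPE = MappedNestedGroupType(IPAM_ADMIN_GROUPS)

# Constructed sample of the (dn, attrs) entries a nested group search might
# return for one user. The last entry shares a CN with a mapped group but sits
# in a different OU and must not be promoted to ipam_admin.
SAMPLE_USER_GROUPS = [
    ("CN=Technical-Support,OU=Groups,OU=Network,DC=corp,DC=com", {"cn": ["Technical-Support"]}),
    ("cn=noc, ou=groups, ou=network, dc=corp, dc=com", {"cn": ["NOC"]}),
    ("CN=All Users,OU=Groups,OU=Network,DC=corp,DC=com", {"cn": ["All Users"]}),
    ("CN=Technical-Support,OU=Contractors,DC=corp,DC=com", {"cn": ["Technical-Support"]}),
]

if __name__ == "__main__":
    print(sorted(resolve_django_groups(AUTH_LDAP_GROUP_TYPE, SAMPLE_USER_GROUPS)))
```

Used as AUTH_LDAP_GROUP_TYPE together with AUTH_LDAP_GROUP_SEARCH and AUTH_LDAP_FIND_GROUP_PERMS = True, the user above would be looked up as a member of ipam_admin, All Users and Technical-Support; the contractor group with the same CN stays a plain "Technical-Support" and only carries whatever a Django group of that name has been given. The simpler route from later in the thread, naming the Django groups after the AD CNs, needs no code, but it grants the permissions to any group with that CN under the search base, so keep the search base tight if you take it.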

Frank Mogaddedi
Jul 3, 2018, 6:44:44 AM
to NetBox

If I understand correctly, you want to do something similar to this? (if I misunderstood, sorry…)


import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, NestedGroupOfNamesType, LDAPGroupQuery

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("DC=corp,DC=local", ldap.SCOPE_SUBTREE,
                                    "(objectClass=group)")

AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("CN=minions,OU=Groups,OU=Global,OU=Sites,DC=corp,DC=local") |
    LDAPGroupQuery("CN=more_minions,OU=Groups,OU=Global,OU=Sites,DC=corp,DC=local") |
    LDAPGroupQuery("cn=bigshots,ou=Groups,ou=Global,ou=Sites,dc=corp,dc=local")
)

# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": ["cn=minions,ou=Groups,ou=Global,ou=Sites,dc=corp,dc=local",
                  "cn=more_minions,ou=Groups,ou=Global,ou=Sites,dc=corp,dc=local",
                  "cn=bigshots,ou=Groups,ou=Global,ou=Sites,dc=corp,dc=local"],
    "is_staff": ["cn=minions,ou=Groups,ou=Global,ou=Sites,dc=corp,dc=local",
                 "cn=bigshots,ou=Groups,ou=Global,ou=Sites,dc=corp,dc=local"],
    "is_superuser": "cn=network-gods,ou=Groups,ou=Global,ou=Sites,dc=corp,dc=local",
}

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True


And yes, users who are in “network-gods” would probably also have to be in one of the “require” groups in my case.

 

HTH,


    Frank


Stefan
Jul 3, 2018, 9:22:06 AM
to NetBox
That seems to work only with the 3 built-in Netbox groups (is_active, is_staff and is_superadmin). For custom Django groups, it seems the Django group name has to match the AD/LDAP group name (the CN attribute). I'll test as soon as I get a chance.

Stefan
Jul 5, 2018, 8:28:12 AM
to NetBox
In the end it worked by adding the following to AUTH_LDAP_USER_FLAGS_BY_GROUP:

    "Group1": ["CN=Group1,OU=Groups,OU=Network,DC=corp,DC=com"],
    "Group2": ["CN=Group2,OU=Groups,OU=Network,DC=corp,DC=com"],
    "Group3": ["CN=Group3,OU=Groups,OU=Network,DC=corp,DC=com"],
    "Group4": ["CN=Group4,OU=Groups,OU=Network,DC=corp,DC=com"],


I also had to create those Django groups in the admin section. Thanks for all the help. 

Regards,
Stefan