LDAP and Automatic Group Assignment

[Antti Hurme]

I've been struggling to figure out how to assign LDAP users to a netbox group automatically. I've made a group in netbox admin, that has the desired permissions and the group is named the same as the group in LDAP. But for now, I've had to add users manually to this group. What am I missing?

[Antti Hurme]

Found this in a previous thread but it doesn't seem to work;

In case anyone needs to do the same thing, I found the config here in the Django docs.

AUTH_LDAP_PROFILE_FLAGS_BY_GROUP = {

   "is_nameofgroup": ["cn=nameofgroup,ou=groups,dc=example,dc=com"]

}

This goes in the ldap_config.py file.  The name of the group in the Django admin page will be "nameofgroup".

I have the config as above,

# Define special user types using groups. Exercise great caution when assigning superuser status.

AUTH_LDAP_USER_FLAGS_BY_GROUP = {

    "is_GroupInDjango": "CN=CompanyWorkers,OU=Global_Groups,ou=company,dc=domain,dc=local",

    "is_active": "CN=CompanyWorkers,OU=Global_Groups,ou=company,dc=domain,dc=local",

    "is_staff": "CN=Netbox-Staff,OU=Global_Groups,ou=company,dc=domain,dc=local",

    "is_superuser": "CN=Netbox-Superuser,OU=Global_Groups,ou=company,dc=domain,dc=local"

}

# For more granular permissions, we can map LDAP groups to Django groups.

AUTH_LDAP_FIND_GROUP_PERMS = True

AUTH_LDAP_ALWAYS_UPDATE_USER = True

# Cache groups for one hour to reduce LDAP traffic

AUTH_LDAP_CACHE_GROUPS = True

AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

LDAP Logging:

cn=antti hurme,ou=kayttajat,ou=company,dc=domain,dc=local is a member of cn=CompanyWorkers,ou=global_groupsou=company,dc=domain,dc=local

Populating Django user ahurme

cn=antti hurme,ou=kayttajat,ou=company,dc=domain,dc=local is a member of cn=netbox-superuser,ou=global_groups,ou=company,dc=domain,dc=local

cn=antti hurme,ou=kayttajat,ou=company,dc=domain,dc=local is a member of cn=netbox-staff,ou=global_groups,ou=company,dc=domain,dc=local

cn=antti hurme,ou=kayttajat,ou=company,dc=domain,dc=local is a member of cn=CompanyWorkers,ou=global_groups,ou=company,dc=domain,dc=local

cn=antti hurme,ou=kayttajat,ou=company,dc=domain,dc=local is a member of cn=CompanyWorkers,ou=global_groups,ou=company,dc=domain,dc=local

I'm still not added to the GroupInDjango.

[Antti Hurme]

Figured this out. To get django groups and ldap groups to match, you need to use http://django-auth-ldap.readthedocs.io/en/1.2.x/reference.html#auth-ldap-mirror-groups

and set this value to True. Once you restart supervisord to reload config.You get the groups in netbox and can assign them permissions. The user will also be assigned to appropriate groups. Do note that if you need some groups, just add them to AUTH_LDAP_MIRROR_GROUPS_EXCEPT.

[Tomas Maggio]

Thank you!

[Dave Noonan]

It would be really nice if we had a wiki where the community could save solutions and tips for others.

On Wed, Oct 25, 2017 at 1:43 AM, Antti Hurme <zimeo...@gmail.com> wrote:

Figured this out. To get django groups and ldap groups to match, you need to use http://django-auth-ldap.readthedocs.io/en/1.2.x/reference.html#auth-ldap-mirror-groups

and set this value to True. Once you restart supervisord to reload config.You get the groups in netbox and can assign them permissions. The user will also be assigned to appropriate groups. Do note that if you need some groups, just add them to AUTH_LDAP_MIRROR_GROUPS_EXCEPT.

--
You received this message because you are subscribed to the Google Groups "NetBox" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netbox-discuss+unsubscribe@googlegroups.com.
To post to this group, send email to netbox-discuss@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/netbox-discuss/b294d0e5-7504-4339-ab6a-2414ab6b81bc%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[LdapUser]

Ldapsearch to find out my group name