Ldap authentication issue for Netbox


brian town

Apr 17, 2019, 11:51:02 AM
to NetBox

Trying to get LDAP to work on my NetBox install. I followed a few guides but keep getting errors. I have the following config:

import ldap
import logging, logging.handlers

logfile = "/opt/netbox/logs/django-ldap-debug.log"
my_logger = logging.getLogger('django_auth_ldap')
my_logger.setLevel(logging.DEBUG)
handler = logging.handlers.RotatingFileHandler(
    logfile, maxBytes=1024 * 500, backupCount=5)
my_logger.addHandler(handler)

# Server URI
AUTH_LDAP_SERVER_URI = "ldap://ad.example.com"
# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}

# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=bindguy, OU=Users,DC=example,DC=com"
AUTH_LDAP_BIND_PASSWORD = "demo"
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True

from django_auth_ldap.config import LDAPSearch

# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Admins,ou=Test,dc=example,dc=com",
                                   ldap.SCOPE_SUBTREE,
                                   "(sAMAccountName=%(user)s)")

# If a user's DN is producible from their username, we don't need to search.
#AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"
# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}

from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=example,dc=com", ldap.SCOPE_SUBTREE,
                                    "(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()

# Define a group required to login.
#AUTH_LDAP_REQUIRE_GROUP = "CN=NETBOX_USERS,DC=example,DC=com"
# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = True
# Define special user types using groups. Exercise great caution when assigning superuser status.
#AUTH_LDAP_USER_FLAGS_BY_GROUP = {
#    "is_active": "cn=active,ou=groups,dc=example,dc=com",
#    "is_staff": "cn=staff,ou=groups,dc=example,dc=com",
#    "is_superuser": "cn=superuser,ou=groups,dc=example,dc=com"
#}

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

I keep getting the following error after I restart NetBox:

Caught LDAPError while authenticating testguy: INVALID_CREDENTIALS({'desc': 'Invalid Credentials', 'info': '80090308: LdapErr: DSID-0c09042A, comment: AcceptSecurityContext error, data 52e, v3839'},)

The credentials are not invalid; I reset the password just in case for testing. I am able to log in just fine via any other system tied to the AD server...

brian town

Apr 17, 2019, 12:39:27 PM
to NetBox
So I figured out my main issue: I was using OUs in place of CNs in my lookups. As soon as I changed that, it seemed to work fine... it helps to have had some coffee, apparently.
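The two posts above describe the full arc of this failure: Active Directory answers a bind with a generic INVALID_CREDENTIALS, and the real cause (here, a DN that used OU= where the default AD container is actually CN=Users) is only visible in the "data" sub-code inside the 'info' string. The following helper is an added example, not NetBox or django-auth-ldap code, for checking both things outside NetBox: it decodes the AD sub-code from the logged error, splits a DN into its RDNs, and flags OU= components that carry the name of a default CN= container. The sub-code table and the list of default containers (Users, Computers, Builtin) are general AD knowledge, not taken from the thread, and the container check is a heuristic; `try_bind` needs the python-ldap package and a reachable server, so only the offline helpers are exercised here. The sample error string and bind DN are the ones quoted in the first post.

```python
import re

# Constructed from the error string quoted in the thread; the 'info' field of the
# LDAPError tuple is what carries Active Directory's real reason.
SAMPLE_INFO = ("80090308: LdapErr: DSID-0c09042A, comment: AcceptSecurityContext error, "
               "data 52e, v3839")
SAMPLE_BIND_DN = "CN=bindguy, OU=Users,DC=example,DC=com"  # bind DN from the posted config

# Documented AcceptSecurityContext sub-codes that AD puts after "data" on a bind
# failure. They distinguish a wrong DN from a wrong password from a lockout, which
# a plain "Invalid Credentials" does not.
AD_BIND_SUBCODES = {
    "525": "user not found (no object at the bind DN)",
    "52e": "invalid credentials (DN resolves but the password is wrong, or the DN is off)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Containers that exist as CN= objects in a default AD domain, not as OUs.
# Heuristic only: a site may legitimately create an OU with the same name.
DEFAULT_CN_CONTAINERS = {"users", "computers", "builtin"}

_INFO_RE = re.compile(
    r"(?P<hex>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def explain_ad_bind_error(info):
    """Parse AD's 'info' string into its fields and attach the meaning of the sub-code.

    Returns None when the string is not in the AD LdapErr format.
    """
    match = _INFO_RE.search(info)
    if not match:
        return None
    parts = match.groupdict()
    parts["meaning"] = AD_BIND_SUBCODES.get(parts["data"].lower(), "unknown sub-code")
    return parts


def split_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def suspicious_containers(dn):
    """Return RDNs written as OU= whose name is a default AD CN= container.

    This is the mistake the thread ends on (OUs used where CNs were needed): the DN
    then resolves to nothing and the server reports it as a bind failure.
    """
    return [f"{attr}={value}" for attr, value in split_dn(dn)
            if attr == "OU" and value.lower() in DEFAULT_CN_CONTAINERS]


def try_bind(uri, bind_dn, password, ignore_cert_errors=False):
    """Attempt the service-account bind outside NetBox with python-ldap.

    Needs the python-ldap package and network access, so it is not exercised by the
    offline helpers above; the result dict carries the decoded AD sub-code on failure.
    """
    import ldap  # imported here so the offline helpers work without python-ldap
    if ignore_cert_errors:  # same effect as NetBox's LDAP_IGNORE_CERT_ERRORS
        ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # as in the posted AUTH_LDAP_CONNECTION_OPTIONS
    try:
        conn.simple_bind_s(bind_dn, password)
        return {"ok": True, "warnings": suspicious_containers(bind_dn)}
    except ldap.INVALID_CREDENTIALS as exc:
        info = exc.args[0].get("info", "") if exc.args and isinstance(exc.args[0], dict) else ""
        return {"ok": False, "detail": explain_ad_bind_error(info) or info,
                "warnings": suspicious_containers(bind_dn)}
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    print(explain_ad_bind_error(SAMPLE_INFO))
    print(split_dn(SAMPLE_BIND_DN))
    print(suspicious_containers(SAMPLE_BIND_DN))
```

Run against the thread's own error string, the decoder reports sub-code 52e (invalid credentials for a DN the server could evaluate) and the DN check flags `OU=Users`, which is the component the second post says had to become a CN. Because the sub-codes for a locked-out (775) or disabled (533) account are different, the same decoder also tells a defender reading the django-ldap debug log whether a burst of bind failures is a misconfiguration or an account problem.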

Mark Garcia

Apr 17, 2019, 1:26:57 PM
to NetBox
Could you post the changes you made? Maybe a side-by-side comparison.

I think I understand what you're saying but wanted to be certain since it may be my issue also.

Thanks
Mark
