So I am unable to authenticate any users via LDAP. I tried both the raw username and the username with the domain attached to see if either works. People mentioned "nested groups" possibly being a problem, but I think that would fail at group mapping; we are getting a raw DN/password rejection here, so we aren't even getting that far.
There is not a lot of help for this in the NetBox or Django LDAP documentation.
Authentication failed for XXXXXXXXXX: user DN/password rejected by LDAP server.
Authentication failed for XXXXX...@YYYYY.com: user DN/password rejected by LDAP server.
Here is my current LDAP config.
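import ldap
import logging
import logging.handlers

from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType

# --- Debug logging for django-auth-ldap ------------------------------------
# At DEBUG level the backend records the bind DN it tries, the search base /
# filter and what came back, which is exactly what is needed to see *which*
# step produces "user DN/password rejected". The file lists account DNs and
# directory structure, so keep it readable by the NetBox service user only.
logfile = "/data/netbox/logs/django-ldap-debug.log"
my_logger = logging.getLogger("django_auth_ldap")
my_logger.setLevel(logging.DEBUG)
handler = logging.handlers.RotatingFileHandler(
    logfile, maxBytes=1024 * 500, backupCount=5
)
# Timestamp + level so a rejected bind can be correlated with the directory
# server's own log (the original handler wrote bare messages).
handler.setFormatter(
    logging.Formatter("%(asctime)s %(levelname)s %(name)s: %(message)s")
)
my_logger.addHandler(handler)

# --- Server ------------------------------------------------------------------
# One string literal. The original had the URI split across two lines
# ("ldap:// / ldap.xxx.com"), which is a syntax error in this file.
AUTH_LDAP_SERVER_URI = "ldap://ldap.xxxxxxxxxxxxxxxx.com"
# NOTE(review): "ldap://" is cleartext, so the service-account bind and every
# user's simple bind (DN + password) cross the network unencrypted. Prefer
# "ldaps://" (or AUTH_LDAP_START_TLS = True) with the domain CA trusted. A
# directory that enforces LDAP signing refuses simple binds over cleartext,
# which presents as a bind rejection — worth ruling out with the debug log.
AUTH_LDAP_CONNECTION_OPTIONS = {
    # Do not chase referrals (the usual setting for Active Directory).
    ldap.OPT_REFERRALS: 0,
}

# Service account used for the user and group searches.
# NOTE(review): a plaintext secret in a settings file ends up in backups and
# version control; consider loading it from the environment or a secrets
# store instead of the literal.
AUTH_LDAP_BIND_DN = "CN=netbox-sa,OU=Service Accounts,DC=xxxxxxxxxxxxxx,DC=com"
AUTH_LDAP_BIND_PASSWORD = "xxxxxxxxxxxxxxxxxxxxx"
# NOTE(review): disables certificate validation, i.e. a TLS session would
# accept any certificate. It is inert while the URI is plain ldap://; once
# ldaps:// / START_TLS is enabled, trust the domain CA and set this to False.
LDAP_IGNORE_CERT_ERRORS = True

# --- User lookup -------------------------------------------------------------
# Users are located by sAMAccountName beneath this OU only; an account that
# lives elsewhere in the domain is never found. The filter matches the short
# logon name, so a "user@domain" login (userPrincipalName form) will not match
# it as written.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "OU=Privileged.Users,OU=Delegated.Access,DC=xxxxxxxxxxxxx,DC=com",
    ldap.SCOPE_SUBTREE,
    "(sAMAccountName=%(user)s)",
)

# Map LDAP attributes onto the Django user model.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

# --- Groups ------------------------------------------------------------------
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "dc=xxxxxxxxxxxxxx,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=group)"
)
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()
# Membership (direct or nested) in this group is required to log in at all.
AUTH_LDAP_REQUIRE_GROUP = "CN=netbox-admin,OU=xxxxxxxxxxxx,OU=Service Accounts,DC=xxxxxxxxxxxxx,DC=com"

# Mirror LDAP group assignments.
# AUTH_LDAP_MIRROR_GROUPS = True

# Define special user types using groups. Exercise great caution when
# assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    # Fixed: the original value started with a doubled "cn=CN=" prefix, which
    # is not a valid DN and cannot match any group; since the flag is derived
    # from membership, is_active would presumably be cleared on every login
    # once the bind problem is solved.
    "is_active": "CN=netbox-user,OU=xxxxxxxxxxx,OU=Service Accounts,DC=xxxxxxxxxxxxxxxxx,DC=com",
    "is_staff": "CN=netbox-user,OU=xxxxxxxxxxxxxxxx,OU=Service Accounts,DC=xxxxxxxxxxxxxxxxxx,DC=com",
    "is_superuser": "CN=netbox-admin,OU=xxxxxxxxxxx,OU=Service Accounts,DC=xxxxxxxxxxxxxxxxx,DC=com",
}

AUTH_LDAP_FIND_GROUP_PERMS = True
# Cache group membership for an hour to avoid a directory round-trip per
# request; a removed user keeps access for up to this long.
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_CACHE_TIMEOUT = 3600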
-------------------------------------
From configuration.py
# --- Remote authentication support -----------------------------------------
# Delegate authentication to the LDAP backend configured in ldap_config.py.
REMOTE_AUTH_ENABLED = True
# Header-based SSO alternative: 'netbox.authentication.RemoteUserBackend'.
REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
# NOTE(review): presumably only meaningful for the header-based backend; if
# that backend is ever enabled, the reverse proxy must set this header and
# strip any client-supplied copy — confirm before switching.
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
# Create the local user record on first successful LDAP login.
REMOTE_AUTH_AUTO_CREATE_USER = True
# No extra groups or permissions beyond what the LDAP group mapping grants.
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}