LDAP Setup - Anyone getting it working based on the doc?


Josh VanDeraa
Jan 21, 2017, 4:19:30 PM
to NetBox
Hi all-

First what a terrific system that is going here. I'm very impressed and am actively using it.

The only thing that I have outstanding is getting Netbox integrated with our Active Directory using LDAP authentication. The AD system I believe is pretty straightforward from what I have discussed with the team that runs our AD. Using the information on the readthedocs page on getting LDAP working we are unable to get it working. Any tips out there on what else to look at? I do see the packets leaving and responses coming back from a tcpdump perspective. But the logging is not the best from what I see in the AD logs to tell me what is going on within AD.

Thanks in advance for any help.

Josh

Frank Mogaddedi
Jan 23, 2017, 9:51:31 AM
to NetBox

Josh,

I’ve messed around with it and it works for us. We’re using ldap:// and not ldaps://, though.

Here’s an excerpt of my ldap_config.py (IPs/users/passwords have been changed to protect the more-or-less innocent):

 

import ldap   # needed for ldap.OPT_REFERRALS / ldap.SCOPE_SUBTREE below; missing from the posted excerpt

AUTH_LDAP_SERVER_URI = "ldap://192.168.10.100"

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}

AUTH_LDAP_BIND_DN = "CN=bindaccount,OU=ServiceAccounts,OU=Global,DC=corp,DC=local"
AUTH_LDAP_BIND_PASSWORD = "VerySecure"

LDAP_IGNORE_CERT_ERRORS = True

from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_USER_SEARCH = LDAPSearch("OU=Wherever,DC=corp,DC=local",
                                    ldap.SCOPE_SUBTREE,
                                    "(sAMAccountName=%(user)s)")

# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}

from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, NestedGroupOfNamesType     # I Probably added the ‘Nested…’

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("DC=corp,DC=local", ldap.SCOPE_SUBTREE,
                                    "(objectClass=group)")

# AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()  ### I changed this

# Define a group required to login
AUTH_LDAP_REQUIRE_GROUP = "CN=NetworkAdmins,OU=Groups,OU=Global,DC=corp,DC=local"

# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active":    "cn=Network-Staff,ou=Groups,ou=Global,dc=corp,dc=local",
    "is_staff":     "cn=Network-Staff,ou=Groups,ou=Global,dc=corp,dc=local",
    "is_superuser": "cn=Network-SU,ou=Groups,ou=Global,dc=corp,dc=local"
}

AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

 

I commented out the following:

### # Don't check the ldap server's certificate as much
### ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
###
### # Don't check the cert at all
### ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

I hope that helps a little,

            Frank

--
You received this message because you are subscribed to the Google Groups "NetBox" group.
To unsubscribe from this group and stop receiving emails from it, send an email to netbox-discus...@googlegroups.com.
To post to this group, send email to netbox-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/netbox-discuss/762c7bd9-70ee-4827-9c81-0c0dd61ebf15%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

gstuff...@gmail.com
Feb 22, 2017, 2:47:36 PM
to NetBox
Here is ours using LDAPS.  A few notes:
  • It would be nice to point to ldaps://domain.com rather than to a specific DC but the cert name has to match the request so point to a specific DC
  • We require users to be in a group to log in (AUTH_LDAP_REQUIRE_GROUP).  You may/may not want that.
  • You must make the underlying system (CentOS, Ubuntu, etc.) trust the presented certificate.  We did that by trusting our internal CA as a root authority.

import ldap

AUTH_LDAP_SERVER_URI = "ldaps://domaincontroller1.domain.com"

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}

AUTH_LDAP_BIND_DN = "cn=NetBox,ou=Users,ou=Sample,dc=domain,dc=com"
AUTH_LDAP_BIND_PASSWORD = "CLEARtextPASSWORD!!!!"

LDAP_IGNORE_CERT_ERRORS = False

from django_auth_ldap.config import LDAPSearch

AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=domain,dc=com",
                                    ldap.SCOPE_SUBTREE,
                                    "(sAMAccountName=%(user)s)")

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn"
}

from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType

AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=domain,dc=com", ldap.SCOPE_SUBTREE,
                                    "(objectClass=group)")

AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

AUTH_LDAP_REQUIRE_GROUP = "cn=NetBox_Users,ou=Groups,ou=Sample,dc=domain,dc=com"

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "Write": "cn=NetBox_Users,ou=Groups,ou=Sample,dc=domain,dc=com",
}

AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600


gstuff...@gmail.com
Feb 22, 2017, 2:51:51 PM
to NetBox
One more thing:

LDAP_IGNORE_CERT_ERRORS = True is bad.  It makes it easy, as you don't have to get the underlying system to validate the certificate properly, but it means you are open to man-in-the-middle attacks, as you'll take any presented certificate as acceptable.
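As an added example (not code from this thread, from NetBox, or from django-auth-ldap), the script below turns the points made in the two posts above into a small audit of an ldap_config.py-style settings dict: it flags plain ldap:// (credentials cross the wire in cleartext), LDAP_IGNORE_CERT_ERRORS = True (any presented certificate is accepted), a missing AUTH_LDAP_REQUIRE_GROUP, an is_superuser group mapping, and a bind password kept in the config file. It also checks the "cert name has to match the request" point by matching the URI hostname against the DC certificate's DNS SAN list, which is why ldaps://domain.com fails against a certificate issued to domaincontroller1.domain.com. The settings keys are the NetBox/django-auth-ldap names used in the thread; the two sample dicts and the SAN list are constructed; OPT_X_TLS_DEMAND and OPT_X_TLS_CACERTFILE named in the finding text are python-ldap's constants for the "trust the internal CA" alternative.

```python
"""Audit a NetBox ldap_config.py-style settings dict (added example)."""
from urllib.parse import urlsplit

# Constructed samples shaped like the two excerpts in the thread; values are placeholders.
SAMPLE_PLAIN_LDAP = {
    "AUTH_LDAP_SERVER_URI": "ldap://192.168.10.100",
    "AUTH_LDAP_BIND_DN": "CN=bindaccount,OU=ServiceAccounts,DC=corp,DC=local",
    "AUTH_LDAP_BIND_PASSWORD": "placeholder-bind-password",
    "LDAP_IGNORE_CERT_ERRORS": True,
    "AUTH_LDAP_REQUIRE_GROUP": "CN=NetworkAdmins,OU=Groups,DC=corp,DC=local",
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {
        "is_staff": "cn=Network-Staff,ou=Groups,dc=corp,dc=local",
        "is_superuser": "cn=Network-SU,ou=Groups,dc=corp,dc=local",
    },
}
SAMPLE_LDAPS = {
    "AUTH_LDAP_SERVER_URI": "ldaps://domaincontroller1.domain.com",
    "AUTH_LDAP_BIND_DN": "cn=NetBox,ou=Users,dc=domain,dc=com",
    "AUTH_LDAP_BIND_PASSWORD": "placeholder-bind-password",
    "LDAP_IGNORE_CERT_ERRORS": False,
    "AUTH_LDAP_REQUIRE_GROUP": "cn=NetBox_Users,ou=Groups,dc=domain,dc=com",
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {"Write": "cn=NetBox_Users,ou=Groups,dc=domain,dc=com"},
}
# Constructed DNS SAN list of the domain controller's certificate.
SAMPLE_DC_SANS = ["domaincontroller1.domain.com"]


def hostname_matches_cert(hostname, san_dns_names):
    """True if hostname is covered by one of the certificate's DNS SANs.
    Rule: exact match (case-insensitive), or a '*.' wildcard that stands for
    exactly one leftmost label. A bare domain apex never matches a host cert."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".domain.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def audit_ldap_settings(cfg, san_dns_names=()):
    """Return (severity, message) findings for a settings dict, in check order."""
    findings = []
    parts = urlsplit(cfg.get("AUTH_LDAP_SERVER_URI", ""))
    if parts.scheme == "ldap":
        findings.append(("high", "ldap:// sends the bind password and every user's "
                                 "credentials in cleartext; use ldaps://."))
    elif parts.scheme == "ldaps":
        host = parts.hostname or ""
        if san_dns_names and not hostname_matches_cert(host, san_dns_names):
            findings.append(("high", f"certificate does not cover {host}; point "
                                     "AUTH_LDAP_SERVER_URI at a name in the DC cert's SAN list."))
    else:
        findings.append(("high", f"unexpected URI scheme {parts.scheme!r}."))

    if cfg.get("LDAP_IGNORE_CERT_ERRORS"):
        findings.append(("high", "LDAP_IGNORE_CERT_ERRORS = True accepts any certificate "
                                 "(OPT_X_TLS_NEVER), so a man-in-the-middle can impersonate the DC; "
                                 "trust the internal CA instead (OPT_X_TLS_REQUIRE_CERT = "
                                 "OPT_X_TLS_DEMAND with OPT_X_TLS_CACERTFILE)."))

    if not cfg.get("AUTH_LDAP_REQUIRE_GROUP"):
        findings.append(("medium", "no AUTH_LDAP_REQUIRE_GROUP: any directory account that "
                                   "can bind is allowed to log in."))

    flags = cfg.get("AUTH_LDAP_USER_FLAGS_BY_GROUP", {})
    if "is_superuser" in flags:
        findings.append(("info", f"is_superuser is granted by group {flags['is_superuser']}; "
                                 "review its membership."))

    if cfg.get("AUTH_LDAP_BIND_PASSWORD"):
        findings.append(("low", "bind password is stored in ldap_config.py; restrict the file's "
                                "permissions and use a read-only, least-privilege bind account."))
    return findings


if __name__ == "__main__":
    for label, cfg in (("ldap:// sample", SAMPLE_PLAIN_LDAP), ("ldaps:// sample", SAMPLE_LDAPS)):
        print(f"== {label}")
        for severity, message in audit_ldap_settings(cfg, SAMPLE_DC_SANS):
            print(f"[{severity}] {message}")
```

Run it as a script to see both samples audited; the plain-ldap sample produces two high findings plus the superuser and bind-password notes, while the LDAPS sample only reports the stored bind password. Swapping its URI for ldaps://domain.com reproduces the name-mismatch finding from the first bullet above.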

Josh VanDeraa
Feb 22, 2017, 4:03:20 PM
to gstuff...@gmail.com, NetBox
Thanks for the posts! I had a little bit of time between attempting to get this working and the posts have helped. I moved the LDAP search further up the domain tree. 
