FreeIPA LDAP auth


Andrew Meyer

Dec 2, 2021, 2:27:32 PM12/2/21
to NetBox
I am trying to point authentication at my FreeIPA server, but I'm running into an issue where EVERY login is rejected.  I'm comparing against other applications I have successfully gotten to work with FreeIPA, such as AWX, to see what I need to change in order to make this work.  However, it is not working so well.

Here is my config:
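import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

# Server URI
AUTH_LDAP_SERVER_URI = "ldaps://freeipa01.satellite5.us"

# FreeIPA directory layout: user entries live under cn=users,cn=accounts and groups under
# cn=groups,cn=accounts. Every DN below is built from these three values so that the user base,
# the group base and the flag groups cannot drift apart through a typo in one of them.
AUTH_LDAP_BASE_DN = "dc=satellite5,dc=us"
AUTH_LDAP_BASE = "cn=accounts," + AUTH_LDAP_BASE_DN
# Was 'cn=netbox_users,' + AUTH_LDAP_BASE: netbox_users is a group (see AUTH_LDAP_REQUIRE_GROUP),
# not the container the user entries live in, so the templated user DN never existed and every
# bind was rejected.
AUTH_LDAP_USER_BASE = "cn=users," + AUTH_LDAP_BASE
AUTH_LDAP_GROUP_BASE = "cn=groups," + AUTH_LDAP_BASE

# The following is only needed when binding to Active Directory; it is harmless for FreeIPA.
AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}

# Set the DN and password for the NetBox service account.
# Not needed while AUTH_LDAP_BIND_AS_AUTHENTICATING_USER is True: the logging-in user's own
# credentials are used for the bind and for the subsequent group lookups.
#AUTH_LDAP_BIND_DN = "uid=admnetbox," + AUTH_LDAP_USER_BASE
#AUTH_LDAP_BIND_PASSWORD = REMOVED
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True

# Certificate verification. LDAP_IGNORE_CERT_ERRORS turns off verification of the FreeIPA server
# certificate, so the simple bind (which carries the user's password) would also succeed against
# anything impersonating the server. Preferred: leave verification on and point python-ldap at the
# IPA CA certificate instead:
#     AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_X_TLS_CACERTFILE: "<PATH_TO_IPA_CA_CERT>"}
#     LDAP_IGNORE_CERT_ERRORS = False
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True
# The URI is already ldaps://, so StartTLS on top of it is not needed.
AUTH_LDAP_START_TLS = False

# The user's DN is producible from the username, so no search is needed to log in. When this
# template is set, django-auth-ldap binds with the templated DN directly and AUTH_LDAP_USER_SEARCH
# is not consulted for the login itself.
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s," + AUTH_LDAP_USER_BASE

# Kept for the case where the template above is removed. The NetBox example filter
# "(objectClass=user)" is Active Directory specific; FreeIPA user entries are posixAccount, and
# they are searched under the user container rather than under a group.
AUTH_LDAP_USER_SEARCH = LDAPSearch(AUTH_LDAP_USER_BASE,
                                   ldap.SCOPE_SUBTREE,
                                   "(&(objectClass=posixAccount)(uid=%(user)s))")

# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to
# determine group hierarchy. FreeIPA groups are groupOfNames entries with a `member` attribute,
# which is exactly what GroupOfNamesType expects; the Active Directory filter
# "(&(objectClass=group)(member=%(user)s))" from the NetBox example matches no FreeIPA group.
AUTH_LDAP_GROUP_FILTER = "(objectClass=groupOfNames)"
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_BASE, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")

# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "cn=netbox_users," + AUTH_LDAP_GROUP_BASE

# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = True

# Define special user types using groups. Exercise great caution when assigning superuser status:
# cn=admins is FreeIPA's built-in administrators group, so every IPA administrator becomes a
# NetBox superuser through this mapping. NOTE(review): cn=users is read here as a *group* under
# cn=groups; FreeIPA's default group for all users is ipausers -- confirm a group named "users"
# actually exists, otherwise nobody gets is_staff.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=netbox_users," + AUTH_LDAP_GROUP_BASE,
    "is_staff": "cn=users," + AUTH_LDAP_GROUP_BASE,
    "is_superuser": "cn=admins," + AUTH_LDAP_GROUP_BASE,
}

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_TIMEOUT = 3600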

Andrew Meyer

Dec 2, 2021, 2:32:05 PM12/2/21
to NetBox
Also, how much of a hassle would it be to add this as a backend - https://pypi.org/project/django-freeipa-auth/ ????

Scrounger117

Dec 2, 2021, 5:52:37 PM12/2/21
to NetBox
Andrew,

I initially struggled to get this working; however, this is the config that I created and have been using since Netbox 2.8 (I'm now on 3.0.11) and FreeIPA 4.9.4.

####################################################################################
# This Python is required by django_auth_ldap to enable LDAP for NetBox.           #
####################################################################################

####################################################################################
### Imported Python Modules                                                      ###
####################################################################################
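import ldap
import logging, logging.handlers
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType, NestedGroupOfNamesType

####################################################################################
### Netbox LDAP - General Settings                                               ###
####################################################################################

# Server URI (a comma/whitespace separated list is accepted; the servers are tried in order)
AUTH_LDAP_SERVER_URI = 'ldaps://ldapserver01, ldaps://ldapserver02'

# Define ldap_config template variables (Not natively used by django-auth-ldap).
# FreeIPA keeps user entries under cn=users,cn=accounts and groups under cn=groups,cn=accounts;
# every DN below is derived from these so the pieces cannot disagree.
AUTH_LDAP_BASE = 'cn=accounts,dc=example,dc=com'
AUTH_LDAP_USER_BASE = 'cn=users,' + AUTH_LDAP_BASE
AUTH_LDAP_GROUP_BASE = "cn=groups," + AUTH_LDAP_BASE

####################################################################################
### Netbox LDAP - User Authentication Config                                     ###
####################################################################################

# Instead of a BIND Search Account, using authenticated user to search.
# No service-account password has to live in this file as a result.
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True

# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s," + AUTH_LDAP_USER_BASE

# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

####################################################################################
### Netbox LDAP - User Groups Config                                             ###
####################################################################################

# Set up the basic group parameters. FreeIPA groups are groupOfNames entries with a `member`
# attribute, which is what GroupOfNamesType reads.
AUTH_LDAP_GROUP_FILTER = "(objectClass=groupOfNames)"
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(AUTH_LDAP_GROUP_BASE, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_FILTER)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")

# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "cn=netboxusers," + AUTH_LDAP_GROUP_BASE

# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = True

# Map flags, 'is_staff' is required for access to ADMIN pages.
# Dedicated NetBox groups are used here rather than FreeIPA's built-in admins group, so IPA
# administrators do not become NetBox superusers unless deliberately added.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    'is_staff': 'cn=netboxstaff,' + AUTH_LDAP_GROUP_BASE,
    'is_superuser': 'cn=netboxsuperuser,' + AUTH_LDAP_GROUP_BASE,
}

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache groups for one hour to reduce LDAP traffic.
# AUTH_LDAP_CACHE_GROUPS / AUTH_LDAP_GROUP_CACHE_TIMEOUT are the older setting names; newer
# django-auth-ldap releases appear to read the single AUTH_LDAP_CACHE_TIMEOUT instead, so both
# spellings are set here and whichever the installed version knows takes effect.
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
AUTH_LDAP_CACHE_TIMEOUT = 3600

####################################################################################
### Netbox SSL Certificate Error Handling                                        ###
####################################################################################

# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
# With verification off, the simple bind (which carries the user's password) also succeeds against
# anything impersonating the LDAP server. Preferred: keep verification on and trust the IPA CA instead:
#     AUTH_LDAP_GLOBAL_OPTIONS = {ldap.OPT_X_TLS_CACERTFILE: "<PATH_TO_IPA_CA_CERT>"}
#     LDAP_IGNORE_CERT_ERRORS = False
LDAP_IGNORE_CERT_ERRORS = True

####################################################################################
### Netbox LDAP - Logging for LDAP Errors                                        ###
####################################################################################

# Configure Logging - Directory and File Permissions MUST BE 'netbox' user.
# At DEBUG this logger may record bind DNs and search filters for every login attempt, so keep the
# file readable only by the netbox user; it is the first place to look when logins are rejected.
logfile = "/opt/netbox/logs/django-ldap-debug.log"
my_logger = logging.getLogger('django_auth_ldap')
my_logger.setLevel(logging.DEBUG)
# Only attach a handler once: importing this module a second time would otherwise duplicate every line.
if not my_logger.handlers:
    handler = logging.handlers.RotatingFileHandler(
        logfile, maxBytes=1024 * 500, backupCount=5, encoding="utf-8")
    # Timestamp and level on each line so a rejected login can be correlated with the IPA server's logs.
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(name)s: %(message)s"))
    my_logger.addHandler(handler)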

