LDAP Documentation Enhancement #518

Closed
iamdadmin opened this issue Aug 31, 2016 · 5 comments
Labels
type: documentation A change or addition to the documentation

Comments

@iamdadmin

iamdadmin commented Aug 31, 2016

Referring to http://netbox.readthedocs.io/en/latest/installation/ldap/ the following section needs a little more explanation for people who come in cold and have no basis for what the group mappings mean.

User Groups for Permissions

"is_active" - you must map all users to at least this group if you want their account to be treated as enabled. Without this, your users cannot log in.

"is_staff" - users mapped to this group are enabled for access to the Administration tools; this is the equivalent of checking the "Staff status" box on a manually created user. This doesn't necessarily imply additional privileges, which still need to be assigned via a group, or on a per-user basis.

"is_superuser" - users mapped to this group in addition to the "is_staff" group will be assumed to have full permissions to all modules. Without also being mapped to "is_staff", this group observably has no impact on your effective permissions.

Some more notes, specific to Windows Server Active Directory.

The following option should be set to None when using Windows Server 2012.

AUTH_LDAP_USER_DN_TEMPLATE = None

When using Windows Server 2012 you may also need to specify a different port on the AUTH_LDAP_SERVER_URI - 3269 for secure, 3268 for non-secure

Server URI

AUTH_LDAP_SERVER_URI = "ldaps://my_server_or_ip:3269"

For this section, it would be good perhaps to link to the appropriate Django article to find a list of attributes. Sure, that's a bit let-me-google-that-for-you but it makes for a better read.

You can map user attributes to Django attributes as so.

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn"
}

@jeremystretch jeremystretch added the type: documentation A change or addition to the documentation label Sep 22, 2016
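
Added example, not part of the issue thread or NetBox's own code: a small Python check that applies the notes above to an LDAP settings dict, resolving the three flags for a user and reporting settings that send binds in cleartext or grant more than intended. The function names, the sample host and the group DNs are hypothetical, and group matching is simplified to a case-insensitive DN comparison.

```python
from urllib.parse import urlsplit

FLAGS = ("is_active", "is_staff", "is_superuser")

# Constructed sample settings; the host and group DNs are placeholders.
USERS = "CN=netbox-users,OU=Groups,DC=example,DC=com"
ADMINS = "CN=netbox-admins,OU=Groups,DC=example,DC=com"
SAMPLE = {
    "AUTH_LDAP_SERVER_URI": "ldap://dc01.example.com:3268",
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {"is_active": USERS, "is_superuser": ADMINS},
}

def effective_flags(member_of, flags_by_group):
    """Resolve the three flags from a user's group DNs (case-insensitive match)."""
    groups = {dn.lower() for dn in member_of}
    return {f: flags_by_group.get(f, "").lower() in groups for f in FLAGS}

def describe_access(flags):
    """Outcome for a flag combination, following the behaviour reported in this thread."""
    if not flags["is_active"]:
        return "login refused"
    if not flags["is_staff"]:
        return "login ok, no admin link"
    if not flags["is_superuser"]:
        return "admin link, permissions must be assigned"
    return "admin link, full permissions"

def audit(settings):
    """Return a list of findings for an LDAP settings dict."""
    findings = []
    uri = urlsplit(settings.get("AUTH_LDAP_SERVER_URI", ""))
    if uri.scheme == "ldap" and not settings.get("AUTH_LDAP_START_TLS"):
        findings.append("cleartext bind: ldap:// without AUTH_LDAP_START_TLS")
    if (uri.scheme, uri.port) in {("ldap", 3269), ("ldaps", 3268)}:
        findings.append("scheme does not match global catalog port")
    mapping = settings.get("AUTH_LDAP_USER_FLAGS_BY_GROUP", {})
    if "is_superuser" in mapping and "is_staff" not in mapping:
        findings.append("is_superuser mapped without is_staff")
    base = mapping.get("is_active", "").lower()
    for flag in ("is_staff", "is_superuser"):
        if base and mapping.get(flag, "").lower() == base:
            findings.append(f"{flag} uses the is_active group: every user is elevated")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
    print(describe_access(effective_flags([USERS, ADMINS], SAMPLE["AUTH_LDAP_USER_FLAGS_BY_GROUP"])))
```
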
@Mikecom32

@marvnrawley Thank you for this. I couldn't figure out why my LDAP auth was failing, and changing the AUTH_LDAP_USER_DN_TEMPLATE setting to None fixed the problem (after trying a myriad of other things).

@farewelldave

farewelldave commented Dec 1, 2016

I want to add my thanks to these additional notes to help with LDAP setup!

I also wanted to mention that for some reason, it seems that if you are a member of the "is_active" and "is_superuser" groups but not the "is_staff" group, the Django Admin link at top right is not visible.

This was not extensively tested, but Chrome only seemed to show the Admin link if you were a member of "is_staff". Furthermore, if you were in "is_active" and "is_staff" but not in "is_superuser", you were able to see the link, but not actually perform any actions.

It would make sense to me to hide the Admin link, unless the user is a member of the "is_superuser" group.

(if I need to make this into a separate issue, let me know - or mod feel free to move)

@jeremystretch
Member

Is anyone interested in submitting a PR for this?

@bellwood
Contributor

bellwood commented Apr 13, 2017

PR made - if you don't like the usage of info blocks for the buffing please feel free to alter @jeremystretch

Thanks for the contribution @marvnrawley =)

@jeremystretch
Member

Merged #1080

lampwins pushed a commit to lampwins/netbox that referenced this issue Oct 13, 2017
Incorporating @marvnrawley's enhancements from netbox-community#518
@lock lock bot locked as resolved and limited conversation to collaborators Jan 18, 2020