LDAP authentication

[Luc1f3rUK]

This project is looking so good!

I'd love the option for LDAP authentication built in (With permissions etc). I'm sure many others will too.
This would make it more appealing for larger organisations.

Thanks,

[aoyawale]

1+

[troxil]

+1

[MrDragon]

/AOL (me too), please.
Mostly username/password, if need be, access could be set in netbox. Would be awesome, though, if we could say "if member of group X, then they may edit" or some such thing :)

[dinoocch]

If you don't need a gui, django-auth-ldap is not too hard to set up, and provides the features you seem to be looking for.

[grigorov]

+1

[jeremystretch]

Awesome work by @dinoocch! Can we get some folks to test and report back? I'd like to soon as well, just need to figure out our LDAP arrangement internally.

I'd like to avoid having users make any changes to settings.py. All end-user config should be done in configuration.py and copied into Django's settings construct at runtime. This helps cleanly enforce required settings while avoiding errors from typos and whatnot. Given the amount of interest in supporting LDAP authentication, I think it makes sense to bake this into NetBox (along with declaring django-auth-ldap as a required dependency. Thoughts?

[MrDragon]

+1 Beer for @dinoocch - works against our Winblows AD server. I'll have to play more with group-and-or combinations because our AD structure is ahem "unique".

• to install, can python-django-auth-ldap be used (1.1.8-1 on Ubuntu), or does it need to be "pip...", which is a newer version?
• in the documentation, perhaps a hint for people like me (who don't really know python/django, but can read code and muck around), that the ldap logs can be found in /var/log/supervisor/netbox... ?

I'd love to see this in netbox!

[dinoocch]

@MrDragon - Glad to be of assistance,

• The ubuntu package is probably fine (The most recent version is 1.2.8, and I'd recommend using the latest stable version from pip if that is possible however)
• The logging code will tie add the ldap logs to the django logger. See Django Docs By configuring the Django logger, you can redirect the logs to anywhere you like!

I'm working on a commit to add the settings to configuration.py, I'm trying to figure out the best structure for this, however...

[Zanthras]

I can confirm running ldap auth as described against a FreeIPA auth server.

[jeremystretch]

#203 has been merged, but altered a good deal to avoid having users modify settings.py directly. The documentation has been moved to installation/ldap.md. It would be awesome if we could get a few people to try the new directions on a fresh install and report back with any issues.

[MrDragon]

Remember, I'm just an awful hack who's weak on AD/LDAP and worse on python, but:

• would it make sense to add "email": "mail" to AUTH_LDAP_USER_ATTR_MAP ?
• As we have groups in groups, esp. for the 'required group' (p.ex. staff, readers, admins, in group "netbox-access"), would it make more sense to use AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()? I think it still works if you have individual users in the "netbox-access" group. (Which also means you may need from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType)

[jeremystretch]

Basic LDAP support has been implemented in the v1.2.0 release. I'm going to mark this issue closed, but I encourage people to open new issues for any specific LDAP changes they'd like to see.

[SignalDistress]

I don't know if its at all helpful but for anyone else that Django LDAP is completely new for, you just add users with the same user as AD and then some dummy password. If your LDAP is setup correctly then you'll just log in with your LDAP username and password. It worked on the first time for me which was great.

If I'm dropping this comment in the wrong place just lemme know. Happy to help with any docs.