NetBox AD Authentifikation #14501
-
|
Hello everyone, actuelly, I need help. Under NetBox, I try to establish an AD authentification. This shouldn't be so hard, does we thinking befor... NetBox deliver a ldap-ad authentifications example, that I used. Lets me show: import ldap
from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType
# Server URI
AUTH_LDAP_SERVER_URI = "ldaps://ip_address:port"
# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}
# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=NetBoxAdmin,OU=System,OU=Admin,DC=domain,DC=de"
AUTH_LDAP_BIND_PASSWORD = "a secret"
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True
# Include this setting if you want to validate the LDAP server certificates against a CA certificate directory on your server
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, LDAP_CA_CERT_DIR)
# LDAP_CA_CERT_DIR = '/etc/ssl/certs'
# Include this setting if you want to validate the LDAP server certificates against your own CA.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT_FILE)
# LDAP_CA_CERT_FILE = '/path/to/example-CA.crt'
# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"OU=Admin,DC=domäne,DC=de",
ldap.SCOPE_SUBTREE,
"(|(userPrincipalName=%(user)s)(sAMAccountName=%(user)s))"
)
# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = None
# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
"username": "sAMAccountName",
"email": "mail",
"first_name": "givenName",
"last_name": "sn",
}
AUTH_LDAP_USER_QUERY_FIELD = "username"
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
"OU=Human,OU=Admin,DC=domain,DC=de",
ldap.SCOPE_SUBTREE,
"(objectClass=group)"
)
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()
# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "CN=NetBox,OU=Human,OU=Admin,DC=domain,DC=de"
# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = True
# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": "cn=active,ou=groups,dc=example,dc=com",
"is_staff": "cn=staff,ou=groups,dc=example,dc=com",
"is_superuser": "CN=NetBox,OU=Human,OU=Admin,DC=domain,DC=de"
}
# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_TIMEOUT = 3600
AUTH_LDAP_ALWAYS_UPDATE_USER = TrueThe problem is, if i try to login with one of my accounts, i get this message back.
I have also active the error-log from django_auth_ldap. But it is not much, what i get.
The LDAP Configuration should be all-right, so I have try it with the same accessdata (URI and BIND-Account) to get a ldaps-regrest over "ldapsearch". This have work perfectlly. The NetBox Server, neither the Nginx-Server have a Self-Signed certificate. I use the following versions: NetBox, v.3.6.5 Python, v.3.10.12 Linux, Ubuntu 22.04.4 LTS (Jammy) Does enyone hava an idear, how to solve this? With best regard Alphabeit |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 5 replies
-
|
Is the above configuration a copy of your actual ldap_config.py? If so, an obvious thing you seem to have forgotten is to set AUTH_LDAP_SERVER_URI to something other than an example/placeholder value. |
Beta Was this translation helpful? Give feedback.
-
|
The thing is, I can't place the real address in the forum. The information about the network is our secret and doesn't want to been seen. What you see, is a placeholder. Because this, I also have write, that I tested the URI with the tool "ldapsearch". Sorry, if I can't tell you more about them. |
Beta Was this translation helpful? Give feedback.
-
|
You are most likely experiencing bug #14249. This was broken in v3.6.5 by #14085. A fix has been committed so should be in the next Netbox release. In the mean time, you could try applying the patch in #14456 by hand. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you, I will try it tomorrow. |
Beta Was this translation helpful? Give feedback.
-
|
Hello again, the Bugfix does help a bit? So I appled the patch by hand, and the error message disaper, but I can't either login. NetBox tell me, Username and Password would be wrong, so I would need to control the DistinguishedName, right? I have it - and it looks perfekt. I even coped the DN directly from the AD-User- and Computermanager in the NetBox LDAP Configuration. I even tryed my Account against a another service with ad/dlap binding, it works - just not with NetBox.
So my question, what could I do now? Its something wrong with the ldap_config.py script? With best regards |
Beta Was this translation helpful? Give feedback.
-
So, you tried with your sAMAccountName, right? And it didn't work? |
Beta Was this translation helpful? Give feedback.
-
|
Okay, I don't know why... but after some time... actually, it works! I also print my config here, so that other peopels can see, how a working config looks like. Please notet, I also added the "LDAPSearchUnion" establish a Usersearch of more as one OrganisationUnits. But this does not anything meaning to the ticket here, ist just important to understand about my config. Also see the group premission at the end of the config. I have noticed, that a user with higher premission needs the premission of the lower group. So a "Superuser" needs to be also a "Stuff" and a "Active", if you give someone the "Superuser" but not the "Active", he can't login. This is one of the things that happened me too. Thank you all for your help. With best regards import ldap
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion, NestedGroupOfNamesType
# Server URI
AUTH_LDAP_SERVER_URI = "ldaps://ip_address:port"
# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}
# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=NetBoxAdmin,OU=System,OU=Admin,DC=domain,DC=de"
AUTH_LDAP_BIND_PASSWORD = "a secret"
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True
# Include this setting if you want to validate the LDAP server certificates against a CA certificate directory on your server
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, LDAP_CA_CERT_DIR)
# LDAP_CA_CERT_DIR = '/etc/ssl/certs'
# Include this setting if you want to validate the LDAP server certificates against your own CA.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT_FILE)
# LDAP_CA_CERT_FILE = '/path/to/example-CA.crt'
# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
LDAPSearch("OU=User,DC=domäne,DC=de", ldap.SCOPE_SUBTREE, "(|(userPrincipalName=%(user)s)(sAMAccountName=%(user)s))"),
LDAPSearch("OU=Admin,DC=domäne,DC=de", ldap.SCOPE_SUBTREE, "(|(userPrincipalName=%(user)s)(sAMAccountName=%(user)s))"),
)
# If a user's DN is producible from their username, we don't need to search.
AUTH_LDAP_USER_DN_TEMPLATE = None
# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
"username": "sAMAccountName",
"email": "mail",
"first_name": "givenName",
"last_name": "sn",
}
AUTH_LDAP_USER_QUERY_FIELD = "username"
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
"OU=ADMGroups,OU=BRHAdmin,DC=brh,DC=ivbb,DC=bund,DC=de",
ldap.SCOPE_SUBTREE,
"(objectClass=group)"
)
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()
# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "CN=NetBox,OU=Human,OU=Admin,DC=domain,DC=de"
# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = True
# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": "CN=NetBox,OU=Human,OU=Admin,DC=domain,DC=de,
"is_staff": "CN=NetBox,OU=Human,OU=Admin,DC=domain,DC=de,
"is_superuser": "CN=NetBox,OU=Human,OU=Admin,DC=domain,DC=dee"
}
# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_TIMEOUT = 3600
AUTH_LDAP_ALWAYS_UPDATE_USER = True |
Beta Was this translation helpful? Give feedback.
You are most likely experiencing bug #14249. This was broken in v3.6.5 by #14085.
A fix has been committed so should be in the next Netbox release. In the mean time, you could try applying the patch in #14456 by hand.