This section is optional. I will be adding my Windows Active Directory domain controllers for authentication.
apt install -y libldap2-dev libsasl2-dev libssl-dev
Activate the Python virtual environment and install the django-auth-ldap
package using pip.
source /opt/netbox/venv/bin/activate
pip3 install django-auth-ldap
Add the django-auth-ldap package to /opt/netbox/local_requirements.txt so that it is re-installed during future rebuilds of the environment.
sh -c "echo 'django-auth-ldap' >> /opt/netbox/local_requirements.txt"
Enable the LDAP authentication backend in configuration.py.
vim /opt/netbox/netbox/netbox/configuration.py
Change the indicated line:
.....
REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
.....
Create a new file called ldap_config.py in the same directory as configuration.py.
vim /opt/netbox/netbox/netbox/ldap_config.py
The remaining configuration parameters will be set in this file.
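#---------------------------------------
##### General Server Configuration #####
#---------------------------------------
import ldap
from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType

# Server URI. Space-separated URIs are tried in order. Both domain controllers are
# reached over ldaps:// (636) so the bind password and user credentials are never
# sent in clear text.
AUTH_LDAP_SERVER_URI = "ldaps://ad1.example.com:636 ldaps://ad2.example.com:636"

# Active Directory answers searches with referrals that python-ldap then tries to
# chase on a new, unauthenticated connection; disabling referral chasing is the
# usual fix when binding to AD.
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0,
}

# Set the DN and password for the NetBox service account.
# The account only needs read access to the user and group containers referenced
# below. The password is stored here in clear text, so keep this file readable by
# the NetBox service user only.
AUTH_LDAP_BIND_DN = "CN=bind.user,CN=Users,DC=example,DC=com"
AUTH_LDAP_BIND_PASSWORD = "***************"

# Verify the server certificate. This is a NetBox-specific setting; when True it sets
#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
# which accepts any certificate, so an on-path attacker could impersonate the domain
# controllers and capture the bind password and every user's login credentials.
# A self-signed or internal-CA certificate is handled by trusting the issuing CA
# (LDAP_CA_CERT_FILE below), not by ignoring errors.
LDAP_IGNORE_CERT_ERRORS = False

# NetBox-specific setting that calls ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ...).
# Uncomment and point it at the PEM file of the CA that issued the DC certificates.
#LDAP_CA_CERT_FILE = "/path/to/internal-ca.crt"  # placeholder path, replace before use

#------------------------------
##### User Authentication #####
#------------------------------
# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory). django-auth-ldap escapes the %(user)s
# value with the LDAP filter escaping rules before it is substituted into the filter.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "CN=Users,DC=example,DC=com",
    ldap.SCOPE_SUBTREE,
    "(sAMAccountName=%(user)s)",
)

# If a user's DN is producible from their username, we don't need to search.
#AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,CN=Users,DC=example,DC=com"

# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

#--------------------------------------
##### User Groups for Permissions #####
#--------------------------------------
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("CN=Users,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(objectClass=group)")

# The nested type also honours membership inherited through intermediate AD groups.
# The flat alternative is kept for reference (import GroupOfNamesType from
# django_auth_ldap.config to use it).
#AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "CN=Netbox_Users,CN=Users,DC=example,DC=com"

# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = True

# Define special user types using groups. Exercise great caution when assigning superuser status:
# is_superuser bypasses every permission check, so Netbox_Admins should stay a small,
# audited group. Mapping a flag to a group removes it again when the user leaves that group.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=Netbox_Users,CN=Users,DC=example,DC=com",
    "is_staff": "CN=Netbox_Admins,CN=Users,DC=example,DC=com",
    "is_superuser": "CN=Netbox_Admins,CN=Users,DC=example,DC=com",
}

# For more granular permissions, we can map LDAP groups to Django groups.
#AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache groups for one hour to reduce LDAP traffic
#AUTH_LDAP_CACHE_TIMEOUT = 3600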