NetBox (2.11.4) and Active Directory Integration - Step by Step

Published: 27 October 2024
on the channel: System MTU One

Join me in a quick video where I enable Active Directory authentication with my demo NetBox server. We'll be walking through, step by step, following the official instructions to pass credentials tied to my demo.test domain controller. At the end I'll add in some steps you can take for troubleshooting. I don't go into great depth on the troubleshooting process, but hopefully enough to give you a flavor for how it works.

Also, if you listen carefully you may hear my wife quietly in the background. That's something for me to watch out for in the future. The soundproofing isn't perfect!

0:00 Introduction
1:10 First Steps, installing dependencies, and more
4:46 Editing the NetBox configuration file
6:48 Walking through the LDAP configuration options
11:40 Creating the LDAP configuration file and making it live
12:45 Testing the integration with Dwight and Jim
15:15 Time to look at troubleshooting
16:00 Peek into the domain controller
16:55 Configuring NetBox for authentication debugging
18:38 Activating and testing the debug config
19:37 Examining the debug output with Michael
20:30 Tinkering with Michael's account
22:10 Wrapping up with a brief cameo from Wireshark

############ ldap config start ###############
import ldap

# Server URI
# Note: a plain ldap:// URI with no StartTLS sends the bind password and every user's password to the
# domain controller unencrypted; ldaps:// or AUTH_LDAP_START_TLS = True encrypts the session.
AUTH_LDAP_SERVER_URI = "ldap://192.168.86.86"

# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0
}

# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=Netbox Bind Account,OU=Service Accounts,DC=demo,DC=test"
AUTH_LDAP_BIND_PASSWORD = "MySup3rS3cr3tP@ssw0rd"

# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
# Disabling certificate verification means a TLS session can be established with any server presenting any cert.
LDAP_IGNORE_CERT_ERRORS = True

from django_auth_ldap.config import LDAPSearch

# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch("DC=demo,DC=test",
                                   ldap.SCOPE_SUBTREE,
                                   "(sAMAccountName=%(user)s)")

# If a user's DN is producible from their username, we don't need to search.
# AUTH_LDAP_USER_DN_TEMPLATE = "UID=%(user)s,OU=Demo Objects,DC=demo,DC=test"

# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail"
}

from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType

# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# hierarchy. NestedGroupOfNamesType also follows groups that are members of other groups.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("DC=demo,DC=test", ldap.SCOPE_SUBTREE,
                                    "(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = "CN=Netbox Active,OU=Demo Objects,DC=demo,DC=test"

# Mirror LDAP group assignments.
AUTH_LDAP_MIRROR_GROUPS = True

# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "CN=Netbox Active,OU=Demo Objects,DC=demo,DC=test",
    "is_staff": "CN=Netbox Staff,OU=Demo Objects,DC=demo,DC=test",
    "is_superuser": "CN=Netbox Superuser,OU=Demo Objects,DC=demo,DC=test"
}

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_TIMEOUT = 3600
############ ldap config stop ###############
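To see what the group settings above actually decide for a given account, here is an added example (my own model, not the video's code and not django_auth_ldap's implementation) that resolves nested membership the way NestedGroupOfNamesType does and then applies AUTH_LDAP_REQUIRE_GROUP and AUTH_LDAP_USER_FLAGS_BY_GROUP. The directory contents and user DNs are constructed; case-insensitive DN comparison is an assumption of the model.

```python
# Added example (not from the video or NetBox): a model of how the settings above turn a
# user's group membership into NetBox login and flag decisions. The directory below is a
# constructed stand-in for demo.test; no LDAP server is contacted.

REQUIRE_GROUP = "CN=Netbox Active,OU=Demo Objects,DC=demo,DC=test"
FLAGS_BY_GROUP = {
    "is_active": "CN=Netbox Active,OU=Demo Objects,DC=demo,DC=test",
    "is_staff": "CN=Netbox Staff,OU=Demo Objects,DC=demo,DC=test",
    "is_superuser": "CN=Netbox Superuser,OU=Demo Objects,DC=demo,DC=test",
}

# Constructed directory: group DN -> member DNs, as the "(objectClass=group)" search would
# return them. "Netbox Staff" is nested inside "Netbox Active"; Michael is only a Superuser.
GROUPS = {
    "CN=Netbox Active,OU=Demo Objects,DC=demo,DC=test": [
        "CN=Dwight,OU=Demo Objects,DC=demo,DC=test",
        "CN=Netbox Staff,OU=Demo Objects,DC=demo,DC=test",
    ],
    "CN=Netbox Staff,OU=Demo Objects,DC=demo,DC=test": [
        "CN=Jim,OU=Demo Objects,DC=demo,DC=test",
    ],
    "CN=Netbox Superuser,OU=Demo Objects,DC=demo,DC=test": [
        "CN=Michael,OU=Demo Objects,DC=demo,DC=test",
    ],
}


def effective_groups(user_dn):
    """Groups containing user_dn directly or through nesting (what NestedGroupOfNamesType resolves)."""
    found, frontier = set(), {user_dn}
    while frontier:
        member = frontier.pop()
        for group_dn, members in GROUPS.items():
            # AD DNs are case-insensitive, so compare lowercased (assumption of this model)
            if member.lower() in (m.lower() for m in members) and group_dn not in found:
                found.add(group_dn)
                frontier.add(group_dn)  # a group can itself be a member of another group
    return found


def evaluate_login(user_dn):
    """Return (allowed, flags): AUTH_LDAP_REQUIRE_GROUP gates login, then each flag mirrors membership."""
    groups = {g.lower() for g in effective_groups(user_dn)}
    if REQUIRE_GROUP.lower() not in groups:
        return False, {}  # rejected before any flags are considered
    flags = {flag: group.lower() in groups for flag, group in FLAGS_BY_GROUP.items()}
    return True, flags
```

Note that Michael, despite being in Netbox Superuser, is refused outright because he is not in the required group: superuser status never overrides AUTH_LDAP_REQUIRE_GROUP.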

########### debug config start ##############
LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'netbox_auth_log': {
            'level': 'DEBUG',
            'class': 'logging.handlers.RotatingFileHandler',
            'filename': '/opt/netbox/logs/django-ldap-debug.log',
            'maxBytes': 1024 * 500,
            'backupCount': 5,
        },
    },
    'loggers': {
        'django_auth_ldap': {
            'handlers': ['netbox_auth_log'],
            'level': 'DEBUG',
        },
    },
}
########### debug config stop ##############