__netbox: support basic LDAP group mapping
This commit is contained in:
parent
ab2c826cc3
commit
ef7a214dae
3 changed files with 55 additions and 6 deletions
|
@ -6,7 +6,7 @@ cat << EOF
|
||||||
##############################
|
##############################
|
||||||
|
|
||||||
import ldap
|
import ldap
|
||||||
from django_auth_ldap.config import LDAPSearch
|
from django_auth_ldap.config import LDAPSearch, PosixGroupType
|
||||||
|
|
||||||
# Server URI
|
# Server URI
|
||||||
AUTH_LDAP_SERVER_URI = "$LDAP_SERVER"
|
AUTH_LDAP_SERVER_URI = "$LDAP_SERVER"
|
||||||
|
@ -15,8 +15,10 @@ AUTH_LDAP_SERVER_URI = "$LDAP_SERVER"
|
||||||
AUTH_LDAP_BIND_DN = "$LDAP_BIND_DN"
|
AUTH_LDAP_BIND_DN = "$LDAP_BIND_DN"
|
||||||
AUTH_LDAP_BIND_PASSWORD = "$LDAP_BIND_PASSWORD"
|
AUTH_LDAP_BIND_PASSWORD = "$LDAP_BIND_PASSWORD"
|
||||||
|
|
||||||
# If a user's DN is producible from their username, we don't need to search.
|
# Search for user entry.
|
||||||
AUTH_LDAP_USER_DN_TEMPLATE = "$LDAP_USER_DN_TEMPLATE"
|
AUTH_LDAP_USER_SEARCH = LDAPSearch("$LDAP_USER_BASE",
|
||||||
|
ldap.SCOPE_SUBTREE,
|
||||||
|
"(uid=%(user)s)")
|
||||||
|
|
||||||
# You can map user attributes to Django attributes as so.
|
# You can map user attributes to Django attributes as so.
|
||||||
AUTH_LDAP_USER_ATTR_MAP = {
|
AUTH_LDAP_USER_ATTR_MAP = {
|
||||||
|
@ -25,3 +27,35 @@ AUTH_LDAP_USER_ATTR_MAP = {
|
||||||
"email": "mail"
|
"email": "mail"
|
||||||
}
|
}
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
if [ "$LDAP_GROUP_BASE" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
|
|
||||||
|
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
|
||||||
|
# hierarchy.
|
||||||
|
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("$LDAP_GROUP_BASE", ldap.SCOPE_SUBTREE,
|
||||||
|
"(objectClass=posixGroup)")
|
||||||
|
AUTH_LDAP_GROUP_TYPE = PosixGroupType()
|
||||||
|
|
||||||
|
# Mirror LDAP group assignments.
|
||||||
|
AUTH_LDAP_MIRROR_GROUPS = True
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [ "$LDAP_REQUIRE_GROUP" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
|
|
||||||
|
# Define a group required to login.
|
||||||
|
AUTH_LDAP_REQUIRE_GROUP = "$LDAP_REQUIRE_GROUP"
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$LDAP_SUPERUSER_GROUP" != "" ]; then
|
||||||
|
cat << EOF
|
||||||
|
|
||||||
|
# Define special user types using groups. Exercise great caution when assigning superuser status.
|
||||||
|
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
|
||||||
|
"is_superuser": "$LDAP_SUPERUSER_GROUP",
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
|
@ -40,8 +40,20 @@ if [ -f "$__object/parameter/ldap-bind-password" ]; then
|
||||||
export LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
|
export LDAP_BIND_PASSWORD=$(cat "$__object/parameter/ldap-bind-password")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$__object/parameter/ldap-user-dn-template" ]; then
|
if [ -f "$__object/parameter/ldap-user-base" ]; then
|
||||||
export LDAP_USER_DN_TEMPLATE=$(cat "$__object/parameter/ldap-user-dn-template")
|
export LDAP_USER_BASE=$(cat "$__object/parameter/ldap-user-base")
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/ldap-group-base" ]; then
|
||||||
|
export LDAP_GROUP_BASE=$(cat "$__object/parameter/ldap-group-base")
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/ldap-require-group" ]; then
|
||||||
|
export LDAP_REQUIRE_GROUP=$(cat "$__object/parameter/ldap-require-group")
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f "$__object/parameter/ldap-superuser-group" ]; then
|
||||||
|
export LDAP_SUPERUSER_GROUP=$(cat "$__object/parameter/ldap-superuser-group")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Create system user used to run netbox.
|
# Create system user used to run netbox.
|
||||||
|
|
|
@ -1,4 +1,7 @@
|
||||||
ldap-server
|
ldap-server
|
||||||
ldap-bind-dn
|
ldap-bind-dn
|
||||||
ldap-bind-password
|
ldap-bind-password
|
||||||
ldap-user-dn-template
|
ldap-user-base
|
||||||
|
ldap-group-base
|
||||||
|
ldap-require-group
|
||||||
|
ldap-superuser-group
|
||||||
|
|
Loading…
Reference in a new issue