Skip to content

Latest commit

 

History

History
149 lines (106 loc) · 4.01 KB

netbox.md

File metadata and controls

149 lines (106 loc) · 4.01 KB

Configuration for Netbox

Netbox LDAP configuration is located here

Prerequisites

  1. Install requirements

    Debian/Ubuntu: sudo apt install -y libldap2-dev libsasl2-dev libssl-dev

    CentOS: sudo yum install -y openldap-devel python3-devel

  2. Install django-auth-ldap

    source /opt/netbox/venv/bin/activatepip3 install django-auth-ldap

  3. Add package to local requirements

    sudo sh -c "echo 'django-auth-ldap' >> /opt/netbox/local_requirements.txt"

  4. Enable LDAP backend in configuration.py (default: /opt/netbox/netbox/netbox/configuration.py)

    REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'

LDAP Configuration

  1. Create ldap_config.py file

    touch /opt/netbox/netbox/netbox/ldap_config.py

  2. Copy and modify the configuration below

import ldap
from django_auth_ldap.config import LDAPSearch, NestedGroupOfNamesType

# Server URI
AUTH_LDAP_SERVER_URI = "ldaps://lldap.example.com:6360"

# Connection options, if necessary
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_REFERRALS: 0  # Disable referral chasing if not needed
}

# Bind DN and password for the service account
AUTH_LDAP_BIND_DN = "uid=admin,ou=people,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "ChangeMe!"

# Ignore certificate errors (for self-signed certificates)
LDAP_IGNORE_CERT_ERRORS = False  # Only use in development or testing!

# Include this setting if you want to validate the LDAP server certificates against a CA certificate directory on your server
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, LDAP_CA_CERT_DIR)
LDAP_CA_CERT_DIR = '/etc/ssl/certs'

# Include this setting if you want to validate the LDAP server certificates against your own CA.
# Note that this is a NetBox-specific setting which sets:
#     ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT_FILE)
LDAP_CA_CERT_FILE = '/path/to/example-CA.crt'

# User search configuration
AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "ou=people,dc=example,dc=com",
    ldap.SCOPE_SUBTREE,
    "(uid=%(user)s)"
)

# User DN template
AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=people,dc=example,dc=com"

# Map LDAP attributes to Django user attributes
AUTH_LDAP_USER_ATTR_MAP = {
    "username": "uid",
    "email": "mail",
    "first_name": "givenName",
    "last_name": "sn",
}

# Group search configuration
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "ou=groups,dc=example,dc=com",
    ldap.SCOPE_SUBTREE,
    "(objectClass=group)"
)
AUTH_LDAP_GROUP_TYPE = NestedGroupOfNamesType()

# Require users to be in a specific group to log in
AUTH_LDAP_REQUIRE_GROUP = "cn=netbox_users,ou=groups,dc=example,dc=com"

# Mirror LDAP group assignments
AUTH_LDAP_MIRROR_GROUPS = True

# Map LDAP groups to Django user flags
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_superuser": "cn=netbox_admins,ou=groups,dc=example,dc=com"
}

# Find group permissions
AUTH_LDAP_FIND_GROUP_PERMS = True

# Cache group memberships to reduce LDAP traffic
AUTH_LDAP_CACHE_TIMEOUT = 3600

# Always update user information from LDAP on login
AUTH_LDAP_ALWAYS_UPDATE_USER = True
  1. Restart netbox and netbox-rq

    sudo systemctl restart netbox netbox-rq

Troubleshoot LDAP

  1. Make logging directory

    sudo mkdir -p /opt/netbox/local/logs/

  2. Make log file

    sudo touch /opt/netbox/local/logs/django-ldap-debug.log

  3. Set permissions

    sudo chown -R netbox:root /opt/netbox/local

  4. Add the following to /opt/netbox/netbox/netbox/configuration.py

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'handlers': {
        'netbox_auth_log': {
            'level': 'DEBUG',
            'class': 'logging.handlers.RotatingFileHandler',
            'filename': '/opt/netbox/local/logs/django-ldap-debug.log',
            'maxBytes': 1024 * 500,
            'backupCount': 5,
        },
    },
    'loggers': {
        'django_auth_ldap': {
            'handlers': ['netbox_auth_log'],
            'level': 'DEBUG',
        },
    },
}