2019-05-01 00:55:44 +02:00
|
|
|
|
from importlib import import_module
|
2020-10-18 02:38:06 +02:00
|
|
|
|
from os import environ
|
2018-02-22 14:49:38 +01:00
|
|
|
|
|
2021-02-08 11:59:33 +01:00
|
|
|
|
import ldap
|
|
|
|
|
from django_auth_ldap.config import LDAPSearch
|
|
|
|
|
|
|
|
|
|
|
2019-04-30 23:24:22 +02:00
|
|
|
|
# Read secret from file
|
2020-10-18 02:38:06 +02:00
|
|
|
|
def _read_secret(secret_name, default=None):
|
2019-04-30 23:24:22 +02:00
|
|
|
|
try:
|
|
|
|
|
f = open('/run/secrets/' + secret_name, 'r', encoding='utf-8')
|
|
|
|
|
except EnvironmentError:
|
2020-05-13 14:44:41 +02:00
|
|
|
|
return default
|
2019-04-30 23:24:22 +02:00
|
|
|
|
else:
|
|
|
|
|
with f:
|
|
|
|
|
return f.readline().strip()
|
|
|
|
|
|
2019-05-01 00:55:44 +02:00
|
|
|
|
# Import and return the group type based on string name
|
2020-10-18 02:38:06 +02:00
|
|
|
|
def _import_group_type(group_type_name):
|
2019-05-01 00:55:44 +02:00
|
|
|
|
mod = import_module('django_auth_ldap.config')
|
|
|
|
|
try:
|
|
|
|
|
return getattr(mod, group_type_name)()
|
|
|
|
|
except:
|
|
|
|
|
return None
|
|
|
|
|
|
2018-02-22 14:49:38 +01:00
|
|
|
|
# Server URI
|
2020-10-18 02:38:06 +02:00
|
|
|
|
AUTH_LDAP_SERVER_URI = environ.get('AUTH_LDAP_SERVER_URI', '')
|
2018-02-22 14:49:38 +01:00
|
|
|
|
|
|
|
|
|
# The following may be needed if you are binding to Active Directory.
|
|
|
|
|
AUTH_LDAP_CONNECTION_OPTIONS = {
|
|
|
|
|
ldap.OPT_REFERRALS: 0
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-09 16:11:21 +02:00
|
|
|
|
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = environ.get('AUTH_LDAP_BIND_AS_AUTHENTICATING_USER', 'False').lower() == 'true'
|
2022-06-20 14:10:37 +02:00
|
|
|
|
|
|
|
|
|
# Set the DN and password for the NetBox service account if needed.
|
|
|
|
|
if not AUTH_LDAP_BIND_AS_AUTHENTICATING_USER:
|
|
|
|
|
AUTH_LDAP_BIND_DN = environ.get('AUTH_LDAP_BIND_DN', '')
|
|
|
|
|
AUTH_LDAP_BIND_PASSWORD = _read_secret('auth_ldap_bind_password', environ.get('AUTH_LDAP_BIND_PASSWORD', ''))
|
2018-02-22 14:49:38 +01:00
|
|
|
|
|
2018-07-20 12:24:17 +02:00
|
|
|
|
# Set a string template that describes any user’s distinguished name based on the username.
|
2020-10-18 02:38:06 +02:00
|
|
|
|
AUTH_LDAP_USER_DN_TEMPLATE = environ.get('AUTH_LDAP_USER_DN_TEMPLATE', None)
|
2018-07-11 16:50:02 +02:00
|
|
|
|
|
2020-05-14 16:41:42 +02:00
|
|
|
|
# Enable STARTTLS for ldap authentication.
|
2020-10-18 02:38:06 +02:00
|
|
|
|
AUTH_LDAP_START_TLS = environ.get('AUTH_LDAP_START_TLS', 'False').lower() == 'true'
|
2020-05-14 16:41:42 +02:00
|
|
|
|
|
2018-02-22 14:49:38 +01:00
|
|
|
|
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
|
|
|
|
|
# Note that this is a NetBox-specific setting which sets:
|
|
|
|
|
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
|
2020-10-18 02:38:06 +02:00
|
|
|
|
LDAP_IGNORE_CERT_ERRORS = environ.get('LDAP_IGNORE_CERT_ERRORS', 'False').lower() == 'true'
|
2018-02-22 14:49:38 +01:00
|
|
|
|
|
2022-12-01 08:17:25 +01:00
|
|
|
|
# Include this setting if you want to validate the LDAP server certificates against a CA certificate directory on your server
|
|
|
|
|
# Note that this is a NetBox-specific setting which sets:
|
|
|
|
|
# ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, LDAP_CA_CERT_DIR)
|
|
|
|
|
LDAP_CA_CERT_DIR = environ.get('LDAP_CA_CERT_DIR', None)
|
|
|
|
|
|
|
|
|
|
# Include this setting if you want to validate the LDAP server certificates against your own CA.
|
|
|
|
|
# Note that this is a NetBox-specific setting which sets:
|
|
|
|
|
# ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT_FILE)
|
|
|
|
|
LDAP_CA_CERT_FILE = environ.get('LDAP_CA_CERT_FILE', None)
|
|
|
|
|
|
2020-10-18 02:38:06 +02:00
|
|
|
|
AUTH_LDAP_USER_SEARCH_BASEDN = environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', '')
|
|
|
|
|
AUTH_LDAP_USER_SEARCH_ATTR = environ.get('AUTH_LDAP_USER_SEARCH_ATTR', 'sAMAccountName')
|
2023-01-27 23:57:56 +01:00
|
|
|
|
AUTH_LDAP_USER_SEARCH_FILTER: str = environ.get(
|
|
|
|
|
'AUTH_LDAP_USER_SEARCH_FILTER', f'({AUTH_LDAP_USER_SEARCH_ATTR}=%(user)s)'
|
2021-02-08 11:59:33 +01:00
|
|
|
|
)
|
2018-02-22 14:49:38 +01:00
|
|
|
|
|
2023-01-28 00:58:47 +01:00
|
|
|
|
AUTH_LDAP_USER_SEARCH = LDAPSearch(
|
|
|
|
|
AUTH_LDAP_USER_SEARCH_BASEDN, ldap.SCOPE_SUBTREE, AUTH_LDAP_USER_SEARCH_FILTER
|
|
|
|
|
)
|
|
|
|
|
|
2018-02-22 14:49:38 +01:00
|
|
|
|
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
|
|
|
|
|
# heirarchy.
|
2023-01-27 23:57:56 +01:00
|
|
|
|
|
2020-10-18 02:38:06 +02:00
|
|
|
|
AUTH_LDAP_GROUP_SEARCH_BASEDN = environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', '')
|
|
|
|
|
AUTH_LDAP_GROUP_SEARCH_CLASS = environ.get('AUTH_LDAP_GROUP_SEARCH_CLASS', 'group')
|
2023-01-27 23:57:56 +01:00
|
|
|
|
|
|
|
|
|
AUTH_LDAP_GROUP_SEARCH_FILTER: str = environ.get(
|
|
|
|
|
'AUTH_LDAP_GROUP_SEARCH_FILTER', f'(objectclass={AUTH_LDAP_GROUP_SEARCH_CLASS})'
|
|
|
|
|
)
|
|
|
|
|
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
|
|
|
|
|
AUTH_LDAP_GROUP_SEARCH_BASEDN, ldap.SCOPE_SUBTREE, AUTH_LDAP_GROUP_SEARCH_FILTER
|
|
|
|
|
)
|
2020-10-18 02:38:06 +02:00
|
|
|
|
AUTH_LDAP_GROUP_TYPE = _import_group_type(environ.get('AUTH_LDAP_GROUP_TYPE', 'GroupOfNamesType'))
|
2018-02-22 14:49:38 +01:00
|
|
|
|
|
|
|
|
|
# Define a group required to login.
|
2020-10-29 14:57:34 +01:00
|
|
|
|
AUTH_LDAP_REQUIRE_GROUP = environ.get('AUTH_LDAP_REQUIRE_GROUP_DN')
|
2018-02-22 14:49:38 +01:00
|
|
|
|
|
|
|
|
|
# Define special user types using groups. Exercise great caution when assigning superuser status.
|
2020-08-25 22:47:38 +02:00
|
|
|
|
AUTH_LDAP_USER_FLAGS_BY_GROUP = {}
|
|
|
|
|
|
|
|
|
|
if AUTH_LDAP_REQUIRE_GROUP is not None:
|
|
|
|
|
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
|
2020-10-29 14:57:34 +01:00
|
|
|
|
"is_active": environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''),
|
|
|
|
|
"is_staff": environ.get('AUTH_LDAP_IS_ADMIN_DN', ''),
|
|
|
|
|
"is_superuser": environ.get('AUTH_LDAP_IS_SUPERUSER_DN', '')
|
2020-08-25 22:47:38 +02:00
|
|
|
|
}
|
2018-02-22 14:49:38 +01:00
|
|
|
|
|
|
|
|
|
# For more granular permissions, we can map LDAP groups to Django groups.
|
2020-10-18 02:38:06 +02:00
|
|
|
|
AUTH_LDAP_FIND_GROUP_PERMS = environ.get('AUTH_LDAP_FIND_GROUP_PERMS', 'True').lower() == 'true'
|
2020-10-27 08:51:12 +01:00
|
|
|
|
AUTH_LDAP_MIRROR_GROUPS = environ.get('AUTH_LDAP_MIRROR_GROUPS', '').lower() == 'true'
|
2018-02-22 14:49:38 +01:00
|
|
|
|
|
|
|
|
|
# Cache groups for one hour to reduce LDAP traffic
|
2020-10-18 02:38:06 +02:00
|
|
|
|
AUTH_LDAP_CACHE_TIMEOUT = int(environ.get('AUTH_LDAP_CACHE_TIMEOUT', 3600))
|
2018-02-22 14:49:38 +01:00
|
|
|
|
|
|
|
|
|
# Populate the Django user from the LDAP directory.
|
|
|
|
|
AUTH_LDAP_USER_ATTR_MAP = {
|
2020-10-18 02:38:06 +02:00
|
|
|
|
"first_name": environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'),
|
|
|
|
|
"last_name": environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
|
|
|
|
|
"email": environ.get('AUTH_LDAP_ATTR_MAIL', 'mail')
|
2018-02-22 14:49:38 +01:00
|
|
|
|
}
|