Add django_ldap_auth

In the ldap.Dockerfile the django_ldap_auth module is installed to enable authentication againt LDAP servers.
2018-02-22 14:49:38 +01:00 · 2018-02-22 14:49:38 +01:00 · 6a01a3379d
commit 6a01a3379d
parent 3af803f481
7 changed files with 108 additions and 1 deletions
--- a/Dockerfile.ldap
+++ b/Dockerfile.ldap
@ -0,0 +1,7 @@
+ARG FROM_TAG=latest
+FROM ninech/netbox:$FROM_TAG
+
+RUN pip install django_auth_ldap
+
+COPY docker/ldap_config.docker.py /opt/netbox/netbox/netbox/ldap_config.py
+COPY configuration/ldap_config.py /etc/netbox/ldap_config.py
--- a/README.md
+++ b/README.md
@ -136,6 +136,10 @@ COPY startup_scripts/ /opt/netbox/startup_scripts/
 COPY initializers/ /opt/netbox/initializers/
 ```

+#### LDAP enabled variant
+
+In the images tagged with "-ldap" you can authenticate netbox against an LDAP / AD server. The included ldap_config.py is configured to use an AD domain controller. The custom values can be injected with environment variables like those in the main configuration file.
+
 ### Production

 The default settings are optimized for (local) development environments.
--- a/build-branches.sh
+++ b/build-branches.sh
@ -9,6 +9,11 @@ CURL="curl ${CURL_OPTS}"

 BRANCHES=$($CURL "${URL_RELEASES}" | jq -r 'map(.name) | .[] | scan("^[^v].+")')

+VARIANTS=( "ldap" )
+
 for BRANCH in $BRANCHES; do
  ./build.sh "${BRANCH}" $@
+  for var in "${VARIANTS[@]}" ; do
+    VARIANT=$var ./build.sh "${BRANCH}" $@
+  done
 done
--- a/build-latest.sh
+++ b/build-latest.sh
@ -38,8 +38,13 @@ URL_DOCKERHUB_TAG="https://registry.hub.docker.com/v2/${DOCKERHUB_REPO}/tags/lis
 AUTHORIZATION_HEADER="Authorization: Bearer ${BEARER_TOKEN}"
 ALREADY_BUILT="$($CURL -H "${AUTHORIZATION_HEADER}" "${URL_DOCKERHUB_TAG}" | jq -e ".tags | any(.==\"${VERSION}\")")"

+VARIANTS=( "ldap" )
+
 if [ "$ALREADY_BUILT" == "false" ]; then
  ./build.sh "${VERSION}" $@
+  for var in "${VARIANTS[@]}" ; do
+    VARIANT=$var ./build.sh "${VERSION}" $@
+  done
 else
  echo "✅ ${VERSION} already exists on https://hub.docker.com/r/${DOCKERHUB_REPO}"
 fi
--- a/build.sh
+++ b/build.sh
@ -35,6 +35,15 @@ if [ "${1}x" == "x" ] || [ "${1}" == "--help" ] || [ "${1}" == "-h" ]; then
  echo "  URL      Where to fetch the package from."
  echo "           Must be a tar.gz file of the source code."
  echo "           Default: https://github.com/<SRC_ORG>/<SRC_REPO>/archive/\$BRANCH.tar.gz"
+  echo "  VARIANT  The variant to build."
+  echo "           When set the value will be used as a TAG suffix and for Dockerfile selection."
+  echo "           The TAG being build must exist for the base variant and the variant Dockerfile"
+  echo "           must start with the following two lines:"
+  echo "             ARG FROM_TAG=latest"
+  echo "             FROM ninech/netbox:$FROM_TAG"
+  echo "           Example: VARIANT=ldap will result in the tag 'latest-ldap' and the Dockerfile"
+  echo "           'Dockerfile.ldap' being used."
+  echo "           Default: empty"

  if [ "${1}x" == "x" ]; then
    exit 1
@ -62,6 +71,18 @@ case "${BRANCH}" in
 esac
 DOCKER_TAG="${DOCKER_TAG-${DOCKER_ORG}/${DOCKER_REPO}:${TAG}}"

+# Checking which VARIANT to build
+if [ -z "$VARIANT" ]; then
+  DOCKERFILE="Dockerfile"
+else
+  DOCKERFILE="Dockerfile.${VARIANT}"
+  DOCKER_TAG="${DOCKER_TAG}-${VARIANT}"
+  if [ ! -f ${DOCKERFILE} ]; then
+    echo "The Dockerfile ${DOCKERFILE} for variant '${VARIANT}' doesn't exist. Exiting"
+    exit 1
+  fi
+fi
+
 # caching is only ok for version tags
 case "${TAG}" in
  v*)
@ -74,7 +95,7 @@ esac
 DOCKER_OPTS="${DOCKER_OPTS-$CACHE}"

 echo "🐳 Building the Docker image '${DOCKER_TAG}' from the url '${URL}'."
-docker build -t "${DOCKER_TAG}" --build-arg "BRANCH=${BRANCH}" --build-arg "URL=${URL}" --pull ${DOCKER_OPTS} .
+docker build -t "${DOCKER_TAG}" --build-arg "FROM_TAG=${TAG}" --build-arg "BRANCH=${BRANCH}" --build-arg "URL=${URL}" --pull ${DOCKER_OPTS} -f ${DOCKERFILE} .
 echo "✅ Finished building the Docker images '${DOCKER_TAG}'"

 if [ "${2}" == "--push" ] ; then
--- a/configuration/ldap_config.py
+++ b/configuration/ldap_config.py
@ -0,0 +1,55 @@
+import ldap
+import os
+
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+
+# Server URI
+AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI', '')
+
+# The following may be needed if you are binding to Active Directory.
+AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0
+}
+
+# Set the DN and password for the NetBox service account.
+AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '')
+AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', '')
+
+# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
+# Note that this is a NetBox-specific setting which sets:
+#     ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+LDAP_IGNORE_CERT_ERRORS = True
+
+AUTH_LDAP_USER_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', ''),
+                                    ldap.SCOPE_SUBTREE,
+                                    "(sAMAccountName=%(user)s)")
+
+# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
+# heirarchy.
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', ''), ldap.SCOPE_SUBTREE,
+                                    "(objectClass=group)")
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+
+# Define a group required to login.
+AUTH_LDAP_REQUIRE_GROUP = os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', '')
+
+# Define special user types using groups. Exercise great caution when assigning superuser status.
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+    "is_active": os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''),
+    "is_staff": os.environ.get('AUTH_LDAP_IS_ADMIN_DN', ''),
+    "is_superuser": os.environ.get('AUTH_LDAP_IS_SUPERUSER_DN', '')
+}
+
+# For more granular permissions, we can map LDAP groups to Django groups.
+AUTH_LDAP_FIND_GROUP_PERMS = True
+
+# Cache groups for one hour to reduce LDAP traffic
+AUTH_LDAP_CACHE_GROUPS = True
+AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
+
+# Populate the Django user from the LDAP directory.
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": os.environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'),
+    "last_name": os.environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
+    "email": os.environ.get('AUTH_LDAP_ATTR_MAIL', 'mail')
+}
--- a/docker/ldap_config.docker.py
+++ b/docker/ldap_config.docker.py
@ -0,0 +1,10 @@
+import importlib.util
+import sys
+
+try:
+  spec = importlib.util.spec_from_file_location('ldap_config', '/etc/netbox/ldap_config.py')
+  module = importlib.util.module_from_spec(spec)
+  spec.loader.exec_module(module)
+  sys.modules['netbox.ldap_config'] = module
+except:
+  raise ImportError('')