Add django_ldap_auth

In the ldap.Dockerfile the django_ldap_auth module is installed to
enable authentication againt LDAP servers.
This commit is contained in:
Tobias Genannt 2018-02-22 14:49:38 +01:00
parent 3af803f481
commit 6a01a3379d
7 changed files with 108 additions and 1 deletions

7
Dockerfile.ldap Normal file
View File

@ -0,0 +1,7 @@
ARG FROM_TAG=latest
FROM ninech/netbox:$FROM_TAG
RUN pip install django_auth_ldap
COPY docker/ldap_config.docker.py /opt/netbox/netbox/netbox/ldap_config.py
COPY configuration/ldap_config.py /etc/netbox/ldap_config.py

View File

@ -136,6 +136,10 @@ COPY startup_scripts/ /opt/netbox/startup_scripts/
COPY initializers/ /opt/netbox/initializers/ COPY initializers/ /opt/netbox/initializers/
``` ```
#### LDAP enabled variant
In the images tagged with "-ldap" you can authenticate netbox against an LDAP / AD server. The included ldap_config.py is configured to use an AD domain controller. The custom values can be injected with environment variables like those in the main configuration file.
### Production ### Production
The default settings are optimized for (local) development environments. The default settings are optimized for (local) development environments.

View File

@ -9,6 +9,11 @@ CURL="curl ${CURL_OPTS}"
BRANCHES=$($CURL "${URL_RELEASES}" | jq -r 'map(.name) | .[] | scan("^[^v].+")') BRANCHES=$($CURL "${URL_RELEASES}" | jq -r 'map(.name) | .[] | scan("^[^v].+")')
VARIANTS=( "ldap" )
for BRANCH in $BRANCHES; do for BRANCH in $BRANCHES; do
./build.sh "${BRANCH}" $@ ./build.sh "${BRANCH}" $@
for var in "${VARIANTS[@]}" ; do
VARIANT=$var ./build.sh "${BRANCH}" $@
done
done done

View File

@ -38,8 +38,13 @@ URL_DOCKERHUB_TAG="https://registry.hub.docker.com/v2/${DOCKERHUB_REPO}/tags/lis
AUTHORIZATION_HEADER="Authorization: Bearer ${BEARER_TOKEN}" AUTHORIZATION_HEADER="Authorization: Bearer ${BEARER_TOKEN}"
ALREADY_BUILT="$($CURL -H "${AUTHORIZATION_HEADER}" "${URL_DOCKERHUB_TAG}" | jq -e ".tags | any(.==\"${VERSION}\")")" ALREADY_BUILT="$($CURL -H "${AUTHORIZATION_HEADER}" "${URL_DOCKERHUB_TAG}" | jq -e ".tags | any(.==\"${VERSION}\")")"
VARIANTS=( "ldap" )
if [ "$ALREADY_BUILT" == "false" ]; then if [ "$ALREADY_BUILT" == "false" ]; then
./build.sh "${VERSION}" $@ ./build.sh "${VERSION}" $@
for var in "${VARIANTS[@]}" ; do
VARIANT=$var ./build.sh "${VERSION}" $@
done
else else
echo "${VERSION} already exists on https://hub.docker.com/r/${DOCKERHUB_REPO}" echo "${VERSION} already exists on https://hub.docker.com/r/${DOCKERHUB_REPO}"
fi fi

View File

@ -35,6 +35,15 @@ if [ "${1}x" == "x" ] || [ "${1}" == "--help" ] || [ "${1}" == "-h" ]; then
echo " URL Where to fetch the package from." echo " URL Where to fetch the package from."
echo " Must be a tar.gz file of the source code." echo " Must be a tar.gz file of the source code."
echo " Default: https://github.com/<SRC_ORG>/<SRC_REPO>/archive/\$BRANCH.tar.gz" echo " Default: https://github.com/<SRC_ORG>/<SRC_REPO>/archive/\$BRANCH.tar.gz"
echo " VARIANT The variant to build."
echo " When set the value will be used as a TAG suffix and for Dockerfile selection."
echo " The TAG being build must exist for the base variant and the variant Dockerfile"
echo " must start with the following two lines:"
echo " ARG FROM_TAG=latest"
echo " FROM ninech/netbox:$FROM_TAG"
echo " Example: VARIANT=ldap will result in the tag 'latest-ldap' and the Dockerfile"
echo " 'Dockerfile.ldap' being used."
echo " Default: empty"
if [ "${1}x" == "x" ]; then if [ "${1}x" == "x" ]; then
exit 1 exit 1
@ -62,6 +71,18 @@ case "${BRANCH}" in
esac esac
DOCKER_TAG="${DOCKER_TAG-${DOCKER_ORG}/${DOCKER_REPO}:${TAG}}" DOCKER_TAG="${DOCKER_TAG-${DOCKER_ORG}/${DOCKER_REPO}:${TAG}}"
# Checking which VARIANT to build
if [ -z "$VARIANT" ]; then
DOCKERFILE="Dockerfile"
else
DOCKERFILE="Dockerfile.${VARIANT}"
DOCKER_TAG="${DOCKER_TAG}-${VARIANT}"
if [ ! -f ${DOCKERFILE} ]; then
echo "The Dockerfile ${DOCKERFILE} for variant '${VARIANT}' doesn't exist. Exiting"
exit 1
fi
fi
# caching is only ok for version tags # caching is only ok for version tags
case "${TAG}" in case "${TAG}" in
v*) v*)
@ -74,7 +95,7 @@ esac
DOCKER_OPTS="${DOCKER_OPTS-$CACHE}" DOCKER_OPTS="${DOCKER_OPTS-$CACHE}"
echo "🐳 Building the Docker image '${DOCKER_TAG}' from the url '${URL}'." echo "🐳 Building the Docker image '${DOCKER_TAG}' from the url '${URL}'."
docker build -t "${DOCKER_TAG}" --build-arg "BRANCH=${BRANCH}" --build-arg "URL=${URL}" --pull ${DOCKER_OPTS} . docker build -t "${DOCKER_TAG}" --build-arg "FROM_TAG=${TAG}" --build-arg "BRANCH=${BRANCH}" --build-arg "URL=${URL}" --pull ${DOCKER_OPTS} -f ${DOCKERFILE} .
echo "✅ Finished building the Docker images '${DOCKER_TAG}'" echo "✅ Finished building the Docker images '${DOCKER_TAG}'"
if [ "${2}" == "--push" ] ; then if [ "${2}" == "--push" ] ; then

View File

@ -0,0 +1,55 @@
import ldap
import os
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
# Server URI
AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI', '')
# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}
# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '')
AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', '')
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True
AUTH_LDAP_USER_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', ''),
ldap.SCOPE_SUBTREE,
"(sAMAccountName=%(user)s)")
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# heirarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', ''), ldap.SCOPE_SUBTREE,
"(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', '')
# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''),
"is_staff": os.environ.get('AUTH_LDAP_IS_ADMIN_DN', ''),
"is_superuser": os.environ.get('AUTH_LDAP_IS_SUPERUSER_DN', '')
}
# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": os.environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'),
"last_name": os.environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
"email": os.environ.get('AUTH_LDAP_ATTR_MAIL', 'mail')
}

View File

@ -0,0 +1,10 @@
import importlib.util
import sys
try:
spec = importlib.util.spec_from_file_location('ldap_config', '/etc/netbox/ldap_config.py')
module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(module)
sys.modules['netbox.ldap_config'] = module
except:
raise ImportError('')