Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

implement extra LDAP user and group filters as requested in #471 #931

Merged
merged 1 commit into from
Jan 30, 2023

Conversation

timrabl
Copy link
Contributor

@timrabl timrabl commented Jan 27, 2023

Related Issue:

#471 - Add extra LDAP user and group filters

New Behavior

Implements two new environment variables without losing existing functions. Since the existing default variables are kept as fall back.

  • AUTH_LDAP_USER_SEARCH_FILTER // for overriding the LDAP user filter
  • AUTH_LDAP_GROUP_SEARCH_FILTER // to override the LDAP group filter

Contrast to Current Behavior

Allows users to completely customize the user or group variables for LDAP authentication via environment variables. If not, the default variables are used to ensure backward compatibility.

Discussion: Benefits and Drawbacks

Previously, the complete customization of the search filters were not possible, which is probably an essential feature for a small part of users. Nevertheless a feature that quite a lot of applications offer and more or less a common standard for LDAP authentication. The implementation is backward compatible, so there should be no problem for all other users.

Changes to the Wiki

version: "3.4"
services:
  netbox:
    environment:
      REMOTE_AUTH_ENABLED: "True"
      REMOTE_AUTH_BACKEND: "netbox.authentication.LDAPBackend"
      AUTH_LDAP_SERVER_URI: "ldaps://domain.com"
      AUTH_LDAP_BIND_DN: "cn=netbox,ou=services,dc=domain,dc=com"
      AUTH_LDAP_BIND_PASSWORD: "TopSecretPassword"
      AUTH_LDAP_USER_SEARCH_BASEDN: "ou=people,dc=domain,dc=com"
      AUTH_LDAP_GROUP_SEARCH_BASEDN: "ou=groups,dc=domain,dc=com"
      AUTH_LDAP_REQUIRE_GROUP_DN: "cn=netbox" # or "cn=netbox,ou=groups,dc=domain,dc=com"
      AUTH_LDAP_IS_ADMIN_DN: "cn=netbox-admins,ou=groups,dc=domain,dc=com"
      AUTH_LDAP_IS_SUPERUSER_DN: "cn=netbox-superusers,ou=groups,dc=domain,dc=com"
      
      # either user attribute only
      AUTH_LDAP_USER_SEARCH_ATTR: "uid"
      # or full user filter
      AUTH_LDAP_USER_SEARCH_FILTER: "(&(memberof:cn=netbox,ou=groups,dc=domain,dc=com)(uid=%(user)s))"
      
      # either group search class
      AUTH_LDAP_GROUP_SEARCH_CLASS: "groupOfUniqueNames"
      # or full group search filter
      AUTH_LDAP_GROUP_SEARCH_FILTER: "(|(objectclass=groupOfUniqueNames)(objectclass=group))"
      
      AUTH_LDAP_GROUP_TYPE: "GroupOfUniqueNamesType"
      AUTH_LDAP_ATTR_LASTNAME: "sn"
      AUTH_LDAP_ATTR_FIRSTNAME: "givenName"
      LDAP_IGNORE_CERT_ERRORS: "false"

Proposed Release Note Entry

LDAP filters for the groups or user search can now alternatively be completely configured via environment variables. (AUTH_LDAP_USER_SEARCH_FILTER and AUTH_LDAP_GROUP_SEARCH_FILTER).

Double Check

  • I have read the comments and followed the PR template.
  • I have explained my PR according to the information in the comments.
  • My PR targets the develop branch.

Copy link
Member

@tobiasge tobiasge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please address the comments.

@tobiasge tobiasge enabled auto-merge January 30, 2023 08:07
@tobiasge tobiasge merged commit 7a9aef3 into netbox-community:develop Jan 30, 2023
@timrabl timrabl deleted the fix-471 branch January 30, 2023 09:26
@timrabl timrabl restored the fix-471 branch January 31, 2023 18:27
timrabl added a commit to timrabl/netbox-docker that referenced this pull request Jan 31, 2023
@timrabl timrabl mentioned this pull request Jan 31, 2023
3 tasks
timrabl added a commit to timrabl/netbox-docker that referenced this pull request Jan 31, 2023
timrabl added a commit to timrabl/netbox-docker that referenced this pull request Feb 1, 2023
add missing AUTH_LDAP_USER_SEARCH, removed while modifying....

revert AUTH_LDAP_USER_SEARCH variable that was accidentally removed in netbox-community#931 and change behaviour to requested features in netbox-community#471
timrabl added a commit to timrabl/netbox-docker that referenced this pull request Feb 1, 2023
add missing AUTH_LDAP_USER_SEARCH, removed while modifying....

revert AUTH_LDAP_USER_SEARCH variable that was accidentally removed in netbox-community#931 and change behaviour to requested features in netbox-community#471

remove duplicate AUTH_LDAP_USER_SEARCH variable now and fix this finally, hopefully
tobiasge added a commit that referenced this pull request Feb 1, 2023
@tobiasge tobiasge mentioned this pull request Mar 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants