简介
本文介绍了NetBox接入微软的AD LDAP认证的教程。
NetBox 系列文章:https://songxwn.com/categories/NetBox/
LADP 系列文章:https://songxwn.com/tags/ldap/
已在NetBox 3.5-4.0版本验证过.
安装
安装系统基础软件包
text
sudo yum install -y openldap-devel python3-devel
# RHEL 系列
sudo apt install -y libldap2-dev libsasl2-dev libssl-dev
# Debian 系列
安装Python 软件包
text
source /opt/netbox/venv/bin/activate
pip3 install django-auth-ldap
将ldap包加入本地包列表,用于之后升级安装
text
sudo sh -c "echo 'django-auth-ldap' >> /opt/netbox/local_requirements.txt"
配置
python
vim configuration.py
REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
# 打开配置文件,增加开启LDAP认证后端的配置。
LDAP配置文件
text
vim /opt/netbox-4.0-beta2/netbox/netbox/ldap_config.py
# 创建并打开LDAP配置文件。下面是示例
# 配置完成后,执行systemctl restart netbox 生效。
配置实例
python
import ldap
# Server URI
AUTH_LDAP_SERVER_URI = "ldap://songxwn.com"
# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}
# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = "CN=admin,CN=Users,DC=songxwn,DC=com"
AUTH_LDAP_BIND_PASSWORD = "admin@passowrd"
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True
from django_auth_ldap.config import LDAPSearch
# This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
# username is not in their DN (Active Directory).
AUTH_LDAP_USER_SEARCH = LDAPSearch("DC=songxwn,DC=com",
ldap.SCOPE_SUBTREE,
"(sAMAccountName=%(user)s)")
# If a user's DN is producible from their username, we don't need to search.
# You can map user attributes to Django attributes as so.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("DC=songxwn,DC=com", ldap.SCOPE_SUBTREE,
"(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
from django_auth_ldap.config import LDAPGroupQuery
AUTH_LDAP_REQUIRE_GROUP = (
LDAPGroupQuery("CN=IT1,CN=Users,DC=songxwn,DC=com")
| LDAPGroupQuery("CN=IT2,CN=Users,DC=songxwn,DC=com")
)
AUTH_LDAP_MIRROR_GROUPS = True
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": ["CN=IT1,CN=Users,DC=songxwn,DC=com", "CN=IT2,CN=Users,DC=songxwn,DC=com"]
}
配置实例说明
-
域控服务器的域名为 songxwn.com
-
增加了两个组可以登录netbox,为 IT1 和 IT2
-
使用了admin作为netbox对接域控的接入账号
使用
域控账号不加域控,直接用用户名登录。 账号权限和组权限由NetBox管理。
LDAP接入排错
configuration.py 增加以下配置让ldap输出日志到/opt/netbox/local/logs/django-ldap-debug.log。
PS:注意log文件权限需netbox用户可读写。
text
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'handlers': {
'netbox_auth_log': {
'level': 'DEBUG',
'class': 'logging.handlers.RotatingFileHandler',
'filename': '/opt/netbox/local/logs/django-ldap-debug.log',
'maxBytes': 1024 * 500,
'backupCount': 5,
},
},
'loggers': {
'django_auth_ldap': {
'handlers': ['netbox_auth_log'],
'level': 'DEBUG',
},
},
}