LDAP Server Configuration (#14)

Merge branch 'feature/ldap' into master

Author: lae

.travis.yml

@@ -23,7 +23,7 @@ install:
 script:
 - ansible-playbook tests/deploy.yml -i tests/inventory --syntax-check
 - ansible-playbook tests/deploy.yml -i tests/inventory
-- unbuffer ansible-playbook -vv tests/deploy.yml -i tests/inventory >/tmp/idempotency.log 2>&1
+- ANSIBLE_STDOUT_CALLBACK=debug unbuffer ansible-playbook -vv tests/deploy.yml -i tests/inventory >/tmp/idempotency.log 2>&1
 - 'grep -A1 "PLAY RECAP" /tmp/idempotency.log | grep -qP "changed=0.*failed=0" &&
   (echo "Idempotence: PASS"; exit 0) || (echo "Idempotence: FAIL"; cat /tmp/idempotency.log;
   exit 1)'

README.md

@@ -57,6 +57,11 @@ By default, NetBox will be configured to output to `/srv/netbox/shared/applicati
 and `/srv/netbox/shared/requests.log`. You can override these with a valid
 uWSGI logger by setting `netbox_uwsgi_logger` and `netbox_uwsgi_req_logger`.
 
+Toggle `netbox_ldap_enabled` to `true` to configure LDAP authentication for
+NetBox. By default, Ansible will look for `netbox_ldap_config.py.j2` in your
+playbook's `templates/` directory - which you can find an example of in this
+role's `templates/` directory. You can set `netbox_ldap_config_template` to a
+different location if you have your template located somewhere else.
 
 Example Playbook
 ----------------

defaults/main.yml

@@ -44,3 +44,6 @@ netbox_uwsgi_logger: "file:{{ netbox_shared_path }}/application.log"
 netbox_uwsgi_req_logger: "file:{{ netbox_shared_path }}/requests.log"
 
 netbox_load_initial_data: false
+
+netbox_ldap_enabled: false
+netbox_ldap_config_template: netbox_ldap_config.py.j2

tasks/deploy_netbox.yml

@@ -27,12 +27,35 @@
   notify:
     - reload netbox
 
+- block:
+  - name: Install django-auth-ldap if LDAP is enabled
+    pip:
+      name: django-auth-ldap
+      virtualenv: "{{ netbox_virtualenv_path }}"
+
+  - name: Generate LDAP configuration for NetBox if enabled
+    template:
+      src: "{{ netbox_ldap_config_template }}"
+      dest: "{{ netbox_shared_path }}/ldap_config.py"
+      mode: 0600
+    notify:
+      - reload netbox
+  when:
+    - netbox_ldap_enabled
+
 - name: Symlink NetBox configuration file into the active NetBox release
   file:
     src: "{{ netbox_shared_path }}/configuration.py"
     dest: "{{ netbox_config_path }}/configuration.py"
     state: link
 
+- name: Symlink/Remove NetBox LDAP configuration file into/from the active NetBox release
+  file:
+    src: "{{ netbox_shared_path }}/ldap_config.py"
+    dest: "{{ netbox_config_path }}/ldap_config.py"
+    force: yes
+    state: "{{ 'absent' if netbox_ldap_enabled else 'link' }}"
+
 - name: Run database migrations for NetBox
   django_manage:
     command: migrate

tasks/install_packages_apt.yml

@@ -1,5 +1,5 @@
 ---
-- name: Install NetBox dependencies and selected Python version
+- name: Install required packages for selected NetBox configuration
   apt:
     name: "{{ item }}"
     state: latest
@@ -8,10 +8,5 @@
   with_items:
     - "{{ netbox_python3_packages if (netbox_python == 3) else netbox_python2_packages }}"
     - "{{ netbox_packages }}"
-
-- name: Ensure git is installed
-  apt:
-    name: git
-    state: installed
-  when:
-    - netbox_git
+    - "{{ netbox_ldap_packages if netbox_ldap_enabled else [] }}"
+    - "{{ 'git' if netbox_git else [] }}"

tasks/install_packages_yum.yml

@@ -6,18 +6,13 @@
   when:
     - netbox_python == 3
 
-- name: Install NetBox dependencies and selected Python version
+- name: Install required packages for selected NetBox configuration
   yum:
     name: "{{ item }}"
     state: latest
     update_cache: yes
   with_items:
     - "{{ netbox_python3_packages if (netbox_python == 3) else netbox_python2_packages }}"
     - "{{ netbox_packages }}"
-
-- name: Ensure git is installed
-  yum:
-    name: git
-    state: installed
-  when:
-    - netbox_git
+    - "{{ netbox_ldap_packages if netbox_ldap_enabled else [] }}"
+    - "{{ 'git' if netbox_git else [] }}"

templates/configuration.py.j2

@@ -17,3 +17,5 @@ BASE_PATH = '{{ netbox_base_path }}'
 PAGINATE_COUNT = '{{ netbox_paginate_count }}'
 TIME_ZONE = '{{ netbox_timezone }}'
 PREFER_IPV4 = '{{ "True" if netbox_prefer_ipv4 else "False" }}'
+
+# vim: ft=python

templates/netbox_ldap_config.py.j2.example

@@ -0,0 +1,51 @@
+# {{ ansible_managed }}
+import ldap
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+
+"""
+Read the NetBox LDAP configuration documentation if you need assistance:
+http://netbox.readthedocs.io/en/latest/installation/ldap/
+
+This is just an example. Modify it to your liking and place it in your
+playbook's templates/ directory (or anywhere, but make sure
+"netbox_ldap_config_template" is configured to whatever location you place the
+template in should it not be in templates/.
+"""
+
+# Use variables like the below if you prefer:
+AUTH_LDAP_SERVER_URI = "{{ ldap_server_uri }}"
+
+# Or just store all your values in this file:
+AUTH_LDAP_BIND_DN = "CN=NETBOXSA, OU=Service Accounts,DC=example,DC=com"
+# I would however recommend putting passwords in vaulted variables.
+AUTH_LDAP_BIND_PASSWORD = "demo"
+
+AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0
+}
+
+LDAP_IGNORE_CERT_ERRORS = False
+
+AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=example,dc=com",
+                                    ldap.SCOPE_SUBTREE,
+                                    "(sAMAccountName=%(user)s)")
+AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=users,dc=example,dc=com"
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn"
+}
+
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch("dc=example,dc=com", ldap.SCOPE_SUBTREE,
+                                    "(objectClass=group)")
+AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
+AUTH_LDAP_REQUIRE_GROUP = "CN=NETBOX_USERS,DC=example,DC=com"
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+    "is_active": "cn=active,ou=groups,dc=example,dc=com",
+    "is_staff": "cn=staff,ou=groups,dc=example,dc=com",
+    "is_superuser": "cn=superuser,ou=groups,dc=example,dc=com"
+}
+AUTH_LDAP_FIND_GROUP_PERMS = True
+AUTH_LDAP_CACHE_GROUPS = True
+AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
+
+# vim: ft=python

vars/centos-7.yml

@@ -20,3 +20,5 @@ netbox_python3_packages:
   - python34-pip
 netbox_python3_binary: /usr/bin/python3.4
 netbox_pip3_binary: /usr/bin/pip3
+netbox_ldap_packages:
+  - openldap-devel

vars/debian-8.yml

@@ -18,3 +18,6 @@ netbox_python3_packages:
   - python3-pip
 netbox_python3_binary: /usr/bin/python3.4
 netbox_pip3_binary: /usr/bin/pip3
+netbox_ldap_packages:
+  - libldap2-dev
+  - libssl-dev