External Authentication (LDAP) - jvoss/ansible-role-nautobot GitHub Wiki
This guide explains how to use this role to deploy LDAP authentication for Nautobot.
## Requirements
All system and Python dependencies are installed automatically when LDAP is enabled by defining the `nautobot_auth_ldap` variable.
## Configuration
Configuration is applied to `nautobot_config.py` by specifying raw configuration options under the `config` sub-key of the `nautobot_auth_ldap` variable. Nautobot-specific details can be found in the official Nautobot documentation; the full set of LDAP configuration options is described in the django-auth-ldap documentation.

Below is a simple example that demonstrates how to apply such options.
## Example
```yaml
nautobot_auth_ldap:
  config: |
    # Imports used by the settings below (harmless if the role's template already provides them).
    import ldap
    from django_auth_ldap.config import LDAPSearch, GroupOfNamesType

    # Server URI
    AUTH_LDAP_SERVER_URI = "ldap://ad.example.com"

    # The following may be needed if you are binding to Active Directory.
    AUTH_LDAP_CONNECTION_OPTIONS = {
        ldap.OPT_REFERRALS: 0
    }

    # Set the DN and password for the Nautobot service account.
    # Keep the real password out of the playbook (e.g. in Ansible Vault) rather than as a literal here.
    AUTH_LDAP_BIND_DN = "CN=NAUTOBOTSA, OU=Service Accounts,DC=example,DC=com"
    AUTH_LDAP_BIND_PASSWORD = "demo"

    # This search matches users with the sAMAccountName equal to the provided username. This is required if the user's
    # username is not in their DN (Active Directory).
    AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=Users,dc=example,dc=com",
                                       ldap.SCOPE_SUBTREE,
                                       "(sAMAccountName=%(user)s)")

    # When using Windows Server 2012, AUTH_LDAP_USER_DN_TEMPLATE should be set to None.
    AUTH_LDAP_USER_DN_TEMPLATE = None

    # You can map user attributes to Django attributes as so.
    AUTH_LDAP_USER_ATTR_MAP = {
        "first_name": "givenName",
        "last_name": "sn",
        "email": "mail"
    }

    # Group lookups: AUTH_LDAP_USER_FLAGS_BY_GROUP requires both a group search and a group type,
    # otherwise django-auth-ldap raises ImproperlyConfigured at login.
    AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=example,dc=com",
                                        ldap.SCOPE_SUBTREE,
                                        "(objectClass=group)")
    AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
    AUTH_LDAP_USER_FLAGS_BY_GROUP = {
        "is_active": "cn=active,ou=groups,dc=example,dc=com",
        "is_staff": "cn=staff,ou=groups,dc=example,dc=com",
        "is_superuser": "cn=superuser,ou=groups,dc=example,dc=com"
    }
```
## Additional related variables

### EXTERNAL_AUTH_DEFAULT_GROUPS

```yaml
nautobot_external_auth_default_groups: []

# Example
nautobot_external_auth_default_groups:
  - external_group_1
  - external_group_2
```
### EXTERNAL_AUTH_DEFAULT_PERMISSIONS

```yaml
nautobot_external_auth_default_permissions: {}

# Example
nautobot_external_auth_default_permissions:
  dcim.add_device:
    site__name__in:
      - HQ
  dcim.view_device:
    site__name__in:
      - HQ
  dcim.view_devicerole: null
  dcim.view_devicetype: null
  extras.view_status: null
  dcim.view_site:
    name__in:
      - HQ
  dcim.view_manufacturer: null
  dcim.view_region: null
  dcim.view_rack: null
  dcim.view_rackgroup: null
  dcim.view_platform: null
  virtualization.view_cluster: null
  virtualization.view_clustergroup: null
  tenancy.view_tenant: null
  tenancy.view_tenantgroup: null
```
## Suggestions
The example provided in this guide is meant to quickly demonstrate how to inject your own LDAP configuration into this role. One way to avoid embedding this raw configuration directly in a playbook is to define your own template or file and load it using a lookup plugin:
```yaml
# Load from static configuration file
nautobot_auth_ldap:
  config: "{{ lookup('file', 'path/to/ldap_config.py') }}"
```

```yaml
# Load from custom template
nautobot_auth_ldap:
  config: "{{ lookup('template', './ldap_config.template.py.j2') }}"
```
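As an added pre-deployment check (example code written for this page, not part of the role or of Nautobot), the following script statically inspects a raw LDAP fragment such as the file loaded by the lookup above: it flags an `ldap://` URI without `AUTH_LDAP_START_TLS`, a bind password kept as a string literal, and group-based settings configured without `AUTH_LDAP_GROUP_SEARCH` or `AUTH_LDAP_GROUP_TYPE`. The embedded fragment is a constructed sample modelled on the example on this page.

```python
import ast
from typing import Dict, List, Optional

# Constructed sample fragment, modelled on this page's example (not the role's own code).
SAMPLE_FRAGMENT = '''
AUTH_LDAP_SERVER_URI = "ldap://ad.example.com"
AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_REFERRALS: 0}
AUTH_LDAP_BIND_DN = "CN=NAUTOBOTSA,OU=Service Accounts,DC=example,DC=com"
AUTH_LDAP_BIND_PASSWORD = "demo"
AUTH_LDAP_USER_FLAGS_BY_GROUP = {"is_superuser": "cn=superuser,ou=groups,dc=example,dc=com"}
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
'''

# django-auth-ldap settings that make it resolve group membership at login.
GROUP_DEPENDENT = ("AUTH_LDAP_USER_FLAGS_BY_GROUP", "AUTH_LDAP_MIRROR_GROUPS",
                   "AUTH_LDAP_REQUIRE_GROUP", "AUTH_LDAP_DENY_GROUP")


def assigned_settings(fragment: str) -> Dict[str, ast.expr]:
    """Map each top-level AUTH_LDAP_* assignment to its value node (ast, not exec: ldap/LDAPSearch need not be importable)."""
    found: Dict[str, ast.expr] = {}
    for node in ast.parse(fragment).body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.startswith("AUTH_LDAP_"):
                    found[target.id] = node.value
    return found


def _string_literal(node: Optional[ast.expr]) -> Optional[str]:
    """Return the value if the node is a plain string constant, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def lint_ldap_fragment(fragment: str) -> List[str]:
    """Return human-readable findings for a raw nautobot_auth_ldap config fragment."""
    settings = assigned_settings(fragment)
    findings: List[str] = []
    uri = _string_literal(settings.get("AUTH_LDAP_SERVER_URI"))
    if uri is not None and uri.startswith("ldap://") and "AUTH_LDAP_START_TLS" not in settings:
        findings.append("ldap:// URI without AUTH_LDAP_START_TLS: the bind password is sent in cleartext")
    if _string_literal(settings.get("AUTH_LDAP_BIND_PASSWORD")) is not None:
        findings.append("AUTH_LDAP_BIND_PASSWORD is a literal: load it from Ansible Vault or the environment")
    if any(name in settings for name in GROUP_DEPENDENT):
        for required in ("AUTH_LDAP_GROUP_SEARCH", "AUTH_LDAP_GROUP_TYPE"):
            if required not in settings:
                findings.append(f"{required} is missing but group-based settings are configured")
    return findings
```

Run `lint_ldap_fragment(open("path/to/ldap_config.py").read())` against the file referenced by the lookup before the play deploys it.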