
Add extra LDAP user and group filters

Open kasimon opened this issue 4 years ago • 6 comments

Desired Behavior

Introduce new config variables AUTH_LDAP_USER_SEARCH_EXTRA_FILTER and AUTH_LDAP_GROUP_SEARCH_EXTRA_FILTER that are added to the LDAP queries.

This would allow filtering users/groups based on their attributes (for example to require a field like assignedRole: Netbox).

Contrast to Current Behavior

Currently there is no way to add an extra LDAP filter without changing the ldap config code.

Changes Required

Add these variables to the config. If not using the new variables nothing changes.

Discussion: Benefits and Drawbacks

This change would improve the versatility of the django ldap config.

kasimon, Mar 12 '21 16:03

> Currently there is no way to add an extra LDAP filter without changing the ldap config code.

You can create a new file configuration/ldap/your_configuration.py containing whatever LDAP-related configuration you want. Every piece of configuration added in such a file takes precedence over the default configuration and also extends it. See configuration/extra.py for reference; the same principle works for the ldap configuration.

cimnine, Mar 12 '21 17:03

I've added a quick paragraph to our wiki that describes the custom configuration files, see https://github.com/netbox-community/netbox-docker/wiki/Configuration#custom-configuration-files. I hope this solves your need for more environment variables – you could implement them yourself. If you think that they are relevant to others, please consider opening a PR.

cimnine, Mar 12 '21 17:03
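One way to write the custom configuration file described in the two comments above, as an added example that is not netbox-docker's own code and not the change later made in #931 or #939. The environment variable names are the ones proposed in this issue; the function names, the base filters and the fail-closed validation are assumptions of this sketch.

```python
# Added example, not netbox-docker's code. Intended for a custom file such as
# configuration/ldap/your_configuration.py (the mechanism described above).
import os


def _check_filter(flt: str) -> str:
    # RFC 4515 has literal parentheses inside values escaped as \28 and \29,
    # so counting raw parentheses is enough to check the structure. The
    # %(user)s placeholder used by django-auth-ldap is itself balanced.
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"LDAP filter must be wrapped in parentheses: {flt!r}")
    depth = 0
    for pos, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Reaching depth 0 before the last character means a stray ")"
            # or several top-level terms such as "(a=b)(c=d)".
            if depth < 0 or (depth == 0 and pos != len(flt) - 1):
                raise ValueError(f"malformed LDAP filter: {flt!r}")
    if depth != 0:
        raise ValueError(f"unbalanced LDAP filter: {flt!r}")
    return flt


def combine_filters(base_filter: str, extra_filter: str = "") -> str:
    """AND an optional extra filter onto the base search filter."""
    base = _check_filter(base_filter)
    if not extra_filter.strip():
        return base  # variable unset: the search behaves exactly as before
    # A malformed extra filter raises instead of being ignored, so a typo in
    # the environment cannot silently drop the restriction on who may log in.
    return f"(&{base}{_check_filter(extra_filter)})"


# Base filters below are assumed values for illustration.
USER_FILTER = combine_filters(
    "(sAMAccountName=%(user)s)",
    os.environ.get("AUTH_LDAP_USER_SEARCH_EXTRA_FILTER", ""),
)
GROUP_FILTER = combine_filters(
    "(objectClass=group)",
    os.environ.get("AUTH_LDAP_GROUP_SEARCH_EXTRA_FILTER", ""),
)
# With django-auth-ldap installed, the result is passed as the filterstr:
#   AUTH_LDAP_USER_SEARCH = LDAPSearch(base_dn, ldap.SCOPE_SUBTREE, USER_FILTER)
```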

Given that these kinds of filters are quite common in most LDAP setups I know, I would be for adding these to the default ldap_config.py. Adding your own config especially for LDAP requires knowledge not everybody needing such a filter might have. I could come up with a minimal PR if that would help.

kasimon, Mar 12 '21 23:03

After quickly searching Google, GitLab, django-auth-ldap, and GitHub I have not seen these options mentioned much.

In all the setups I have helped with I have not once used either of these options. Just adding my two cents. I think this should just be closed out.

ryanmerolle, Apr 20 '21 12:04

@ryanmerolle GitLab and django-auth-ldap definitely support arbitrary user and group filters (I know because we use both).

kasimon, Apr 21 '21 08:04

I was not saying they are not supported. I was just saying I did not see much mention of people using those options a lot.

ryanmerolle, Apr 21 '21 11:04

Fixed in #931

tobiasge, Jan 30 '23 09:01

@tobiasge Actually I made a mistake in #931. #939 should fix this finally. ^^

timrabl, Jan 31 '23 18:01