From 55643a25e7698bd66fa5ce2d0d0bea7268433f4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C5=A1per=20Oblak?=
Date: Wed, 28 Aug 2024 16:25:54 +0200
Subject: [PATCH 1/4] fix(ldap): fixes #210
---
 charts/netbox/Chart.lock | 6 ++---
 charts/netbox/templates/configmap.yaml | 31 +++++++++++++++++++++-----
 charts/netbox/values.yaml | 10 ++++++---
 3 files changed, 36 insertions(+), 11 deletions(-)
diff --git a/charts/netbox/Chart.lock b/charts/netbox/Chart.lock
index a96557c6..c10d9134 100644
--- a/charts/netbox/Chart.lock
+++ b/charts/netbox/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
 version: 2.22.0
 - name: postgresql
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 15.5.23
+ version: 15.5.26
 - name: redis
 repository: oci://registry-1.docker.io/bitnamicharts
 version: 20.0.3
-digest: sha256:c7cee1762f6496bb07f9e32520987956946d27c90f555c31e6e4508acc6e2877
-generated: "2024-08-21T15:03:50.816634-04:00"
+digest: sha256:f62a14fe30e5180b6fa9bdfa927c63be84926a1bfe809d774f6c723b32f4e6de
+generated: "2024-08-28T11:14:46.574269619+02:00"
diff --git a/charts/netbox/templates/configmap.yaml b/charts/netbox/templates/configmap.yaml
index 5171d75d..7d494777 100644
--- a/charts/netbox/templates/configmap.yaml
+++ b/charts/netbox/templates/configmap.yaml
@@ -231,7 +231,7 @@ data:
 ldap_config.py: |-
 from importlib import import_module
- from django_auth_ldap.config import LDAPSearch
+ from django_auth_ldap.config import LDAPSearch, LDAPGroupQuery
 import ldap
@@ -275,12 +275,33 @@ data:
 "(objectClass=" + AUTH_LDAP_GROUP_SEARCH_CLASS + ")",
 )
 AUTH_LDAP_GROUP_TYPE = _import_group_type(AUTH_LDAP_GROUP_TYPE)
+
+ # Required groups to be able to login to Netbox
+ AUTH_LDAP_REQUIRE_GROUP = (
+ {{- range $index, $group := $.Values.remoteAuth.ldap.requireGroupDn }}
+ LDAPGroupQuery({{ $group | quote }}){{ if ne (add $index 1) (len $.Values.remoteAuth.ldap.requireGroupDn) }} | {{ end }}
+ {{- end }}
+ )
+
 # Define special user types using groups. Exercise great caution when assigning superuser status.
 AUTH_LDAP_USER_FLAGS_BY_GROUP = {
- "is_active": AUTH_LDAP_REQUIRE_GROUP,
- "is_staff": {{ $.Values.remoteAuth.ldap.isAdminDn | quote }},
- "is_superuser": {{ $.Values.remoteAuth.ldap.isSuperUserDn | quote }},
+ "is_active": (
+ {{- range $index, $group := $.Values.remoteAuth.ldap.requireGroupDn }}
+ LDAPGroupQuery({{ $group | quote }}){{ if ne (add $index 1) (len $.Values.remoteAuth.ldap.requireGroupDn) }} | {{ end }}
+ {{- end }}
+ ),
+ "is_staff": (
+ {{- range $index, $group := $.Values.remoteAuth.ldap.isAdminDn }}
+ LDAPGroupQuery({{ $group | quote }}){{ if ne (add $index 1) (len $.Values.remoteAuth.ldap.isAdminDn) }} | {{ end }}
+ {{- end }}
+ ),
+ "is_superuser": (
+ {{- range $index, $group := $.Values.remoteAuth.ldap.isSuperUserDn }}
+ LDAPGroupQuery({{ $group | quote }}){{ if ne (add $index 1) (len $.Values.remoteAuth.ldap.isSuperUserDn) }} | {{ end }}
+ {{- end }}
+ ),
 }
+
 # Populate the Django user from the LDAP directory.
 AUTH_LDAP_USER_ATTR_MAP = {
 "first_name": {{ $.Values.remoteAuth.ldap.attrFirstName | quote }},
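Review bot: When `requireGroupDn` is empty or unset, the `range` inside the new `AUTH_LDAP_REQUIRE_GROUP = ( ... )` block emits nothing and the rendered Python is an empty tuple `()`, not the `None` that django-auth-ldap documents as "no group required"; the same happens for the `is_active`, `is_staff` and `is_superuser` entries of `AUTH_LDAP_USER_FLAGS_BY_GROUP`, each of which previously received a plain DN string. I have not checked the installed django-auth-ldap version, but an empty tuple is neither a DN string nor an `LDAPGroupQuery`, so I would expect it to raise during login rather than evaluate as "not a member" — worth confirming, and either way each setting should fall back to `None` or be omitted when its list is empty. The `is_active` entry also duplicates the `requireGroupDn` loop instead of reusing the variable defined a few lines above; `"is_active": AUTH_LDAP_REQUIRE_GROUP,` keeps the two in sync as the removed line did. Since `range` cannot iterate a string, existing values files that still set these keys as a single DN (the old `requireGroupDn: ''` form) will fail to render, which deserves an upgrade note for the chart. The enclosing `ldap_config.py` literal block starts and ends outside this hunk.
```yaml
        AUTH_LDAP_REQUIRE_GROUP = (
        {{- if $.Values.remoteAuth.ldap.requireGroupDn }}
        {{- range $index, $group := $.Values.remoteAuth.ldap.requireGroupDn }}
            LDAPGroupQuery({{ $group | quote }}){{ if ne (add $index 1) (len $.Values.remoteAuth.ldap.requireGroupDn) }} | {{ end }}
        {{- end }}
        {{- else }}
            None
        {{- end }}
        )
        # … unchanged: "Define special user types" comment and AUTH_LDAP_USER_FLAGS_BY_GROUP = { …
        {{- if $.Values.remoteAuth.ldap.requireGroupDn }}
            "is_active": AUTH_LDAP_REQUIRE_GROUP,
        {{- end }}
        {{- if $.Values.remoteAuth.ldap.isAdminDn }}
            "is_staff": (
            {{- range $index, $group := $.Values.remoteAuth.ldap.isAdminDn }}
                LDAPGroupQuery({{ $group | quote }}){{ if ne (add $index 1) (len $.Values.remoteAuth.ldap.isAdminDn) }} | {{ end }}
            {{- end }}
            ),
        {{- end }}
        # … unchanged in shape: "is_superuser" guarded the same way with isSuperUserDn, then the closing brace …
```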
@@ -302,11 +323,11 @@ data:
 AUTH_LDAP_GROUP_SEARCH_BASEDN: {{ $.Values.remoteAuth.ldap.groupSearchBaseDn | quote }}
 AUTH_LDAP_GROUP_SEARCH_CLASS: {{ $.Values.remoteAuth.ldap.groupSearchClass | quote }}
 AUTH_LDAP_GROUP_TYPE: {{ $.Values.remoteAuth.ldap.groupType | quote }}
- AUTH_LDAP_REQUIRE_GROUP: {{ $.Values.remoteAuth.ldap.requireGroupDn | quote }}
 AUTH_LDAP_FIND_GROUP_PERMS: {{ toJson $.Values.remoteAuth.ldap.findGroupPerms }}
 AUTH_LDAP_MIRROR_GROUPS: {{ toJson $.Values.remoteAuth.ldap.mirrorGroups }}
 AUTH_LDAP_MIRROR_GROUPS_EXCEPT: {{ toJson $.Values.remoteAuth.ldap.mirrorGroupsExcept }}
 AUTH_LDAP_CACHE_TIMEOUT: {{ int $.Values.remoteAuth.ldap.cacheTimeout }}
+
 {{- if $.Values.remoteAuth.ldap.caCertData }}
 ldap_ca.crt: {{- toYaml $.Values.remoteAuth.ldap.caCertData | indent 4 }}
 {{- end }}
diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml
index d5977fed..41f9b7fb 100644
--- a/charts/netbox/values.yaml
+++ b/charts/netbox/values.yaml
@@ -377,13 +377,17 @@ remoteAuth:
 # groupSearchBaseDn: 'OU=Groups,OU=MyCompany,DC=domain,dc=com'
 # groupSearchClass: 'group'
 # groupType: 'GroupOfNamesType'
- # requireGroupDn: ''
+ # requireGroupDn:
+ # - 'CN=Network Configuration Operators,CN=Builtin,DC=domain,dc=com'
+ # - 'CN=Domain Admins,CN=Users,DC=domain,dc=com'
+ # isAdminDn:
+ # - 'CN=Domain Admins,CN=Users,DC=domain,dc=com'
+ # isSuperUserDn:
+ # - 'CN=Domain Admins,CN=Users,DC=domain,dc=com'
 # findGroupPerms: true
 # mirrorGroups: true
 # mirrorGroupsExcept: null
 # cacheTimeout: 3600
- # isAdminDn: 'CN=Network Configuration Operators,CN=Builtin,DC=domain,dc=com'
- # isSuperUserDn: 'CN=Domain Admins,CN=Users,DC=domain,dc=com'
 # attrFirstName: 'givenName'
 # attrLastName: 'sn'
 # attrMail: 'mail'
From a6a0c2bd99fcbefb54785b9643f3e01e3fabafb0 Mon Sep 17 00:00:00 2001
From: bl4ko
Date: Wed, 28 Aug 2024 21:06:20 +0200
Subject: [PATCH 2/4] fix comment indent and reset chart.lock
---
 charts/netbox/Chart.lock | 6 +++---
 charts/netbox/templates/configmap.yaml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/charts/netbox/Chart.lock b/charts/netbox/Chart.lock
index c10d9134..a96557c6 100644
--- a/charts/netbox/Chart.lock
+++ b/charts/netbox/Chart.lock
@@ -4,9 +4,9 @@ dependencies:
 version: 2.22.0
 - name: postgresql
 repository: oci://registry-1.docker.io/bitnamicharts
- version: 15.5.26
+ version: 15.5.23
 - name: redis
 repository: oci://registry-1.docker.io/bitnamicharts
 version: 20.0.3
-digest: sha256:f62a14fe30e5180b6fa9bdfa927c63be84926a1bfe809d774f6c723b32f4e6de
-generated: "2024-08-28T11:14:46.574269619+02:00"
+digest: sha256:c7cee1762f6496bb07f9e32520987956946d27c90f555c31e6e4508acc6e2877
+generated: "2024-08-21T15:03:50.816634-04:00"
diff --git a/charts/netbox/templates/configmap.yaml b/charts/netbox/templates/configmap.yaml
index 7d494777..403f644c 100644
--- a/charts/netbox/templates/configmap.yaml
+++ b/charts/netbox/templates/configmap.yaml
@@ -276,7 +276,7 @@ data:
 )
 AUTH_LDAP_GROUP_TYPE = _import_group_type(AUTH_LDAP_GROUP_TYPE)
- # Required groups to be able to login to Netbox
+ # Required groups to be able to login to Netbox
 AUTH_LDAP_REQUIRE_GROUP = (
 {{- range $index, $group := $.Values.remoteAuth.ldap.requireGroupDn }}
 LDAPGroupQuery({{ $group | quote }}){{ if ne (add $index 1) (len $.Values.remoteAuth.ldap.requireGroupDn) }} | {{ end }}
From 45123cd9e014b36e6c343116bd6af9ba9bf72027 Mon Sep 17 00:00:00 2001
From: bl4ko
Date: Wed, 28 Aug 2024 22:04:32 +0200
Subject: [PATCH 3/4] update chart version
---
 charts/netbox/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/netbox/Chart.yaml b/charts/netbox/Chart.yaml
index c7fd9274..c35b0ad0 100644
--- a/charts/netbox/Chart.yaml
+++ b/charts/netbox/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: netbox
-version: 5.0.0-beta.82
+version: 5.0.0-beta.83
 appVersion: "v4.0.9"
 type: application
 kubeVersion: ^1.25.0-0
From aac39d33f92658580694c27c4aec1c75f4c9f360 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C5=A1per=20Oblak?=
Date: Thu, 29 Aug 2024 09:26:40 +0200
Subject: [PATCH 4/4] fix trailing spaces in values.yaml
---
 charts/netbox/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/netbox/values.yaml b/charts/netbox/values.yaml
index 41f9b7fb..d200af7b 100644
--- a/charts/netbox/values.yaml
+++ b/charts/netbox/values.yaml
@@ -380,9 +380,9 @@ remoteAuth:
 # requireGroupDn:
 # - 'CN=Network Configuration Operators,CN=Builtin,DC=domain,dc=com'
 # - 'CN=Domain Admins,CN=Users,DC=domain,dc=com'
- # isAdminDn:
+ # isAdminDn:
 # - 'CN=Domain Admins,CN=Users,DC=domain,dc=com'
- # isSuperUserDn:
+ # isSuperUserDn:
 # - 'CN=Domain Admins,CN=Users,DC=domain,dc=com'
 # findGroupPerms: true
 # mirrorGroups: true