LDAP Documentation Enhancement #400

Closed
opened 2025-12-29 16:21:40 +01:00 by adam · 5 comments
Owner

Originally created by @iamdadmin on GitHub (Aug 31, 2016).

Referring to http://netbox.readthedocs.io/en/latest/installation/ldap/ the following section needs a little more explanation for people who come in cold and have no basis for what the group mappings mean.

User Groups for Permissions

"is_active" - you must map all users to at least this group if you want their account to be treated as enabled. Without this, your users cannot log in.

"is_staff" - users mapped to this group are enabled for access to the Administration tools; this is the equivalent of checking the "Staff status" box on a manually created user. This doesn't necessarily imply additional privileges, which still need to be assigned via a group, or on a per-user basis.

"is_superuser" - users mapped to this group in addition to the "is_staff" group will be assumed to have full permissions to all modules. Without also being mapped to "is_staff", this group observably has no impact on your effective permissions.

Some more notes, specific to Windows Server Active Directory.

The following option should be set to None when using Windows Server 2012.

AUTH_LDAP_USER_DN_TEMPLATE = None

When using Windows Server 2012 you may also need to specify a different port on the AUTH_LDAP_SERVER_URI - 3269 for secure, 3268 for non-secure.

Server URI

AUTH_LDAP_SERVER_URI = "ldaps://my_server_or_ip:3269"

For this section, it would be good perhaps to link to the appropriate Django article to find a list of attributes. Sure, that's a bit let-me-google-that-for-you but it makes for a better read.

You can map user attributes to Django attributes as so.

AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "givenName",
    "last_name": "sn"
}

adam added the type: documentation label 2025-12-29 16:21:40 +01:00
adam closed this issue 2025-12-29 16:21:40 +01:00

@Mikecom32 commented on GitHub (Nov 30, 2016):

@marvnrawley Thank you for this. I couldn't figure out why my LDAP auth was failing, and changing the AUTH_LDAP_USER_DN_TEMPLATE setting to None fixed the problem (after trying a myriad of other things).


@farewelldave commented on GitHub (Dec 1, 2016):

I want to add my thanks to these additional notes to help with LDAP setup!

I also wanted to mention that for some reason, it seems that if you are a member of the "is_active" and "is_superuser" groups but not the "is_staff" group, the Django Admin link at top right is not visible.

This was not extensively tested, but Chrome only seemed to show the Admin link if you were a member of "is_staff". Furthermore, if you were in "is_active" and "is_staff" but not in "is_superuser", you were able to see the link, but not actually perform any actions.

It would make sense to me to hide the Admin link, unless the user is a member of the "is_superuser" group.

(if I need to make this into a separate issue, let me know - or mod feel free to move)
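
An added example, not part of the original issue, the comments above, or NetBox's documentation: a small pre-rollout audit that resolves the three flags from a user's group DNs the way a flag-to-group mapping does, and reports the combinations and the port pairing discussed in this thread. The group DNs, function names and finding codes are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Same shape as django-auth-ldap's AUTH_LDAP_USER_FLAGS_BY_GROUP.
# The group DNs are constructed sample values.
FLAGS_BY_GROUP = {
    "is_active": "CN=netbox-active,OU=Groups,DC=example,DC=com",
    "is_staff": "CN=netbox-staff,OU=Groups,DC=example,DC=com",
    "is_superuser": "CN=netbox-admins,OU=Groups,DC=example,DC=com",
}

def norm_dn(dn):
    """Simplified DN normalisation (assumption): lowercase, trim around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def resolve_flags(member_of, flags_by_group=FLAGS_BY_GROUP):
    """A flag is True only when the user is in the group mapped to it."""
    groups = {norm_dn(dn) for dn in member_of}
    return {flag: norm_dn(dn) in groups for flag, dn in flags_by_group.items()}

def audit_user(member_of):
    """Return (flags, findings) for one user's list of group DNs."""
    flags = resolve_flags(member_of)
    findings = []
    if not flags["is_active"]:
        findings.append("NO_LOGIN")  # account is treated as disabled
    if flags["is_superuser"] and not flags["is_staff"]:
        # Django's admin site requires is_active and is_staff, so the admin
        # link stays hidden; permission checks still pass for an active superuser.
        findings.append("SUPERUSER_WITHOUT_STAFF")
    if flags["is_staff"] and not flags["is_superuser"]:
        # Admin link is shown, but permissions must be granted separately.
        findings.append("STAFF_NEEDS_EXPLICIT_PERMS")
    return flags, findings

def audit_uri(uri):
    """Check scheme and port against the pairing given in the issue."""
    url = urlparse(uri)
    findings = []
    if url.scheme != "ldaps":
        findings.append("NO_LDAPS")  # cleartext unless StartTLS is configured
    expected = {"ldaps": 3269, "ldap": 3268}
    if url.port in expected.values() and url.port != expected.get(url.scheme):
        findings.append("PORT_SCHEME_MISMATCH")
    return findings

if __name__ == "__main__":
    # Constructed membership: active and superuser, but not staff.
    print(audit_user(["cn=netbox-active, ou=Groups, dc=example, dc=com",
                      "CN=netbox-admins,OU=Groups,DC=example,DC=com"]))
    print(audit_uri("ldap://my_server_or_ip:3268"))
```

Feeding it the group memberships exported from the directory before enabling LDAP login shows which accounts would end up disabled or with an unintended flag combination.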


@jeremystretch commented on GitHub (Mar 1, 2017):

Is anyone interested in submitting a PR for this?


@bellwood commented on GitHub (Apr 13, 2017):

PR made - if you don't like the usage of info blocks for the buffing please feel free to alter @jeremystretch

Thanks for the contribution @marvnrawley =)


@jeremystretch commented on GitHub (Jun 8, 2017):

Merged #1080


Reference: starred/netbox#400