Remote users (LDAP backend) with limited rights lost ability to use RestAPI #8179

Closed
opened 2025-12-29 20:33:31 +01:00 by adam · 4 comments
Originally created by @stavr666 on GitHub (Jun 9, 2023).

Originally assigned to: @rmanyari on GitHub.

NetBox version

v3.5.3

Python version

3.10

Steps to Reproduce

Prerequisite

configuration.py contains:

REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'netbox.authentication.LDAPBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}

ldap_config.py contains:

AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_MIRROR_GROUPS = False
AUTH_LDAP_FIND_GROUP_PERMS = True

I can add the full files with masked data paths, if needed.

Our config allows us to have users with rights assigned by AD group membership. But when checking Django group membership, there is none (we are OK with it; we had no issues before):
(screenshot)
If we turn on mirroring, a whole bunch of tens of thousands of groups from AD will be loaded into NetBox.

Issue steps

  1. Add one user (Bob) to the admin and staff groups, and another (Alice) to the access group.
  2. Create permissions to view anything (or some limited list of objects; we have both scenarios) and assign them to Alice.
  3. Both Bob and Alice can log in to the UI and view any objects.
  4. Create 2 (read-only in our case) tokens, one for Alice and the other for Bob.

Expected Behavior

Tokens must work anywhere and return any data for both users.

Observed Behavior

Both users can use UI, /api/ and /api/schema/swagger-ui/ endpoints while logged in.

Both of them also receive a correct answer in Swagger with the token used (it's likely ignored, because it returns a correct answer with a wrong token).

Outside of the NetBox app (from curl, PoSh, Grafana requests) it returns a "You do not have permission to perform this action." error.


The problem did not exist in 3.0 and 3.1. I used several accounts in Grafana tests before moving NetBox to production, and it worked.

Now I must explicitly define group membership of the user for the API only.

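The report above hinges on two observations: a token tested from Swagger UI while logged in looks fine (a wrong token still "works"), while the same token sent from curl gets "You do not have permission to perform this action.". The probe below, an added example that is not part of the issue or of the NetBox project, sends three requests with no cookie jar (real token, deliberately wrong token, no token) and classifies the outcome, so a browser session cannot mask what the token itself is allowed to do. The base URL, path and token are command-line inputs; the classification labels are my own.

```python
# Added example, not NetBox project code: probe whether a REST API token is
# honoured by sending only an Authorization: Token header (no cookies), which
# is what curl/PowerShell/Grafana do and what Swagger UI in a logged-in
# browser does not.
import urllib.error
import urllib.request

PERMISSION_DENIED = "You do not have permission to perform this action."
BOGUS_TOKEN = "0" * 40  # deliberately wrong token (40 chars, like a real NetBox key)


def fetch(base_url, path, token=None, timeout=10):
    """GET base_url+path carrying at most an Authorization header.

    urllib sends no cookies, so the answer reflects the token alone.
    Returns (status_code, body_text); HTTP errors are returned, not raised.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + path, headers={"Accept": "application/json"}
    )
    if token is not None:
        req.add_header("Authorization", f"Token {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def classify(valid, bogus, anonymous):
    """Interpret three (status, body) results for the same path.

    valid     - request sent with the real token
    bogus     - same request with a deliberately wrong token
    anonymous - same request with no Authorization header
    """
    v_status, v_body = valid
    b_status, _ = bogus
    a_status, _ = anonymous
    if v_status == 200 and b_status == 200 and a_status == 200:
        return "no-auth-required"  # open endpoint; says nothing about the token
    if v_status == 200 and b_status == 200:
        # Wrong token accepted: another credential (e.g. a browser session
        # cookie, as with Swagger UI while logged in) is authenticating.
        return "token-ignored"
    if v_status == 200 and b_status in (401, 403):
        return "token-honoured"
    if v_status == 403 and PERMISSION_DENIED in v_body:
        # The symptom in this issue: the token identifies a user, but that
        # user ends up with no effective permissions via the API.
        return "token-accepted-but-no-permissions"
    return f"unexpected (valid={v_status}, bogus={b_status}, anon={a_status})"


def probe(base_url, path, token, fetch_fn=fetch):
    """Run the three requests and classify; fetch_fn is injectable for tests."""
    valid = fetch_fn(base_url, path, token)
    bogus = fetch_fn(base_url, path, BOGUS_TOKEN)
    anonymous = fetch_fn(base_url, path, None)
    return classify(valid, bogus, anonymous)


if __name__ == "__main__":
    import sys

    # Usage: python probe_token.py https://netbox.example.com <token> [/api/dcim/sites/]
    url, tok = sys.argv[1], sys.argv[2]
    path = sys.argv[3] if len(sys.argv) > 3 else "/api/dcim/sites/"
    print(probe(url, path, tok))
```

Run it once per token (Alice's and Bob's) against a read-only list endpoint. "token-honoured" means the token and the user's permissions both work outside the browser; "token-accepted-but-no-permissions" reproduces the report; "token-ignored" is the Swagger trap, where a wrong token still returns data because the session cookie did the authentication.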
adam added the type: bugstatus: accepted labels 2025-12-29 20:33:31 +01:00
adam closed this issue 2025-12-29 20:33:31 +01:00

@kkthxbye-code commented on GitHub (Jun 12, 2023):

See https://github.com/netbox-community/netbox/discussions/12858#discussioncomment-6148488

To verify the cause, please try to install django-auth-ldap==4.1.0


@desnoe commented on GitHub (Jun 22, 2023):

> See [#12858 (reply in thread)](https://github.com/netbox-community/netbox/discussions/12858#discussioncomment-6148488)
>
> To verify the cause, please try to install django-auth-ldap==4.1.0

Hello, I tried using django-auth-ldap==4.1.0. Same behaviour as with 4.3.0.


@kkthxbye-code commented on GitHub (Jun 26, 2023):

@rmanyari - figured out what's wrong in the linked duplicate issue above. When he responds here, he should be assigned this issue.


@rmanyari commented on GitHub (Jun 26, 2023):

Happy to contribute, feel free to assign this to me

Reference: starred/netbox#8179