1
0
Fork 0
mirror of https://github.com/retspen/webvirtcloud synced 2024-12-24 23:25:24 +00:00

Add new template config and README blocks

This commit is contained in:
Amélie Krejčí 2023-09-11 21:39:05 +02:00
parent 74ee2c073a
commit 561fedfccd
No known key found for this signature in database
GPG key ID: 65B7BB4B1A0D9402
2 changed files with 73 additions and 57 deletions

View file

@ -385,55 +385,73 @@ python manage.py test
## LDAP Configuration ## LDAP Configuration
The example settings are based on an OpenLDAP server with groups defined as "cn" of class "groupOfUniqueNames" The config options below can be changed in `webvirtcloud/settings.py` file. Variants for Active Directory and OpenLDAP are shown. This is a minimal config to get LDAP running, for further info read the [django-auth-ldap documentation](https://django-auth-ldap.readthedocs.io).
Enable LDAP Enable LDAP
```bash ```bash
sudo sed -i "s/LDAP_ENABLED = False/LDAP_ENABLED = True/g"" /srv/webvirtcloud/webvirtcloud/settings.py sudo sed -i "s~#\"django_auth_ldap.backend.LDAPBackend\",~\"django_auth_ldap.backend.LDAPBackend\",~g" /srv/webvirtcloud/webvirtcloud/settings.py
``` ```
Set the LDAP server name and root DN Set the LDAP server name and bind DN
```bash ```python
sudo sed -i "s/LDAP_URL = ''/LDAP_URL = 'myldap.server.com'/g"" /srv/webvirtcloud/webvirtcloud/settings.py # Active Directory
sudo sed -i "s/LDAP_ROOT_DN = ''/LDAP_ROOT_DN = 'dc=server,dc=com'/g"" /srv/webvirtcloud/webvirtcloud/settings.py AUTH_LDAP_SERVER_URI = "ldap://example.com"
AUTH_LDAP_BIND_DN = "username@example.com"
AUTH_LDAP_BIND_PASSWORD = "password"
# OpenLDAP
AUTH_LDAP_SERVER_URI = "ldap://example.com"
AUTH_LDAP_BIND_DN = "CN=username,CN=Users,OU=example,OU=com"
AUTH_LDAP_BIND_PASSWORD = "password"
``` ```
Set the passphrase to decrypt the password Set the user filter and user and group search base and filter
```bash
sudo sed -i "s/pass:MYPASSPHRASE/pass:MYTRUEPASSPHRASE/g" /srv/webvirtcloud/webvirtcloud/.dec_ldap_pwd.sh ```python
# Active Directory
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"CN=Users,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"
)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
"CN=Users,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(objectClass=group)"
)
AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
# OpenLDAP
AUTH_LDAP_USER_SEARCH = LDAPSearch(
"CN=Users,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(cn=%(user)s)"
)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
"CN=Users,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(objectClass=groupOfUniqueNames)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType() # import needs to be changed at the top of settings.py
``` ```
Encrypt the password Set group which is required to access WebVirtCloud. You may set this to `False` to disable this filter.
```bash
echo MYPASSWORD | openssl enc -pbkdf2 -salt -pass pass:MYTRUEPASSPHRASE | base64 ```python
AUTH_LDAP_REQUIRE_GROUP = "CN=WebVirtCloud Access,CN=Users,DC=example,DC=com"
``` ```
Set the user that has browse access to LDAP and its password encrypted Populate user fields with values from LDAP
```bash ```python
sudo sed -i "s/LDAP_MASTER_DN = ''/LDAP_MASTER_DN = 'cn=admin,ou=users,dc=kendar,dc=org'/g"" /srv/webvirtcloud/webvirtcloud/settings.py AUTH_LDAP_USER_FLAGS_BY_GROUP = {
sudo sed -i "s/LDAP_MASTER_PW_ENC = ''/LDAP_MASTER_PW_ENC = 'MYPASSWORDENCRYPTED'/g"" /srv/webvirtcloud/webvirtcloud/settings.py "is_staff": "CN=WebVirtCloud Staff,CN=Users,DC=example,DC=com",
"is_superuser": "CN=WebVirtCloud Admins,CN=Users,DC=example,DC=com",
}
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail",
}
``` ```
Set the attribute that will be used to find the username, i usually use the cn Now when you login with an LDAP user it will be assigned the rights defined. The user will be authenticated then with LDAP and authorized through the WebVirtCloud permissions.
```bash If you'd like to move a user from ldap to WebVirtCloud, just change its password from the UI and (eventually) remove from the group in LDAP.
sudo sed -i "s/LDAP_USER_UID_PREFIX = ''/LDAP_USER_UID_PREFIX = 'cn'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
```
You can now create the filters to retrieve the users for the various group. This will be used during the user creation only
```bash
sudo sed -i "s/LDAP_SEARCH_GROUP_FILTER_ADMINS = ''/LDAP_SEARCH_GROUP_FILTER_ADMINS = 'memberOf=cn=admins,dc=kendar,dc=org'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
sudo sed -i "s/LDAP_SEARCH_GROUP_FILTER_STAFF = ''/LDAP_SEARCH_GROUP_FILTER_STAFF = 'memberOf=cn=staff,dc=kendar,dc=org'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
sudo sed -i "s/LDAP_SEARCH_GROUP_FILTER_USERS = ''/LDAP_SEARCH_GROUP_FILTER_USERS = 'memberOf=cn=users,dc=kendar,dc=org'/g"" /srv/webvirtcloud/webvirtcloud/settings.py
```
Now when you login with an LDAP user it will be assigned the rights defined. The user will be authenticated then with ldap and authorized through the WebVirtCloud permissions.
If you'd like to move a user from ldap to WebVirtCloud, just change its password from the UI and (eventually) remove from the group in ldap
## REST API / BETA ## REST API / BETA

View file

@ -3,7 +3,9 @@ Django settings for webvirtcloud project.
""" """
import ldap
import subprocess import subprocess
from django_auth_ldap.config import LDAPSearch, NestedActiveDirectoryGroupType
from pathlib import Path from pathlib import Path
# Build paths inside the project like this: BASE_DIR / 'subdir'. # Build paths inside the project like this: BASE_DIR / 'subdir'.
@ -101,7 +103,7 @@ DATABASES = {
AUTHENTICATION_BACKENDS = [ AUTHENTICATION_BACKENDS = [
"django.contrib.auth.backends.ModelBackend", "django.contrib.auth.backends.ModelBackend",
"webvirtcloud.ldapbackend.LdapAuthenticationBackend", #"django_auth_ldap.backend.LDAPBackend",
] ]
LOGIN_URL = "/accounts/login/" LOGIN_URL = "/accounts/login/"
@ -280,27 +282,23 @@ EMAIL_HOST_PASSWORD = ''
# LDAP Config # LDAP Config
# #
LDAP_ENABLED = False AUTH_LDAP_SERVER_URI = "ldap://example.com"
LDAP_URL = '' AUTH_LDAP_BIND_DN = "username@example.com"
LDAP_PORT = 389 AUTH_LDAP_BIND_PASSWORD = "password"
USE_SSL = False AUTH_LDAP_USER_SEARCH = LDAPSearch(
## The user with search rights on ldap. (e.g cn=admin,dc=kendar,dc=org) "CN=Users,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(sAMAccountName=%(user)s)"
LDAP_MASTER_DN = '' )
LDAP_MASTER_PW_ENC = '' AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
LDAP_MASTER_PW = subprocess.Popen(["bash", str(BASE_DIR) + "/webvirtcloud/.dec_ldap_pwd.sh", LDAP_MASTER_PW_ENC],stdout=subprocess.PIPE, encoding='utf8').stdout.read().strip('\n') "CN=Users,DC=example,DC=com", ldap.SCOPE_SUBTREE, "(objectClass=group)"
## The root dn (e.g. dc=kendar,dc=org) )
LDAP_ROOT_DN = '' AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType()
## Queries to identify the users, i use groupOfUniqueNames on openldap AUTH_LDAP_REQUIRE_GROUP = "CN=WebVirtCloud Access,CN=Users,DC=example,DC=com"
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
### PLEASE BE SURE memberOf overlay is activated on slapd "is_staff": "CN=WebVirtCloud Staff,CN=Users,DC=example,DC=com",
## e.g. memberOf=cn=admins,cn=staff,cn=technicians,cn=webvirtcloud,ou=groups,dc=kendar,dc=org "is_superuser": "CN=WebVirtCloud Admins,CN=Users,DC=example,DC=com",
LDAP_SEARCH_GROUP_FILTER_ADMINS = '' }
## e.g. memberOf=cn=staff,cn=technicians,cn=webvirtcloud,ou=groups,dc=kendar,dc=org AUTH_LDAP_USER_ATTR_MAP = {
LDAP_SEARCH_GROUP_FILTER_STAFF = '' "first_name": "givenName",
## e.g. memberOf=cn=technicians,cn=webvirtcloud,ou=groups,dc=kendar,dc=org "last_name": "sn",
LDAP_SEARCH_GROUP_FILTER_TECHNICIANS = '' "email": "mail",
## e.g. memberOf=cn=webvirtcloud,ou=groups,dc=kendar,dc=org }
LDAP_SEARCH_GROUP_FILTER_USERS = ''
## The user name prefix to identify the user name (e.g. cn)
LDAP_USER_UID_PREFIX = ''