AC-156. Implement LDAP organization mapping, update settings files and comments on LDAP configuration.

2026-03-22 11:25:08 -02:30 · 2013-09-09 17:20:43 -04:00
parent b363c71137
commit cad3612a8f
6 changed files with 543 additions and 90 deletions
--- a/awx/settings/local_settings.py.example
+++ b/awx/settings/local_settings.py.example
@@ -4,6 +4,10 @@
 # Local Django settings for AWX project.  Rename to "local_settings.py" and
 # edit as needed for your development environment.

+###############################################################################
+# MISC PROJECT SETTINGS
+###############################################################################
+
 ADMINS = (
    # ('Your Name', 'your_email@domain.com'),
 )
@@ -60,32 +64,13 @@ SECRET_KEY = 'p7z7g1ql4%6+(6nlebb6hdk7sd^&fnjpal308%n%+p^_e6vo1y'
 # reverse proxy.
 REMOTE_HOST_HEADERS = ['REMOTE_ADDR', 'REMOTE_HOST']

-# LDAP connection and authentication settings.  Refer to django-auth-ldap docs:
-# http://pythonhosted.org/django-auth-ldap/authentication.html
-AUTH_LDAP_SERVER_URI = ''
-AUTH_LDAP_BIND_DN = ''
-AUTH_LDAP_BIND_PASSWORD = ''
-AUTH_LDAP_START_TLS = False
+# Define additional environment variables to be passed to subprocess started by
+# the celery task.
+#AWX_TASK_ENV['FOO'] = 'BAR'

-import ldap
-from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
-
-# LDAP search query to find users.
-AUTH_LDAP_USER_SEARCH = LDAPSearch(
-    'OU=Users,DC=example,DC=com',
-    ldap.SCOPE_SUBTREE,
-    '(sAMAccountName=%(user)s)',
-)
-
-# Alternative to user search.
-#AUTH_LDAP_USER_DN_TEMPLATE = 'sAMAccountName=%(user)s,OU=Users,DC=example,DC=com'
-
-# Mapping of LDAP attributes to user attributes.
-AUTH_LDAP_USER_ATTR_MAP = {
-    'first_name': 'givenName',
-    'last_name': 'sn',
-    'email': 'mail',
-}
+###############################################################################
+# EMAIL SETTINGS
+###############################################################################

 # Email address that error messages come from.
 SERVER_EMAIL = 'root@localhost'
@@ -115,6 +100,10 @@ DEFAULT_FROM_EMAIL = 'webmaster@localhost'
 # or ...mail_managers.  Make sure to include the trailing space.
 EMAIL_SUBJECT_PREFIX = '[AWX] '

+###############################################################################
+# LOGGING SETTINGS
+###############################################################################
+
 # Enable logging to syslog. Setting level to ERROR captures 500 errors,
 # WARNING also logs 4xx responses.
 LOGGING['handlers']['syslog'] = {
@@ -142,9 +131,107 @@ LOGGING['handlers']['syslog'] = {
 #LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console']
 #LOGGING['loggers']['django_auth_ldap']['level'] = 'DEBUG'

-# Define additional environment variables to be passed to subprocess started by
-# the celery task.
-#AWX_TASK_ENV['FOO'] = 'BAR'
+###############################################################################
+# LDAP AUTHENTICATION SETTINGS
+###############################################################################
+
+# Refer to django-auth-ldap docs for more details:
+# http://pythonhosted.org/django-auth-ldap/authentication.html
+
+# LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
+# "ldaps://ldap.example.com:636" (SSL).  LDAP authentication is disable if this
+# parameter is empty.
+AUTH_LDAP_SERVER_URI = ''
+
+# DN of user to bind for all search queries. Normally in the format
+# "CN=Some User,OU=Users,DC=example,DC=com" but may also be specified as
+# "DOMAIN\username" for Active Directory.
+AUTH_LDAP_BIND_DN = ''
+
+# Password using to bind above user account.
+AUTH_LDAP_BIND_PASSWORD = ''
+
+# Enable TLS when the connection is not using SSL.
+AUTH_LDAP_START_TLS = False
+
+# Imports needed for remaining LDAP configuration.
+import ldap
+from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+from django_auth_ldap.config import ActiveDirectoryGroupType
+
+# LDAP search query to find users.
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+    'OU=Users,DC=example,DC=com',   # Base DN
+    ldap.SCOPE_SUBTREE,             # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
+    '(sAMAccountName=%(user)s)',    # Query
+)
+
+# Alternative to user search, if user DNs are all of the same format.
+#AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,OU=Users,DC=example,DC=com'
+
+# Mapping of LDAP to user atrributes (key is user attribute name, value is LDAP
+# attribute name).
+AUTH_LDAP_USER_ATTR_MAP = {
+    'first_name': 'givenName',
+    'last_name': 'sn',
+    'email': 'mail',
+}
+
+# LDAP search query to find groups. Does not support LDAPSearchUnion.
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+    'DC=example,DC=com',    # Base DN
+    ldap.SCOPE_SUBTREE,     # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
+    '(objectClass=group)',  # Query
+)
+# Type of group returned by the search above. Should be one of the types
+# listed at: http://pythonhosted.org/django-auth-ldap/groups.html#types-of-groups
+AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
+
+# Group DN required to login. If specified, user must be a member of this
+# group to login via LDAP.
+AUTH_LDAP_REQUIRE_GROUP = ''
+
+# Group DN denied from login. If specified, user will not be allowed to login
+# if a member of this group.
+AUTH_LDAP_DENY_GROUP = ''
+
+# User profile flags updated from group membership (key is user attribute name,
+# value is group DN).
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+    #'is_superuser': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
+}
+
+# Mapping between organization admins/users and LDAP groups. Keys are
+# organization names (will be created if not present). Values are dictionaries
+# of options for each organization's membership, where each can contain the
+# following parameters:
+# - remove: True/False. Defaults to False. Specifies the default for
+#   remove_admins or remove_users if those parameters aren't explicitly set.
+# - admins: None, True/False, string or list/tuple of strings.
+#   If None, organization admins will not be updated.
+#   If True/False, all LDAP users will be added/removed as admins.
+#   If a string or list of strings, specifies the group DN(s). User will be
+#   added as an org admin if the user is a member of ANY of these groups.
+# - remove_admins: True/False. Defaults to False. If True, a user who is not an
+#   member of the given groups will be removed from the organization's admins.
+# - users: None, True/False, string or list/tuple of strings. Same rules apply
+#   as for admins.
+# - remove_users: True/False. Defaults to False. If True, a user who is not a
+#   member of the given groups will be removed from the organization's users.
+AUTH_LDAP_ORGANIZATION_MAP = {
+    #'Test Org': {
+    #    'admins': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
+    #    'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'],
+    #},
+    #'Test Org 2': {
+    #    'admins': ['CN=Administrators,CN=Builtin,DC=example,DC=com'],
+    #    'users': True,
+    #},
+}
+
+###############################################################################
+# SCM TEST SETTINGS
+###############################################################################

 # Define these variables to enable more complete testing of project support for
 # SCM updates.
@@ -173,9 +260,13 @@ TEST_SVN_PASSWORD = ''
 TEST_SVN_PUBLIC_HTTPS = 'https://github.com/ansible/ansible-examples'
 TEST_SVN_PRIVATE_HTTPS = 'https://github.com/ansible/ansible-doc'

+###############################################################################
+# LDAP TEST SETTINGS
+###############################################################################
+
 # LDAP connection and authentication settings for unit tests only.  LDAP tests
-# will be skipped if not configured. Refer to django-auth-ldap docs:
-# http://pythonhosted.org/django-auth-ldap/authentication.html
+# will be skipped if TEST_AUTH_LDAP_SERVER_URI is not configured.
+
 TEST_AUTH_LDAP_SERVER_URI = ''
 TEST_AUTH_LDAP_BIND_DN = ''
 TEST_AUTH_LDAP_BIND_PASSWORD = ''
@@ -187,13 +278,13 @@ TEST_AUTH_LDAP_PASSWORD = ''

 # LDAP search query to find users.
 TEST_AUTH_LDAP_USER_SEARCH = LDAPSearch(
-    'OU=Users,DC=example,DC=com',
+    'CN=Users,DC=example,DC=com',
    ldap.SCOPE_SUBTREE,
    '(sAMAccountName=%(user)s)',
 )

 # Alternative to user search.
-TEST_AUTH_LDAP_USER_DN_TEMPLATE = 'sAMAccountName=%(user)s,OU=Users,DC=example,DC=com'
+#TEST_AUTH_LDAP_USER_DN_TEMPLATE = 'sAMAccountName=%(user)s,OU=Users,DC=example,DC=com'

 # Mapping of LDAP attributes to user attributes.
 TEST_AUTH_LDAP_USER_ATTR_MAP = {
@@ -201,3 +292,68 @@ TEST_AUTH_LDAP_USER_ATTR_MAP = {
    'last_name': 'sn',
    'email': 'mail',
 }
+
+# LDAP search query for finding groups.
+TEST_AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+    'DC=example,DC=com',
+    ldap.SCOPE_SUBTREE,
+    '(objectClass=group)',
+)
+# Type of group returned by the search above.
+TEST_AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
+
+# Test DNs for a group required to login.  User should be a member of the first
+# group, but not a member of the second.
+TEST_AUTH_LDAP_REQUIRE_GROUP = 'CN=Domain Admins,CN=Users,DC=example,DC=com'
+TEST_AUTH_LDAP_REQUIRE_GROUP_FAIL = 'CN=Guest,CN=Users,DC=example,DC=com'
+
+# Test DNs for a group denied from login.  User should not be a member of the
+# first group, but should be a member of the second.
+TEST_AUTH_LDAP_DENY_GROUP = 'CN=Guest,CN=Users,DC=example,DC=com'
+TEST_AUTH_LDAP_DENY_GROUP_FAIL = 'CN=Domain Admins,CN=Users,DC=example,DC=com'
+
+# User profile flags updated from group membership.  Test user should be a
+# member of the group.
+TEST_AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+    'is_superuser': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
+}
+
+# Test mapping between organization admins/users and LDAP groups.
+TEST_AUTH_LDAP_ORGANIZATION_MAP = {
+    'Test Org': {
+        'admins': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
+        'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'],
+    },
+    'Test Org 2': {
+        'admins': ['CN=Administrators,CN=Builtin,DC=example,DC=com'],
+        'users': True,
+    },
+}
+# Expected results from organization mapping.  After login, should user be an
+# admin/user in the given organization?
+TEST_AUTH_LDAP_ORGANIZATION_MAP_RESULT = {
+    'Test Org': {'admins': True, 'users': False},
+    'Test Org 2': {'admins': False, 'users': True},
+}
+
+# Second test mapping to test remove parameters.
+TEST_AUTH_LDAP_ORGANIZATION_MAP_2 = {
+    'Test Org': {
+        'admins': 'CN=Domain Users,CN=Users,DC=example,DC=com',
+        'users': True,
+        'remove_admins': True,
+        'remove_users': False,
+    },
+    'Test Org 2': {
+        'admins': ['CN=Domain Admins,CN=Users,DC=example,DC=com',
+                   'CN=Administrators,CN=Builtin,DC=example,DC=com'],
+        'users': False,
+        'remove': True,
+    },
+}
+
+# Expected results from second organization mapping.
+TEST_AUTH_LDAP_ORGANIZATION_MAP_2_RESULT = {
+    'Test Org': {'admins': False, 'users': True},
+    'Test Org 2': {'admins': True, 'users': False},
+}