Skip to content

Instantly share code, notes, and snippets.

@tsailiming
Last active September 28, 2020 17:00
Show Gist options
  • Save tsailiming/c63bb0b9416b1748fb1ef6e2d7b46924 to your computer and use it in GitHub Desktop.
Save tsailiming/c63bb0b9416b1748fb1ef6e2d7b46924 to your computer and use it in GitHub Desktop.
Configuring ldap with Ansible Tower 3.0.3
LOGGING['handlers']['tower_warnings']['level'] = 'DEBUG'
###############################################################################
# LDAP AUTHENTICATION SETTINGS
###############################################################################
# Ansible Tower can be configured to centrally use LDAP as a source for
# authentication information. When so configured, a user who logs in with
# a LDAP username and password will automatically get an account created for
# them, and they can be automatically placed into multiple organizations as
# either regular users or organization administrators. If users are created
# via an LDAP login, by default they cannot change their username, firstname,
# lastname, or set a local password for themselves. This is also tunable
# to restrict editing of other field names.
# For more information about these various settings, advanced users may refer
# to django-auth-ldap docs, though this should not be neccessary for most
# users: http://pythonhosted.org/django-auth-ldap/authentication.html
# Imports needed for LDAP configuration.
# do not alter this section
import ldap
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
from django_auth_ldap.config import ActiveDirectoryGroupType
# LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
# "ldaps://ldap.example.com:636" (SSL). LDAP authentication is disabled if
# this parameter is empty or your license does not enable LDAP support.
AUTH_LDAP_SERVER_URI = 'ldap://192.168.56.102:389'
# DN (Distinguished Name) of user to bind for all search queries. Normally in the format
# "CN=Some User,OU=Users,DC=example,DC=com" but may also be specified as
# "DOMAIN\username" for Active Directory. This is the system user account
# we will use to login to query LDAP for other user information.
AUTH_LDAP_BIND_DN = 'CN=ldap_user,CN=Users,DC=ad,DC=example,DC=com'
# Password using to bind above user account.
AUTH_LDAP_BIND_PASSWORD = 'my-password'
# Whether to enable TLS when the LDAP connection is not using SSL.
AUTH_LDAP_START_TLS = False
# Additional options to set for the LDAP connection. LDAP referrals are
# disabled by default (to prevent certain LDAP queries from hanging with AD).
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0,
}
# LDAP search query to find users. Any user that matches the pattern
# below will be able to login to Tower. The user should also be mapped
# into an Tower organization (as defined later on in this file). If multiple
# search queries need to be supported use of "LDAPUnion" is possible. See
# python-ldap documentation as linked at the top of this section.
AUTH_LDAP_USER_SEARCH = LDAPSearch(
'CN=Users,DC=ad,DC=example,DC=com', # Base DN
ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
'(sAMAccountName=%(user)s)', # Query
)
# Alternative to user search, if user DNs are all of the same format. This will be
# more efficient for lookups than the above system if it is usable in your organizational
# environment. If this setting has a value it will be used instead of AUTH_LDAP_USER_SEARCH
# above.
#AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,OU=Users,DC=example,DC=com'
# Mapping of LDAP user schema to Tower API user atrributes (key is user attribute name, value is LDAP
# attribute name). The default setting in this configuration file is valid for ActiveDirectory but
# users with other LDAP configurations may need to change the values (not the keys) of the dictionary/hash-table
# below.
AUTH_LDAP_USER_ATTR_MAP = {
'first_name': 'givenName',
'last_name': 'sn',
'email': 'mail',
}
# Users in Tower are mapped to organizations based on their membership in LDAP groups. The following setting defines
# the LDAP search query to find groups. Note that this, unlike the user search above, does not support LDAPSearchUnion.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
'CN=Users,DC=ad,DC=example,DC=com', # Base DN
ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
'(objectClass=group)', # Query
)
# The group type import may need to be changed based on the type of the LDAP server.
# Values are listed at: http://pythonhosted.org/django-auth-ldap/groups.html#types-of-groups
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
# Group DN required to login. If specified, user must be a member of this
# group to login via LDAP. If not set, everyone in LDAP that matches the
# user search defined above will be able to login via Tower. Only one
# require group is supported.
AUTH_LDAP_REQUIRE_GROUP = 'CN=tower,CN=Users,DC=ad,DC=example,DC=com'
# Group DN denied from login. If specified, user will not be allowed to login
# if a member of this group. Only one deny group is supported.
#AUTH_LDAP_DENY_GROUP = ''
# User profile flags updated from group membership (key is user attribute name,
# value is group DN). These are boolean fields that are matched based on
# whether the user is a member of the given group. So far only is_superuser
# is settable via this method. This flag is set both true and false at login
# time based on current LDAP settings.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
#'is_superuser': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
}
# Mapping between organization admins/users and LDAP groups. This controls what
# users are placed into what Tower organizations relative to their LDAP group
# memberships. Keys are organization names. Organizations will be created if not present.
# Values are dictionaries defining the options for each organization's membership. For each organization
# it is possible to specify what groups are automatically users of the organization and also what
# groups can administer the organization.
#
# - admins: None, True/False, string or list/tuple of strings.
# If None, organization admins will not be updated based on LDAP values.
# If True, all users in LDAP will automatically be added as admins of the organization.
# If False, no LDAP users will be automatically added as admins of the organiation.
# If a string or list of strings, specifies the group DN(s) that will be added of the organization if they match
# any of the specified groups.
# - remove_admins: True/False. Defaults to True.
# If True, a user who is not an member of the given groups will be removed from the organization's administrative list.
# - users: None, True/False, string or list/tuple of strings. Same rules apply
# as for admins.
# - remove_users: True/False. Defaults to True. Same rules as apply for remove_admins
AUTH_LDAP_ORGANIZATION_MAP = {
'Product': {
'admins': ['CN=product_admin,CN=Users,DC=ad,DC=example,DC=com'],
'users': ['CN=product,CN=Users,DC=ad,DC=example,DC=com']
}
#'Test Org': {
# 'admins': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
# 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'],
# 'remove_users' : True,
# 'remove_admins' : True,
#},
#'Test Org 2': {
# 'admins': ['CN=Administrators,CN=Builtin,DC=example,DC=com'],
# 'users': True,
# 'remove_users' : True,
# 'remove_admins' : True,
#},
}
# Mapping between team members (users) and LDAP groups. Keys are team names
# (will be created if not present). Values are dictionaries of options for
# each team's membership, where each can contain the following parameters:
# - organization: string. The name of the organization to which the team
# belongs. The team will be created if the combination of organization and
# team name does not exist. The organization will first be created if it
# does not exist.
# - users: None, True/False, string or list/tuple of strings.
# If None, team members will not be updated.
# If True/False, all LDAP users will be added/removed as team members.
# If a string or list of strings, specifies the group DN(s). User will be
# added as a team member if the user is a member of ANY of these groups.
# - remove: True/False. Defaults to False. If True, a user who is not a member
# of the given groups will be removed from the team.
AUTH_LDAP_TEAM_MAP = {
'Dev': {
'organization': 'Product',
'users': ['CN=dev,CN=Users,DC=ad,DC=example,DC=com']
},
'QA': {
'organization': 'Product',
'users': ['CN=qa,CN=Users,DC=ad,DC=example,DC=com']
},
'Release': {
'organization': 'Product',
'users': ['CN=release,CN=Users,DC=ad,DC=example,DC=com']
},
#'My Team': {
# 'organization': 'Test Org',
# 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'],
# 'remove': True,
#},
#'Other Team': {
# 'organization': 'Test Org 2',
# 'users': 'CN=Other Users,CN=Users,DC=example,DC=com',
# 'remove': False,
#},
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment