summaryrefslogtreecommitdiffstats
path: root/config/deb/settings.py
diff options
context:
space:
mode:
authorChris Church <chris@ninemoreminutes.com>2013-09-09 23:20:43 +0200
committerChris Church <chris@ninemoreminutes.com>2013-09-09 23:20:48 +0200
commitcad3612a8ff2a41f1ebeaac4f9123a36b2fdb002 (patch)
treef3b34f24fc2fa5722098408174d93805bb2d7e0f /config/deb/settings.py
parentFixed js error that stopped login dialog from rendering in FF. (diff)
downloadawx-cad3612a8ff2a41f1ebeaac4f9123a36b2fdb002.tar.xz
awx-cad3612a8ff2a41f1ebeaac4f9123a36b2fdb002.zip
AC-156. Implement LDAP organization mapping, update settings files and comments on LDAP configuration.
Diffstat (limited to 'config/deb/settings.py')
-rw-r--r--config/deb/settings.py138
1 files changed, 110 insertions, 28 deletions
diff --git a/config/deb/settings.py b/config/deb/settings.py
index 015d074de3..106923af11 100644
--- a/config/deb/settings.py
+++ b/config/deb/settings.py
@@ -1,3 +1,7 @@
+###############################################################################
+# MISC PROJECT SETTINGS
+###############################################################################
+
ADMINS = (
#('Joe Admin', 'joeadmin@example.com'),
)
@@ -32,19 +36,13 @@ SECRET_KEY = file('/etc/awx/SECRET_KEY', 'rb').read().strip()
ALLOWED_HOSTS = ['*']
-LOGGING['handlers']['syslog'] = {
- # ERROR captures 500 errors, WARNING also logs 4xx responses.
- 'level': 'ERROR',
- 'filters': ['require_debug_false'],
- 'class': 'logging.handlers.SysLogHandler',
- 'address': '/dev/log',
- 'facility': 'local0',
- 'formatter': 'simple',
-}
-
AWX_TASK_ENV['HOME'] = '/var/lib/awx'
AWX_TASK_ENV['USER'] = 'awx'
+###############################################################################
+# EMAIL SETTINGS
+###############################################################################
+
SERVER_EMAIL = 'root@localhost'
DEFAULT_FROM_EMAIL = 'webmaster@localhost'
EMAIL_SUBJECT_PREFIX = '[AnsibleWorks] '
@@ -55,30 +53,114 @@ EMAIL_HOST_USER = ''
EMAIL_HOST_PASSWORD = ''
EMAIL_USE_TLS = False
-# LDAP connection and authentication settings. Refer to django-auth-ldap docs:
+###############################################################################
+# LOGGING SETTINGS
+###############################################################################
+
+LOGGING['handlers']['syslog'] = {
+ # ERROR captures 500 errors, WARNING also logs 4xx responses.
+ 'level': 'ERROR',
+ 'filters': ['require_debug_false'],
+ 'class': 'logging.handlers.SysLogHandler',
+ 'address': '/dev/log',
+ 'facility': 'local0',
+ 'formatter': 'simple',
+}
+
+###############################################################################
+# LDAP AUTHENTICATION SETTINGS
+###############################################################################
+
+# Refer to django-auth-ldap docs for more details:
# http://pythonhosted.org/django-auth-ldap/authentication.html
+# LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
+# "ldaps://ldap.example.com:636" (SSL). LDAP authentication is disable if this
+# parameter is empty.
AUTH_LDAP_SERVER_URI = ''
+
+# DN of user to bind for all search queries. Normally in the format
+# "CN=Some User,OU=Users,DC=example,DC=com" but may also be specified as
+# "DOMAIN\username" for Active Directory.
AUTH_LDAP_BIND_DN = ''
+
+# Password using to bind above user account.
AUTH_LDAP_BIND_PASSWORD = ''
+
+# Enable TLS when the connection is not using SSL.
AUTH_LDAP_START_TLS = False
-#import ldap
-#from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+# Imports needed for remaining LDAP configuration.
+import ldap
+from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+from django_auth_ldap.config import ActiveDirectoryGroupType
# LDAP search query to find users.
-#AUTH_LDAP_USER_SEARCH = LDAPSearch(
-# 'OU=Users,DC=example,DC=com',
-# ldap.SCOPE_SUBTREE,
-# '(sAMAccountName=%(user)s)',
-#)
-
-# Alternative to user search.
-#AUTH_LDAP_USER_DN_TEMPLATE = 'sAMAccountName=%(user)s,OU=Users,DC=example,DC=com'
-
-# Mapping of LDAP attributes to user attributes.
-#AUTH_LDAP_USER_ATTR_MAP = {
-# 'first_name': 'givenName',
-# 'last_name': 'sn',
-# 'email': 'mail',
-#}
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+ 'OU=Users,DC=example,DC=com', # Base DN
+ ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
+ '(sAMAccountName=%(user)s)', # Query
+)
+
+# Alternative to user search, if user DNs are all of the same format.
+#AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,OU=Users,DC=example,DC=com'
+
+# Mapping of LDAP to user atrributes (key is user attribute name, value is LDAP
+# attribute name).
+AUTH_LDAP_USER_ATTR_MAP = {
+ 'first_name': 'givenName',
+ 'last_name': 'sn',
+ 'email': 'mail',
+}
+
+# LDAP search query to find groups. Does not support LDAPSearchUnion.
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+ 'DC=example,DC=com', # Base DN
+ ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
+ '(objectClass=group)', # Query
+)
+# Type of group returned by the search above. Should be one of the types
+# listed at: http://pythonhosted.org/django-auth-ldap/groups.html#types-of-groups
+AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
+
+# Group DN required to login. If specified, user must be a member of this
+# group to login via LDAP.
+AUTH_LDAP_REQUIRE_GROUP = ''
+
+# Group DN denied from login. If specified, user will not be allowed to login
+# if a member of this group.
+AUTH_LDAP_DENY_GROUP = ''
+
+# User profile flags updated from group membership (key is user attribute name,
+# value is group DN).
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+ #'is_superuser': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
+}
+
+# Mapping between organization admins/users and LDAP groups. Keys are
+# organization names (will be created if not present). Values are dictionaries
+# of options for each organization's membership, where each can contain the
+# following parameters:
+# - remove: True/False. Defaults to False. Specifies the default for
+# remove_admins or remove_users if those parameters aren't explicitly set.
+# - admins: None, True/False, string or list/tuple of strings.
+# If None, organization admins will not be updated.
+# If True/False, all LDAP users will be added/removed as admins.
+# If a string or list of strings, specifies the group DN(s). User will be
+# added as an org admin if the user is a member of ANY of these groups.
+# - remove_admins: True/False. Defaults to False. If True, a user who is not an
+# member of the given groups will be removed from the organization's admins.
+# - users: None, True/False, string or list/tuple of strings. Same rules apply
+# as for admins.
+# - remove_users: True/False. Defaults to False. If True, a user who is not a
+# member of the given groups will be removed from the organization's users.
+AUTH_LDAP_ORGANIZATION_MAP = {
+ #'Test Org': {
+ # 'admins': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
+ # 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'],
+ #},
+ #'Test Org 2': {
+ # 'admins': ['CN=Administrators,CN=Builtin,DC=example,DC=com'],
+ # 'users': True,
+ #},
+}