authorMichael DeHaan <michael@ansibleworks.com>2013-09-12 21:08:46 +0200
committerMichael DeHaan <michael@ansibleworks.com>2013-09-12 21:08:46 +0200
commit9ed555379db8ba368b577ea303c3cec0035c44d4 (patch)
tree0cf6130660e6c563de02b025f6bcbdb51f5b8383 /config
parentChanged project updates to use -v instead of -vvv. (diff)
Add comments to LDAP settings
Diffstat (limited to 'config')
-rw-r--r--config/deb/settings.py107
-rw-r--r--config/rpm/settings.py107
2 files changed, 154 insertions, 60 deletions
diff --git a/config/deb/settings.py b/config/deb/settings.py
index 318de15b02..f51acaab92 100644
--- a/config/deb/settings.py
+++ b/config/deb/settings.py
@@ -71,96 +71,143 @@ LOGGING['handlers']['syslog'] = {
# LDAP AUTHENTICATION SETTINGS
###############################################################################
-# Refer to django-auth-ldap docs for more details:
-# http://pythonhosted.org/django-auth-ldap/authentication.html
+# AnsibleWorks AWX can be configured to centrally use LDAP as a source for
+# authentication information. When so configured, a user who logs in with
+# a LDAP username and password will automatically get an AWX account created
+# for them, and they can be automatically placed into multiple organizations
+# as either regular users or organization administrators. If users are created
+# via an LDAP login, by default they cannot change their username, firstname,
+# lastname, or set a local password for themselves. This is also tunable
+# to restrict editing of other field names.
+
+# For more information about these various settings, advanced users may refer
+# to django-auth-ldap docs, though this should not be neccessary for most
+# users: http://pythonhosted.org/django-auth-ldap/authentication.html
# LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
-# "ldaps://ldap.example.com:636" (SSL). LDAP authentication is disable if this
+# "ldaps://ldap.example.com:636" (SSL). LDAP authentication is disabled if this
# parameter is empty.
+
AUTH_LDAP_SERVER_URI = ''
-# DN of user to bind for all search queries. Normally in the format
+# DN (Distinguished Name) of user to bind for all search queries. Normally in the format
# "CN=Some User,OU=Users,DC=example,DC=com" but may also be specified as
-# "DOMAIN\username" for Active Directory.
+# "DOMAIN\username" for Active Directory. This is the system user account
+# we will use to login to query LDAP for other user information.
+
AUTH_LDAP_BIND_DN = ''
# Password using to bind above user account.
+
AUTH_LDAP_BIND_PASSWORD = ''
-# Enable TLS when the connection is not using SSL.
+# Whether to enable TLS when the LDAP connection is not using SSL.
+
AUTH_LDAP_START_TLS = False
# Imports needed for remaining LDAP configuration.
+# do not alter this section
+
import ldap
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
from django_auth_ldap.config import ActiveDirectoryGroupType
-# LDAP search query to find users.
+# LDAP search query to find users. Any user that matches the pattern
+# below will be able to login to AWX. The user should also be mapped
+# into an AWX organization (as defined later on in this file). If multiple
+# search queries need to be supported use of "LDAPUnion" is possible. See
+# python-ldap documentation as linked at the top of this section.
+
AUTH_LDAP_USER_SEARCH = LDAPSearch(
'OU=Users,DC=example,DC=com', # Base DN
ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
'(sAMAccountName=%(user)s)', # Query
)
-# Alternative to user search, if user DNs are all of the same format.
+# Alternative to user search, if user DNs are all of the same format. This will be
+# more efficient for lookups than the above system if it is usable in your organizational
+# environment. If this setting has a value it will be used instead of AUTH_LDAP_USER_SEARCH
+# above.
+
#AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,OU=Users,DC=example,DC=com'
-# Mapping of LDAP to user atrributes (key is user attribute name, value is LDAP
-# attribute name).
+# Mapping of LDAP user schema to AWX API user atrributes (key is user attribute name, value is LDAP
+# attribute name). The default setting in this configuration file is valid for ActiveDirectory but
+# users with other LDAP configurations may need to change the values (not the keys) of the dictionary/hash-table
+# below.
+
AUTH_LDAP_USER_ATTR_MAP = {
'first_name': 'givenName',
'last_name': 'sn',
'email': 'mail',
}
-# LDAP search query to find groups. Does not support LDAPSearchUnion.
+# Users in AWX are mapped to organizations based on their membership in LDAP groups. The following setting defines
+# the LDAP search query to find groups. Note that this, unlike the user search above, does not support LDAPSearchUnion.
+
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
'DC=example,DC=com', # Base DN
ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
'(objectClass=group)', # Query
)
-# Type of group returned by the search above. Should be one of the types
-# listed at: http://pythonhosted.org/django-auth-ldap/groups.html#types-of-groups
+
+# The group type import may need to be changed based on the type of the LDAP server.
+# Values are listed at: http://pythonhosted.org/django-auth-ldap/groups.html#types-of-groups
+
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
# Group DN required to login. If specified, user must be a member of this
-# group to login via LDAP.
+# group to login via LDAP. If not set, everyone in LDAP that matches the
+# user search defined above will be able to login via AWX. Only one
+# require group is supported.
+
#AUTH_LDAP_REQUIRE_GROUP = ''
# Group DN denied from login. If specified, user will not be allowed to login
-# if a member of this group.
+# if a member of this group. Only one deny group is supported.
+
#AUTH_LDAP_DENY_GROUP = ''
# User profile flags updated from group membership (key is user attribute name,
-# value is group DN).
+# value is group DN). These are boolean fields that are matched based on
+# whether the user is a member of the given group. So far only is_superuser
+# is settable via this method. This flag is set both true and false at login
+# time based on current LDAP settings.
+
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
#'is_superuser': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
}
-# Mapping between organization admins/users and LDAP groups. Keys are
-# organization names (will be created if not present). Values are dictionaries
-# of options for each organization's membership, where each can contain the
-# following parameters:
-# - remove: True/False. Defaults to False. Specifies the default for
-# remove_admins or remove_users if those parameters aren't explicitly set.
+# Mapping between organization admins/users and LDAP groups. This controls what
+# users are placed into what AWX organizations relative to their LDAP group
+# memberships. Keys are organization names. Organizations will be created if not present.
+# Values are dictionaries defining the options for each organization's membership. For each organization
+# it is possible to specify what groups are automatically users of the organization and also what
+# groups can administer the organization.
+#
# - admins: None, True/False, string or list/tuple of strings.
-# If None, organization admins will not be updated.
-# If True/False, all LDAP users will be added/removed as admins.
-# If a string or list of strings, specifies the group DN(s). User will be
-# added as an org admin if the user is a member of ANY of these groups.
-# - remove_admins: True/False. Defaults to False. If True, a user who is not an
-# member of the given groups will be removed from the organization's admins.
+# If None, organization admins will not be updated based on LDAP values.
+# If True, all users in LDAP will automatically be added as admins of the organization.
+# If False, no LDAP users will be automatically added as admins of the organiation.
+# If a string or list of strings, specifies the group DN(s) that will be added of the organization if they match
+# any of the specified groups.
+# - remove_admins: True/False. Defaults to False.
+# If True, a user who is not an member of the given groups will be removed from the organization's administrative list.
# - users: None, True/False, string or list/tuple of strings. Same rules apply
# as for admins.
-# - remove_users: True/False. Defaults to False. If True, a user who is not a
-# member of the given groups will be removed from the organization's users.
+# - remove_users: True/False. Defaults to False. Same rules as apply for remove_admins
+
AUTH_LDAP_ORGANIZATION_MAP = {
#'Test Org': {
# 'admins': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
# 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'],
+ # 'remove_users' : False,
+ # 'remove_admins' : False,
#},
#'Test Org 2': {
# 'admins': ['CN=Administrators,CN=Builtin,DC=example,DC=com'],
# 'users': True,
+ # 'remove_users' : False,
+ # 'remove_admins' : False,
#},
}
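Review bot: The reworded comment above `AUTH_LDAP_START_TLS = False` still does not say what the shipped default means for credentials: with an `ldap://` URI and this flag left False, the service account's bind password and each user's login password reach the directory server unencrypted. Since the commit exists to explain these settings to administrators, I would add `# With an ldap:// URI and AUTH_LDAP_START_TLS = False, bind and login passwords are sent unencrypted; use ldaps:// or set this to True.` The comment on `AUTH_LDAP_BIND_PASSWORD` could likewise note that the value is kept in plain text in this file, so read access to the file should be limited to the account AWX runs as. The identical hunk in config/rpm/settings.py needs the same additions.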
diff --git a/config/rpm/settings.py b/config/rpm/settings.py
index 318de15b02..f51acaab92 100644
--- a/config/rpm/settings.py
+++ b/config/rpm/settings.py
@@ -71,96 +71,143 @@ LOGGING['handlers']['syslog'] = {
# LDAP AUTHENTICATION SETTINGS
###############################################################################
-# Refer to django-auth-ldap docs for more details:
-# http://pythonhosted.org/django-auth-ldap/authentication.html
+# AnsibleWorks AWX can be configured to centrally use LDAP as a source for
+# authentication information. When so configured, a user who logs in with
+# a LDAP username and password will automatically get an AWX account created
+# for them, and they can be automatically placed into multiple organizations
+# as either regular users or organization administrators. If users are created
+# via an LDAP login, by default they cannot change their username, firstname,
+# lastname, or set a local password for themselves. This is also tunable
+# to restrict editing of other field names.
+
+# For more information about these various settings, advanced users may refer
+# to django-auth-ldap docs, though this should not be neccessary for most
+# users: http://pythonhosted.org/django-auth-ldap/authentication.html
# LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
-# "ldaps://ldap.example.com:636" (SSL). LDAP authentication is disable if this
+# "ldaps://ldap.example.com:636" (SSL). LDAP authentication is disabled if this
# parameter is empty.
+
AUTH_LDAP_SERVER_URI = ''
-# DN of user to bind for all search queries. Normally in the format
+# DN (Distinguished Name) of user to bind for all search queries. Normally in the format
# "CN=Some User,OU=Users,DC=example,DC=com" but may also be specified as
-# "DOMAIN\username" for Active Directory.
+# "DOMAIN\username" for Active Directory. This is the system user account
+# we will use to login to query LDAP for other user information.
+
AUTH_LDAP_BIND_DN = ''
# Password using to bind above user account.
+
AUTH_LDAP_BIND_PASSWORD = ''
-# Enable TLS when the connection is not using SSL.
+# Whether to enable TLS when the LDAP connection is not using SSL.
+
AUTH_LDAP_START_TLS = False
# Imports needed for remaining LDAP configuration.
+# do not alter this section
+
import ldap
from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
from django_auth_ldap.config import ActiveDirectoryGroupType
-# LDAP search query to find users.
+# LDAP search query to find users. Any user that matches the pattern
+# below will be able to login to AWX. The user should also be mapped
+# into an AWX organization (as defined later on in this file). If multiple
+# search queries need to be supported use of "LDAPUnion" is possible. See
+# python-ldap documentation as linked at the top of this section.
+
AUTH_LDAP_USER_SEARCH = LDAPSearch(
'OU=Users,DC=example,DC=com', # Base DN
ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
'(sAMAccountName=%(user)s)', # Query
)
-# Alternative to user search, if user DNs are all of the same format.
+# Alternative to user search, if user DNs are all of the same format. This will be
+# more efficient for lookups than the above system if it is usable in your organizational
+# environment. If this setting has a value it will be used instead of AUTH_LDAP_USER_SEARCH
+# above.
+
#AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,OU=Users,DC=example,DC=com'
-# Mapping of LDAP to user atrributes (key is user attribute name, value is LDAP
-# attribute name).
+# Mapping of LDAP user schema to AWX API user atrributes (key is user attribute name, value is LDAP
+# attribute name). The default setting in this configuration file is valid for ActiveDirectory but
+# users with other LDAP configurations may need to change the values (not the keys) of the dictionary/hash-table
+# below.
+
AUTH_LDAP_USER_ATTR_MAP = {
'first_name': 'givenName',
'last_name': 'sn',
'email': 'mail',
}
-# LDAP search query to find groups. Does not support LDAPSearchUnion.
+# Users in AWX are mapped to organizations based on their membership in LDAP groups. The following setting defines
+# the LDAP search query to find groups. Note that this, unlike the user search above, does not support LDAPSearchUnion.
+
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
'DC=example,DC=com', # Base DN
ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
'(objectClass=group)', # Query
)
-# Type of group returned by the search above. Should be one of the types
-# listed at: http://pythonhosted.org/django-auth-ldap/groups.html#types-of-groups
+
+# The group type import may need to be changed based on the type of the LDAP server.
+# Values are listed at: http://pythonhosted.org/django-auth-ldap/groups.html#types-of-groups
+
AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
# Group DN required to login. If specified, user must be a member of this
-# group to login via LDAP.
+# group to login via LDAP. If not set, everyone in LDAP that matches the
+# user search defined above will be able to login via AWX. Only one
+# require group is supported.
+
#AUTH_LDAP_REQUIRE_GROUP = ''
# Group DN denied from login. If specified, user will not be allowed to login
-# if a member of this group.
+# if a member of this group. Only one deny group is supported.
+
#AUTH_LDAP_DENY_GROUP = ''
# User profile flags updated from group membership (key is user attribute name,
-# value is group DN).
+# value is group DN). These are boolean fields that are matched based on
+# whether the user is a member of the given group. So far only is_superuser
+# is settable via this method. This flag is set both true and false at login
+# time based on current LDAP settings.
+
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
#'is_superuser': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
}
-# Mapping between organization admins/users and LDAP groups. Keys are
-# organization names (will be created if not present). Values are dictionaries
-# of options for each organization's membership, where each can contain the
-# following parameters:
-# - remove: True/False. Defaults to False. Specifies the default for
-# remove_admins or remove_users if those parameters aren't explicitly set.
+# Mapping between organization admins/users and LDAP groups. This controls what
+# users are placed into what AWX organizations relative to their LDAP group
+# memberships. Keys are organization names. Organizations will be created if not present.
+# Values are dictionaries defining the options for each organization's membership. For each organization
+# it is possible to specify what groups are automatically users of the organization and also what
+# groups can administer the organization.
+#
# - admins: None, True/False, string or list/tuple of strings.
-# If None, organization admins will not be updated.
-# If True/False, all LDAP users will be added/removed as admins.
-# If a string or list of strings, specifies the group DN(s). User will be
-# added as an org admin if the user is a member of ANY of these groups.
-# - remove_admins: True/False. Defaults to False. If True, a user who is not an
-# member of the given groups will be removed from the organization's admins.
+# If None, organization admins will not be updated based on LDAP values.
+# If True, all users in LDAP will automatically be added as admins of the organization.
+# If False, no LDAP users will be automatically added as admins of the organiation.
+# If a string or list of strings, specifies the group DN(s) that will be added of the organization if they match
+# any of the specified groups.
+# - remove_admins: True/False. Defaults to False.
+# If True, a user who is not an member of the given groups will be removed from the organization's administrative list.
# - users: None, True/False, string or list/tuple of strings. Same rules apply
# as for admins.
-# - remove_users: True/False. Defaults to False. If True, a user who is not a
-# member of the given groups will be removed from the organization's users.
+# - remove_users: True/False. Defaults to False. Same rules as apply for remove_admins
+
AUTH_LDAP_ORGANIZATION_MAP = {
#'Test Org': {
# 'admins': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
# 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'],
+ # 'remove_users' : False,
+ # 'remove_admins' : False,
#},
#'Test Org 2': {
# 'admins': ['CN=Administrators,CN=Builtin,DC=example,DC=com'],
# 'users': True,
+ # 'remove_users' : False,
+ # 'remove_admins' : False,
#},
}
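Review bot: The added comment above `AUTH_LDAP_USER_SEARCH` names a class and a reference that do not match the rest of the hunk: it says "LDAPUnion" while the import a few lines earlier brings in `LDAPSearchUnion`, and it points to "python-ldap documentation as linked at the top of this section" where the only link given is to the django-auth-ldap docs. I would change those two lines to `# search queries need to be supported use of "LDAPSearchUnion" is possible. See` and `# django-auth-ldap documentation as linked at the top of this section.` Separately, the rewritten `AUTH_LDAP_ORGANIZATION_MAP` comment drops the description of the `remove` option; if the code that reads this map (not visible here) still honours that key, its documentation should stay. The same points apply to the hunk in config/deb/settings.py.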