authorChris Church <chris@ninemoreminutes.com>2013-09-09 23:20:43 +0200
committerChris Church <chris@ninemoreminutes.com>2013-09-09 23:20:48 +0200
commitcad3612a8ff2a41f1ebeaac4f9123a36b2fdb002 (patch)
treef3b34f24fc2fa5722098408174d93805bb2d7e0f /config
parentFixed js error that stopped login dialog from rendering in FF. (diff)
AC-156. Implement LDAP organization mapping, update settings files and comments on LDAP configuration.
Diffstat (limited to 'config')
-rw-r--r--config/deb/settings.py138
-rw-r--r--config/rpm/settings.py138
2 files changed, 220 insertions, 56 deletions
diff --git a/config/deb/settings.py b/config/deb/settings.py
index 015d074de3..106923af11 100644
--- a/config/deb/settings.py
+++ b/config/deb/settings.py
@@ -1,3 +1,7 @@
+###############################################################################
+# MISC PROJECT SETTINGS
+###############################################################################
+
ADMINS = (
#('Joe Admin', 'joeadmin@example.com'),
)
@@ -32,19 +36,13 @@ SECRET_KEY = file('/etc/awx/SECRET_KEY', 'rb').read().strip()
ALLOWED_HOSTS = ['*']
-LOGGING['handlers']['syslog'] = {
- # ERROR captures 500 errors, WARNING also logs 4xx responses.
- 'level': 'ERROR',
- 'filters': ['require_debug_false'],
- 'class': 'logging.handlers.SysLogHandler',
- 'address': '/dev/log',
- 'facility': 'local0',
- 'formatter': 'simple',
-}
-
AWX_TASK_ENV['HOME'] = '/var/lib/awx'
AWX_TASK_ENV['USER'] = 'awx'
+###############################################################################
+# EMAIL SETTINGS
+###############################################################################
+
SERVER_EMAIL = 'root@localhost'
DEFAULT_FROM_EMAIL = 'webmaster@localhost'
EMAIL_SUBJECT_PREFIX = '[AnsibleWorks] '
@@ -55,30 +53,114 @@ EMAIL_HOST_USER = ''
EMAIL_HOST_PASSWORD = ''
EMAIL_USE_TLS = False
-# LDAP connection and authentication settings. Refer to django-auth-ldap docs:
+###############################################################################
+# LOGGING SETTINGS
+###############################################################################
+
+LOGGING['handlers']['syslog'] = {
+ # ERROR captures 500 errors, WARNING also logs 4xx responses.
+ 'level': 'ERROR',
+ 'filters': ['require_debug_false'],
+ 'class': 'logging.handlers.SysLogHandler',
+ 'address': '/dev/log',
+ 'facility': 'local0',
+ 'formatter': 'simple',
+}
+
+###############################################################################
+# LDAP AUTHENTICATION SETTINGS
+###############################################################################
+
+# Refer to django-auth-ldap docs for more details:
# http://pythonhosted.org/django-auth-ldap/authentication.html
+# LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
+# "ldaps://ldap.example.com:636" (SSL). LDAP authentication is disable if this
+# parameter is empty.
AUTH_LDAP_SERVER_URI = ''
+
+# DN of user to bind for all search queries. Normally in the format
+# "CN=Some User,OU=Users,DC=example,DC=com" but may also be specified as
+# "DOMAIN\username" for Active Directory.
AUTH_LDAP_BIND_DN = ''
+
+# Password using to bind above user account.
AUTH_LDAP_BIND_PASSWORD = ''
+
+# Enable TLS when the connection is not using SSL.
AUTH_LDAP_START_TLS = False
-#import ldap
-#from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+# Imports needed for remaining LDAP configuration.
+import ldap
+from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+from django_auth_ldap.config import ActiveDirectoryGroupType
# LDAP search query to find users.
-#AUTH_LDAP_USER_SEARCH = LDAPSearch(
-# 'OU=Users,DC=example,DC=com',
-# ldap.SCOPE_SUBTREE,
-# '(sAMAccountName=%(user)s)',
-#)
-
-# Alternative to user search.
-#AUTH_LDAP_USER_DN_TEMPLATE = 'sAMAccountName=%(user)s,OU=Users,DC=example,DC=com'
-
-# Mapping of LDAP attributes to user attributes.
-#AUTH_LDAP_USER_ATTR_MAP = {
-# 'first_name': 'givenName',
-# 'last_name': 'sn',
-# 'email': 'mail',
-#}
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+ 'OU=Users,DC=example,DC=com', # Base DN
+ ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
+ '(sAMAccountName=%(user)s)', # Query
+)
+
+# Alternative to user search, if user DNs are all of the same format.
+#AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,OU=Users,DC=example,DC=com'
+
+# Mapping of LDAP to user atrributes (key is user attribute name, value is LDAP
+# attribute name).
+AUTH_LDAP_USER_ATTR_MAP = {
+ 'first_name': 'givenName',
+ 'last_name': 'sn',
+ 'email': 'mail',
+}
+
+# LDAP search query to find groups. Does not support LDAPSearchUnion.
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+ 'DC=example,DC=com', # Base DN
+ ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
+ '(objectClass=group)', # Query
+)
+# Type of group returned by the search above. Should be one of the types
+# listed at: http://pythonhosted.org/django-auth-ldap/groups.html#types-of-groups
+AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
+
+# Group DN required to login. If specified, user must be a member of this
+# group to login via LDAP.
+AUTH_LDAP_REQUIRE_GROUP = ''
+
+# Group DN denied from login. If specified, user will not be allowed to login
+# if a member of this group.
+AUTH_LDAP_DENY_GROUP = ''
+
+# User profile flags updated from group membership (key is user attribute name,
+# value is group DN).
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+ #'is_superuser': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
+}
+
+# Mapping between organization admins/users and LDAP groups. Keys are
+# organization names (will be created if not present). Values are dictionaries
+# of options for each organization's membership, where each can contain the
+# following parameters:
+# - remove: True/False. Defaults to False. Specifies the default for
+# remove_admins or remove_users if those parameters aren't explicitly set.
+# - admins: None, True/False, string or list/tuple of strings.
+# If None, organization admins will not be updated.
+# If True/False, all LDAP users will be added/removed as admins.
+# If a string or list of strings, specifies the group DN(s). User will be
+# added as an org admin if the user is a member of ANY of these groups.
+# - remove_admins: True/False. Defaults to False. If True, a user who is not an
+# member of the given groups will be removed from the organization's admins.
+# - users: None, True/False, string or list/tuple of strings. Same rules apply
+# as for admins.
+# - remove_users: True/False. Defaults to False. If True, a user who is not a
+# member of the given groups will be removed from the organization's users.
+AUTH_LDAP_ORGANIZATION_MAP = {
+ #'Test Org': {
+ # 'admins': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
+ # 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'],
+ #},
+ #'Test Org 2': {
+ # 'admins': ['CN=Administrators,CN=Builtin,DC=example,DC=com'],
+ # 'users': True,
+ #},
+}
diff --git a/config/rpm/settings.py b/config/rpm/settings.py
index 015d074de3..106923af11 100644
--- a/config/rpm/settings.py
+++ b/config/rpm/settings.py
@@ -1,3 +1,7 @@
+###############################################################################
+# MISC PROJECT SETTINGS
+###############################################################################
+
ADMINS = (
#('Joe Admin', 'joeadmin@example.com'),
)
@@ -32,19 +36,13 @@ SECRET_KEY = file('/etc/awx/SECRET_KEY', 'rb').read().strip()
ALLOWED_HOSTS = ['*']
-LOGGING['handlers']['syslog'] = {
- # ERROR captures 500 errors, WARNING also logs 4xx responses.
- 'level': 'ERROR',
- 'filters': ['require_debug_false'],
- 'class': 'logging.handlers.SysLogHandler',
- 'address': '/dev/log',
- 'facility': 'local0',
- 'formatter': 'simple',
-}
-
AWX_TASK_ENV['HOME'] = '/var/lib/awx'
AWX_TASK_ENV['USER'] = 'awx'
+###############################################################################
+# EMAIL SETTINGS
+###############################################################################
+
SERVER_EMAIL = 'root@localhost'
DEFAULT_FROM_EMAIL = 'webmaster@localhost'
EMAIL_SUBJECT_PREFIX = '[AnsibleWorks] '
@@ -55,30 +53,114 @@ EMAIL_HOST_USER = ''
EMAIL_HOST_PASSWORD = ''
EMAIL_USE_TLS = False
-# LDAP connection and authentication settings. Refer to django-auth-ldap docs:
+###############################################################################
+# LOGGING SETTINGS
+###############################################################################
+
+LOGGING['handlers']['syslog'] = {
+ # ERROR captures 500 errors, WARNING also logs 4xx responses.
+ 'level': 'ERROR',
+ 'filters': ['require_debug_false'],
+ 'class': 'logging.handlers.SysLogHandler',
+ 'address': '/dev/log',
+ 'facility': 'local0',
+ 'formatter': 'simple',
+}
+
+###############################################################################
+# LDAP AUTHENTICATION SETTINGS
+###############################################################################
+
+# Refer to django-auth-ldap docs for more details:
# http://pythonhosted.org/django-auth-ldap/authentication.html
+# LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
+# "ldaps://ldap.example.com:636" (SSL). LDAP authentication is disable if this
+# parameter is empty.
AUTH_LDAP_SERVER_URI = ''
+
+# DN of user to bind for all search queries. Normally in the format
+# "CN=Some User,OU=Users,DC=example,DC=com" but may also be specified as
+# "DOMAIN\username" for Active Directory.
AUTH_LDAP_BIND_DN = ''
+
+# Password using to bind above user account.
AUTH_LDAP_BIND_PASSWORD = ''
+
+# Enable TLS when the connection is not using SSL.
AUTH_LDAP_START_TLS = False
-#import ldap
-#from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+# Imports needed for remaining LDAP configuration.
+import ldap
+from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+from django_auth_ldap.config import ActiveDirectoryGroupType
# LDAP search query to find users.
-#AUTH_LDAP_USER_SEARCH = LDAPSearch(
-# 'OU=Users,DC=example,DC=com',
-# ldap.SCOPE_SUBTREE,
-# '(sAMAccountName=%(user)s)',
-#)
-
-# Alternative to user search.
-#AUTH_LDAP_USER_DN_TEMPLATE = 'sAMAccountName=%(user)s,OU=Users,DC=example,DC=com'
-
-# Mapping of LDAP attributes to user attributes.
-#AUTH_LDAP_USER_ATTR_MAP = {
-# 'first_name': 'givenName',
-# 'last_name': 'sn',
-# 'email': 'mail',
-#}
+AUTH_LDAP_USER_SEARCH = LDAPSearch(
+ 'OU=Users,DC=example,DC=com', # Base DN
+ ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
+ '(sAMAccountName=%(user)s)', # Query
+)
+
+# Alternative to user search, if user DNs are all of the same format.
+#AUTH_LDAP_USER_DN_TEMPLATE = 'uid=%(user)s,OU=Users,DC=example,DC=com'
+
+# Mapping of LDAP to user atrributes (key is user attribute name, value is LDAP
+# attribute name).
+AUTH_LDAP_USER_ATTR_MAP = {
+ 'first_name': 'givenName',
+ 'last_name': 'sn',
+ 'email': 'mail',
+}
+
+# LDAP search query to find groups. Does not support LDAPSearchUnion.
+AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
+ 'DC=example,DC=com', # Base DN
+ ldap.SCOPE_SUBTREE, # SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE
+ '(objectClass=group)', # Query
+)
+# Type of group returned by the search above. Should be one of the types
+# listed at: http://pythonhosted.org/django-auth-ldap/groups.html#types-of-groups
+AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
+
+# Group DN required to login. If specified, user must be a member of this
+# group to login via LDAP.
+AUTH_LDAP_REQUIRE_GROUP = ''
+
+# Group DN denied from login. If specified, user will not be allowed to login
+# if a member of this group.
+AUTH_LDAP_DENY_GROUP = ''
+
+# User profile flags updated from group membership (key is user attribute name,
+# value is group DN).
+AUTH_LDAP_USER_FLAGS_BY_GROUP = {
+ #'is_superuser': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
+}
+
+# Mapping between organization admins/users and LDAP groups. Keys are
+# organization names (will be created if not present). Values are dictionaries
+# of options for each organization's membership, where each can contain the
+# following parameters:
+# - remove: True/False. Defaults to False. Specifies the default for
+# remove_admins or remove_users if those parameters aren't explicitly set.
+# - admins: None, True/False, string or list/tuple of strings.
+# If None, organization admins will not be updated.
+# If True/False, all LDAP users will be added/removed as admins.
+# If a string or list of strings, specifies the group DN(s). User will be
+# added as an org admin if the user is a member of ANY of these groups.
+# - remove_admins: True/False. Defaults to False. If True, a user who is not an
+# member of the given groups will be removed from the organization's admins.
+# - users: None, True/False, string or list/tuple of strings. Same rules apply
+# as for admins.
+# - remove_users: True/False. Defaults to False. If True, a user who is not a
+# member of the given groups will be removed from the organization's users.
+AUTH_LDAP_ORGANIZATION_MAP = {
+ #'Test Org': {
+ # 'admins': 'CN=Domain Admins,CN=Users,DC=example,DC=com',
+ # 'users': ['CN=Domain Users,CN=Users,DC=example,DC=com'],
+ #},
+ #'Test Org 2': {
+ # 'admins': ['CN=Administrators,CN=Builtin,DC=example,DC=com'],
+ # 'users': True,
+ #},
+}