LDAP Authentication (#19)

* initial LDAP authentication support

README.md

@@ -50,6 +50,10 @@ attempt to create the defined users only once during initial installation. If
 creation process [documented](https://nautobot.readthedocs.io/en/latest/installation/nautobot/#create-a-superuser)
 by Nautobot can be used instead.
 
+### External Authentication
+See the [wiki](https://github.com/jvoss/ansible-role-nautobot/wiki) for
+information about available external authentication methods.
+
 ## Plugins 
 
 Nautobot plugins that are pip modules can be installed and configured by setting

defaults/main.yml

@@ -136,6 +136,16 @@ nautobot_enforce_global_unique: False
 # `<app>.<model>`. Add '*' to this list to exempt all models.
 nautobot_exempt_view_permissions: []
 
+# The list of group names to assign a new user account when created using 3rd-party
+# authentication.
+nautobot_external_auth_default_groups: []
+
+# A mapping of permissions to assign a new user account when created using SSO
+# authentication. Each key in the dictionary will be the permmission name specified
+# as `<app_label>.<action>_<model>`, and the value should be set to the permission
+# contraints, or `None` to allow all objects.
+nautobot_external_auth_default_permissions: {}
+
 # If hosting Nautobot in a subdirectory, you must set this value to match the base URL
 # prefix configured in your HTTP server (e.g. `/nautobot/`). When not set, URLs will
 # default to being prefixed by `/`.

tasks/install.debian.yml

@@ -14,3 +14,13 @@
     - python3-pip
     - python3-venv
     - python3-dev
+
+- name: install.debian | install system packages for LDAP authentication
+  ansible.builtin.apt:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - libldap2-dev
+    - libsasl2-dev
+    - libssl-dev
+  when: nautobot_auth_ldap is defined

tasks/install.redhat.yml

@@ -9,3 +9,12 @@
     - python3-devel
     - python3-pip
     - python3-dnf
+
+- name: install.redhat | install system packages for LDAP authentication
+  ansible.builtin.yum:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - gcc
+    - openldap-devel
+  when: nautobot_auth_ldap is defined

tasks/install.yml

@@ -75,6 +75,16 @@
   notify: restart_nautobot
   when: nautobot_plugins | length > 0
 
+- name: install | add django-auth-ldap to local_requirements.txt
+  ansible.builtin.lineinfile:
+    path: "{{ nautobot_root }}/local_requirements.txt"
+    line: "django-auth-ldap"
+    regexp: "^django-auth-ldap"
+    owner: "{{ nautobot_system_user }}"
+    mode: '0644'
+  notify: restart_nautobot
+  when: nautobot_auth_ldap is defined
+
 - name: install | install python packages specified in local_requirements.txt
   ansible.builtin.pip:
     requirements: "{{ nautobot_root }}/local_requirements.txt"

templates/nautobot_config.py.j2

@@ -1,8 +1,14 @@
 # {{ ansible_managed }}
 
+import json
 import os
 import sys
 
+{% if nautobot_auth_ldap is defined %}
+import ldap
+from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
+{% endif %}
+
 from nautobot.core.settings import *  # noqa F401,F403
 from nautobot.core.settings_funcs import is_truthy
 
@@ -90,6 +96,15 @@ ALLOWED_URL_SCHEMES = (
     '{{ nautobot_allowed_url_schemes | join("', '") }}',
 )
 
+{% if nautobot_auth_ldap is defined %}
+AUTHENTICATION_BACKENDS = [
+    'django_auth_ldap.backend.LDAPBackend',
+    'nautobot.core.authentication.ObjectPermissionBackend',
+]
+
+{{ nautobot_auth_ldap.config | default() }}
+{% endif %}
+
 BANNER_TOP = '{{ nautobot_banner.top }}'
 BANNER_BOTTOM = '{{ nautobot_banner.bottom }}'
 BANNER_LOGIN = '{{ nautobot_banner_login }}'
@@ -126,8 +141,8 @@ EXEMPT_VIEW_PERMISSIONS = []
 {% endif %}
 
 # Global 3rd-party authentication settings
-EXTERNAL_AUTH_DEFAULT_GROUPS = []
-EXTERNAL_AUTH_DEFAULT_PERMISSIONS = {}
+EXTERNAL_AUTH_DEFAULT_GROUPS = {{ nautobot_external_auth_default_groups|to_json }}
+EXTERNAL_AUTH_DEFAULT_PERMISSIONS = json.loads(r'''{{ nautobot_external_auth_default_permissions|to_json }}''')
 
 {% if nautobot_force_script_name == 'None' %}
 FORCE_SCRIPT_NAME = None