marcus-crane / netbox-plugin-azuread

A plugin that enables users to authenticate with Netbox using Azure Active Directory

issues with install #1

Open damo2929 opened 3 years ago

damo2929 commented 3 years ago

I am getting issues starting Netbox with this plugin:

Aug 10 08:14:36 netbox gunicorn[1514]: django.core.exceptions.ImproperlyConfigured: Unable to import plugin netbox-plugin-azuread: Module not found. Check that the plugin module has been installed within the correct Python environment.

I updated the local_requirements.txt

msal
netbox_plugin_azuread

and ran ./upgrade.sh

pip has installed the module.

I updated my configuration as documented:

# Enable installed plugins. Add the name of each plugin to the list.
PLUGINS = [
'netbox-plugin-azuread'
]

PLUGINS_CONFIG = {
  'netbox-plugin-azuread': {
    'CLIENT_ID': "removed",
    'CLIENT_SECRET': "removed",
    'AUTHORITY': "https://login.microsoftonline.com/removed/",
    'SCOPES': ['https://graph.microsoft.com/.default'],
    'AD_GROUP_MAP': {
      'STAFF': ['removed'],
      'SUPERUSER': ['removed']
    }
  }
}

Any ideas what I have done wrong?

marcus-crane commented 3 years ago

Hi there,

First of all, I'd just like to say apologies for the state of this repo! While I make no guarantees with this project of course, I haven't sat down to churn out proper documentation just yet. Frankly, I'm quite surprised that someone even discovered this project.

I just checked some known valid configuration and unfortunately, the config I provided in the README was incorrect. The configuration in your last snippet should look like this:

PLUGINS = [
  'netbox_plugin_azuread'
]

PLUGINS_CONFIG = {
  'netbox_plugin_azuread': {
    ...
  }
}

As mentioned, once that's changed, you should be able to login via https://<your-netbox-ip>/plugins/azuread/login/. Personally, I use an nginx deployment to map /login/ to /plugins/azuread/login but that's a different issue.

I've updated the (very sparse) README with the mentioned fix and hopefully tomorrow I can provide some more detail about the route mapping and so on.

Thanks for reaching out 🙂

damo2929 commented 3 years ago

Hi Marcus, thanks for that. The service starts now, however I am getting the message below when going to /plugins/azuread/login/:

(screenshot of the error page, not reproduced)

Any ideas what I have missed?

marcus-crane commented 3 years ago

Hey @damo2929,

Apologies again, it seems that since writing the original version of the README (some months ago), I had added a couple of variables that can be customised.

There are two extra bits to add to your config that I've just added to the README:

PLUGINS_CONFIG = {
  'netbox_plugin_azuread': {
    ...,
    'LOGIN_URL': '/plugins/azuread/login/',
    'REPLY_URL': '/plugins/azuread/complete/'
  }
}

Now by default, the values above will work but they're able to be customised as you may remap them using nginx (as I do).

LOGIN_URL is simply the login page, so that upon an error, it'll redirect the user back to the page in your screenshot. I should really be referencing it by view (and then I don't think it'd be needed in config) but I had some issue at the time and haven't gotten around to revisiting the issue.

The important one here is REPLY_URL which is where Azure AD redirects back to when logging you in (and then the Azure AD information is used to create a Django user under the hood).

This REPLY_URL needs to be added in Azure Active Directory in order to be authorised so here's an example of how my production instance looks:

(screenshot of the reply URL registration in Azure Active Directory, not reproduced)

These are all fake values of course. In reality, my reply URL is simply https://netbox.blah/complete/ and nginx remaps it to /plugins/azuread/complete/.

Anyway, you need to make sure that your reply URL is registered with the client ID for this to work. I'm sure you already know this, I just mention it as this project was my first time getting my head around the service principal dance 🙂

Hopefully that should be everything you need to get the plugin working but feel free to reach out again if you run into more troubles.

damo2929 commented 3 years ago

OK, got that working and I can see in nginx the token comes back,

but I get this:

(screenshot of the error, not reproduced)

marcus-crane commented 3 years ago

Ah, interesting? It appears that your user profile (Microsoft account/Active Directory user) doesn't have a first name?

In the case where this plugin was deployed, we always have a first name defined so adding a placeholder here should fix it.

Before I roll out a bug fix, are you able to confirm which fields you have populated for your Active Directory user?

You should be able to do that by navigating to the Azure Portal -> Azure Active Directory and then clicking on your name under "My feed".

(screenshot of the Azure Portal "My feed" panel, not reproduced)

Once there, you should see a bunch of fields. In your case, I would probably expect Name, First Name and Last Name at least to be empty but User Principal Name to be present.

(screenshot of the user profile fields, not reproduced)

Thanks and sorry for the hassle :)

marcus-crane commented 3 years ago

I've just published v1.0.1 for you which should fix your issue.

As before, you can install it with pip install netbox_plugin_azuread but it's always a good idea to pin your dependency, i.e. pip install netbox_plugin_azuread==1.0.1

Let me know how you get on.

damo2929 commented 3 years ago

OK, that's odd, because we do have these fields in the directory as a requirement. Does this use the values from the token on the LDAP field names?

As the ID token has family_name, given_name and email in the claims.

(screenshot of the ID token claims, not reproduced)

I will pull the update and see what happens. Many thanks, Damien

marcus-crane commented 3 years ago

Admittedly, this project is my first real dive into Azure AD and to some extent, AD in general but it seems the parameters we use (that are baked into the library) are the default attributes provided by Azure AD B2C except for mail.

I'll have to play around with my developer account to get a better idea of how this stuff works but given the above, I guess it's the case there are some custom attributes set in Azure AD B2C which result in the claim attributes having different variable names? If you have any further insight, please let me know!

A pretty simple fix here would just be to default to the Azure AD B2C names, provide the ability to "remap" them, i.e. First Name -> givenName, and if that fails, just default to an empty string?
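The two failure modes discussed above (a user whose ID token has no given_name, and a tenant whose claims use different attribute names) both come down to how token claims are turned into Django user fields. The following is an added example, not code from netbox-plugin-azuread; it assumes the plugin already holds the claims of a signature-verified ID token as a dict (given_name, family_name and email are the claim names shown in the thread; preferred_username and oid are assumed Azure AD claim names), and the names DEFAULT_CLAIM_MAP, MAX_LENGTH and build_user_fields are hypothetical. It implements the remap-then-default-to-empty-string approach proposed above, and refuses to create a user with an empty username.

```python
# Added example (not the plugin's code): shape verified ID-token claims into
# Django user fields, tolerating missing attributes and custom claim names.
from typing import Any, Dict, Mapping, Optional

# Default Azure AD claim names (given_name, family_name, email are from the
# issue's token screenshot; preferred_username and oid are assumed).
DEFAULT_CLAIM_MAP: Dict[str, str] = {
    "username": "preferred_username",
    "first_name": "given_name",
    "last_name": "family_name",
    "email": "email",
}

# Caps matching Django's AbstractUser field lengths, so an oversized claim
# value is truncated here rather than failing at the database insert.
MAX_LENGTH: Dict[str, int] = {
    "username": 150, "first_name": 150, "last_name": 150, "email": 254,
}


def build_user_fields(
    claims: Mapping[str, Any],
    claim_map: Optional[Mapping[str, str]] = None,
) -> Dict[str, str]:
    """Return {django_field: value} for creating or updating a user.

    `claims` must come from an ID token whose signature, issuer, audience and
    expiry were already checked by the OIDC library; this function only maps
    data and does not authenticate anything. `claim_map` overrides the claim
    name for individual fields, e.g. {"first_name": "givenName"} for a tenant
    with custom attributes. Missing or non-string claims become "".
    """
    overrides = claim_map or {}
    # Only known fields can be remapped; unknown keys are ignored on purpose.
    merged = {f: overrides.get(f, c) for f, c in DEFAULT_CLAIM_MAP.items()}

    fields: Dict[str, str] = {}
    for field, claim in merged.items():
        value = claims.get(claim)
        if isinstance(value, str):
            fields[field] = value.strip()[: MAX_LENGTH[field]]
        else:
            fields[field] = ""  # absent claim -> empty string, not a crash

    if not fields["username"]:
        # Never key an account on an empty name. Prefer the tenant-stable
        # object id over email, which Azure AD does not guarantee is verified.
        oid = claims.get("oid")
        if not isinstance(oid, str) or not oid:
            raise ValueError("ID token carries no usable username claim")
        fields["username"] = oid[: MAX_LENGTH["username"]]
    return fields


if __name__ == "__main__":
    # Constructed sample claims (not a real token): a user with no given_name,
    # which is the situation reported in this issue.
    sample = {
        "preferred_username": "damien@example.test",
        "family_name": "Example",
        "email": "damien@example.test",
        "oid": "00000000-0000-0000-0000-000000000001",
    }
    print(build_user_fields(sample))
```

A real plugin would call this right after the token exchange and pass the result to get_or_create on the user model; the remap dict is the natural thing to expose through PLUGINS_CONFIG alongside CLIENT_ID and REPLY_URL.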

marcus-crane commented 3 years ago

Hey @damo2929, just wanted to check if you still had any troubles or if you managed to get the plugin working. Apologies for not having invested in the documentation still!

marcus-crane commented 3 years ago

Hey @damo2929, just a heads up that I've updated the documentation for this repo so there should be a fully working configuration available as an example. It seems I overlooked a few extra settings such as REMOTE_AUTH_BACKEND. Let me know if you have any issues or feedback so far.

damo2929 commented 3 years ago

Hi Marcus, thanks for the update. I will have a look at it when I'm next in the office and let you know. Regards

On 27 Aug 2021 06:20, Marcus Crane wrote: (quoted copy of the previous comment omitted)


marcus-crane commented 2 years ago

Hey @damo2929,

I hope you've been able to resolve your issue but if not, I just shipped some debug logging in v1.1.1 to try and help narrow down what might be going wrong. You can enable it by setting LOGLEVEL=DEBUG in your Netbox environment.