netbox-community / netbox

The premier source of truth powering network automation. Open source under Apache 2. Try NetBox Cloud free: https://netboxlabs.com/free-netbox-cloud/
http://netboxlabs.com/oss/netbox/
Apache License 2.0

Support for multiple remote auth backends #11977

Closed decoupca closed 1 year ago

decoupca commented 1 year ago

NetBox version

v3.4.6

Feature type

New functionality

Proposed functionality

Currently, REMOTE_AUTH_BACKEND only supports a single auth backend. Modify REMOTE_AUTH_BACKEND to accept an iterable, which may reference one or more Django authentication backends. Backends would then be attempted in sequence when authenticating a user.

Use case

Valid NetBox users may not all exist in the same authentication directory or service, e.g. multiple AD forests. Note: For multiple AD domains within a single forest, point AUTH_LDAP_SERVER_URI to the AD Global Catalog port 3269 as described in the docs.

As Django supports multiple auth backends, extending this functionality to NetBox seems feasible.

This has come up several times in discussion:

Database changes

None

External dependencies

None

decoupca commented 1 year ago

The use case that motivated this FR (authenticating users from multiple domains in a single forest) was resolved by pointing AUTH_LDAP_SERVER_URI to the Global Catalog port 3269 as described in the docs. However, this FR would still be useful in the case of separate AD forests, or any other case requiring multiple authentication backends.

decoupca commented 1 year ago

Can I take a swing at this one?

decoupca commented 1 year ago

Would it be appropriate or helpful to include an example for how to leverage this? I have working PoC code for how to use this for multiple AD forests, but I'm not sure it belongs in the docs.

thefreakquency commented 1 year ago

This could help also to add redundancy, even for a single domain. Pointing the requests to multiple servers of the same domain instead of a single one. If one was to be unavailable, other servers would still authenticate the users.

For multiple domains, can it support providing the domain name (DOMAIN\User)? Currently, I was not able to do it, and should it support multiple AD forests, many of my users would have the same username defined in different domains.

decoupca commented 1 year ago

For multiple domains, can it support providing the domain name (DOMAIN\User)? Currently, I was not able to do it, and should it support multiple AD forests, many of my users would have the same username defined in different domains.

I wondered the same thing. Don't know for sure, may require a custom backend, which is the only way I see to be able to parse a username and take conditional actions based on it.
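The two mechanisms discussed in this thread, a sequence of backends tried in order (the proposed REMOTE_AUTH_BACKEND iterable) and a custom backend that parses a DOMAIN\user prefix to pick a directory, can be modelled without a running Django or NetBox. The block below is an added example, not NetBox or Django code; it mirrors the contract Django applies to AUTHENTICATION_BACKENDS (each backend returns a user or None; a backend raising PermissionDenied stops the chain) and uses constructed in-memory directories in place of LDAP servers. The class names, the two forest names and the sample accounts are assumptions made for the example.

```python
"""
Model of sequential authentication backends plus a domain-routing backend.

Added example (not NetBox or Django code). It mirrors the contract Django's
authenticate() applies to AUTHENTICATION_BACKENDS: each backend's
authenticate() returns a user object or None (None means "not mine, try the
next one"); a backend that raises PermissionDenied stops the chain at once.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied."""


@dataclass(frozen=True)
class User:
    username: str
    backend: str  # which backend authenticated the user (hypothetical field)


class DirectoryBackend:
    """Hypothetical backend for one AD forest.

    `directory` is a constructed in-memory stand-in for the LDAP server
    (username -> password); `disabled_users` models accounts the directory
    knows but refuses, which must NOT fall through to a later forest.
    """

    def __init__(self, name: str, directory: Dict[str, str], disabled_users=()):
        self.name = name
        self.directory = directory
        self.disabled_users = set(disabled_users)

    def authenticate(self, request, username=None, password=None):
        if username not in self.directory:
            return None               # unknown here: let the next backend try
        if username in self.disabled_users:
            raise PermissionDenied    # known but blocked: stop the whole chain
        if self.directory[username] == password:
            return User(username, self.name)
        return None                   # wrong password: Django semantics, keep going


class DomainPrefixBackend:
    """Hypothetical custom backend for DOMAIN\\user logins.

    It routes to the directory registered for DOMAIN, so the same bare
    username in two forests can be disambiguated by the caller.
    """

    def __init__(self, name: str, by_domain: Dict[str, DirectoryBackend]):
        self.name = name
        self.by_domain = by_domain

    def authenticate(self, request, username=None, password=None):
        if not username or "\\" not in username:
            return None               # no prefix: not handled here
        domain, _, bare = username.partition("\\")
        target = self.by_domain.get(domain.upper())
        if target is None:
            return None               # unknown domain: let later backends try
        return target.authenticate(request, username=bare, password=password)


def authenticate(backends: Sequence, request=None, **credentials) -> Optional[User]:
    """Try each backend in order; first non-None result wins."""
    for backend in backends:
        try:
            user = backend.authenticate(request, **credentials)
        except PermissionDenied:
            return None               # a backend explicitly refused: do not continue
        if user is not None:
            return user
    return None


# Constructed sample directories. "bob" exists in both forests, which is the
# username collision raised in the thread; in forest-a he is disabled.
FOREST_A = DirectoryBackend("forest-a", {"alice": "pw-a", "bob": "pw-a2"},
                            disabled_users=["bob"])
FOREST_B = DirectoryBackend("forest-b", {"bob": "pw-b", "carol": "pw-b2"})

# Order matters: the first backend that recognises the name decides.
REMOTE_AUTH_BACKEND = (
    DomainPrefixBackend("by-domain", {"CORP-A": FOREST_A, "CORP-B": FOREST_B}),
    FOREST_A,
    FOREST_B,
)


def login(username: str, password: str) -> Optional[User]:
    return authenticate(REMOTE_AUTH_BACKEND, username=username, password=password)


if __name__ == "__main__":
    for creds in [("alice", "pw-a"), ("carol", "pw-b2"), ("bob", "pw-b"),
                  ("CORP-B\\bob", "pw-b"), ("corp-a\\alice", "wrong")]:
        print(creds[0], "->", login(*creds))
```

The "bob" cases are the instructive ones: an unprefixed "bob" is stopped by forest-a's PermissionDenied even though forest-b would accept the password, whereas "CORP-B\bob" is routed straight to forest-b. Whether a refusal in one directory should block the others is the policy decision an operator has to make before ordering the backends.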

thefreakquency commented 1 year ago

If it's too complicated to parse, a drop-down menu on the login page that lists the available domains might be easier to implement. Selecting a domain would then refer to a domain-specific config that has one or more LDAP servers.