Automatically give LDAP users permission to view objects

[bl4ko]

I've successfully configured LDAP to assign different permissions based on user roles:

• Normal users receive is_staff permission.
• Admin users receive both is_staff and is_superuser permissions.

Here's the relevant part of my LDAP configuration in Python:

AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("CN=normal-users,DC=example,DC=com")
    | LDAPGroupQuery("CN=admin-users,DC=example,DC=com")
)

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": (
        LDAPGroupQuery("CN=normal-users,DC=example,DC=com")
        | LDAPGroupQuery("CN=admin-users,DC=example,DC=com")
    ),
    "is_staff": (
        LDAPGroupQuery("CN=admin-users,DC=example,DC=com")
        | LDAPGroupQuery("CN=normal-users,DC=example,DC=com")
    ),
    "is_superuser": "CN=admin-users,DC=example,DC=com",
}

The issue I'm facing is with the permission levels for different groups:

• Admin users (is_superuser) automatically have full admin permissions on the web interface.
• Regular staff users (is_staff) initially have no access and need to be manually added to a new Netbox group for any level of access.

My question: Is there a way to automatically assign all is_staff users to a Netbox group with read-only access to all objects in Netbox? Manually adding each non-admin member to a custom Netbox group is impractical for large LDAP organizations. Any insights or solutions for this would be greatly appreciated.

[candlerb]

"is_staff" grants access to the Netbox/Django admin interface at /admin/. Although the functions there are getting fewer and fewer, it should only be granted to trusted administrators (in v3.7 they can mess with python social auth settings and background tasks).

Most users should not have either "is_staff" or "is_superuser" (you correctly surmise that "is_superuser" grants all read and write permissions to all objects)

If you want to grant full read-only access to all authenticated users, then you can set

LOGIN_REQUIRED = True
EXEMPT_VIEW_PERMISSIONS = [ '*' ]

(or you can list a subset of models to grant universal read access to)

If you want to grant a more granular set of read permissions to all authenticated users, then make sure they're in an LDAP group, which maps to a Netbox group which has the permissions you want to give them.

# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True

[bl4ko]

Thanks for the quick reply, this works.