diff --git a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js index db6b1dc..72d1542 100644 --- a/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js +++ b/powerdnsadmin/static/custom/js/app-authentication-settings-editor.js @@ -1,5 +1,6 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, selector) { let self = this; + let target = null; self.api_url = api_url; self.csrf_token = csrf_token; self.selector = selector; @@ -102,7 +103,7 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele oidc_oauth_account_name_property: '', oidc_oauth_account_description_property: '', } - + self.init = function (autoload) { self.loading = ko.observable(self.loading); self.saving = ko.observable(self.saving); @@ -116,6 +117,7 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele } if (el !== null && el.length > 0) { + target = el; ko.applyBindings(self, el[0]); } else { ko.applyBindings(self); @@ -128,6 +130,7 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele } self.setupListeners(); + self.setupValidation(); if (autoload) { self.load(); @@ -146,6 +149,9 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele } self.save = function () { + if (!target.valid()) { + return false; + } self.saving(true); $.ajax({ url: self.api_url, @@ -166,6 +172,252 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele } } + self.setupListeners = function () { + if ('onhashchange' in window) { + $(window).bind('hashchange', self.onHashChange); + } + } + + self.destroyListeners = function () { + if ('onhashchange' in window) { + $(window).unbind('hashchange', self.onHashChange); + } + } + + self.setupValidation = function () { + let auth_enabled = function (value, element, params) { + let enabled = 0; + if (self.local_db_enabled()) { + enabled++; + } + if (self.ldap_enabled()) { + enabled++; + } + if (self.google_oauth_enabled()) { + enabled++; + } + if (self.github_oauth_enabled()) { + enabled++; + } + if (self.azure_oauth_enabled()) { + enabled++; + } + if (self.oidc_oauth_enabled()) { + enabled++; + } + return enabled > 0; + }; + + let ldap_exclusive = function (value, element, params) { + let enabled = 0; + if (self.ldap_sg_enabled() === 1) { + enabled++; + } + if (self.autoprovisioning() === 1) { + enabled++; + } + return enabled < 2; + } + + let local_enabled = function (element) { + return self.local_db_enabled(); + }; + + let ldap_enabled = function (element) { + return self.ldap_enabled(); + }; + + let google_oauth_enabled = function (element) { + return self.google_oauth_enabled(); + }; + + let github_oauth_enabled = function (element) { + return self.github_oauth_enabled(); + }; + + let azure_oauth_enabled = function (element) { + return self.azure_oauth_enabled(); + }; + + let oidc_oauth_enabled = function (element) { + return self.oidc_oauth_enabled(); + }; + + let enforce_characters = function (element) { + return self.local_db_enabled() === 1 && self.pwd_enforce_characters() === 1; + }; + + let enforce_complexity = function (element) { + return self.local_db_enabled() === 1 && self.pwd_enforce_complexity() === 1; + }; + + let ldap_type_openldap = function (element) { + return self.ldap_enabled() && self.ldap_type() === 'ldap'; + }; + + let ldap_type_ad = function (element) { + return self.ldap_enabled() && self.ldap_type() === 'ad'; + }; + + let ldap_sg_enabled = function (element) { + return self.ldap_enabled() === 1 && self.ldap_sg_enabled() === 1; + } + + let ldap_ap_enabled = function (element) { + return self.ldap_enabled() === 1 && self.autoprovisioning() === 1; + } + + jQuery.validator.addMethod('auth_enabled', auth_enabled, 'At least one authentication method must be enabled.'); + jQuery.validator.addMethod('ldap_exclusive', ldap_exclusive, 'The LDAP group security and role auto-provisioning features are mutually exclusive.'); + + let footerErrorElements = [ + 'input#local_db_enabled', + ]; + + $(selector).validate({ + errorPlacement: function (error, element) { + let useFooter = false; + for (let i = 0; i < footerErrorElements.length; i++) { + if (element.is(footerErrorElements[i])) { + useFooter = true; + } + } + if (useFooter) { + target.find('.card-footer > .error').append(error); + } else if (element.is('input[type=radio]')) { + error.insertAfter(element.parents('div.radio')); + } else { + element.after(error); + } + }, + rules: { + local_db_enabled: 'auth_enabled', + ldap_enabled: 'auth_enabled', + google_oauth_enabled: 'auth_enabled', + github_oauth_enabled: 'auth_enabled', + azure_oauth_enabled: 'auth_enabled', + oidc_oauth_enabled: 'auth_enabled', + pwd_min_len: { + required: enforce_characters, + digits: true, + min: 1, + max: 64, + }, + pwd_min_lowercase: { + required: enforce_characters, + digits: true, + min: 0, + max: 64, + }, + pwd_min_uppercase: { + required: enforce_characters, + digits: true, + min: 0, + max: 64, + }, + pwd_min_digits: { + required: enforce_characters, + digits: true, + min: 0, + max: 64, + }, + pwd_min_special: { + required: enforce_characters, + digits: true, + min: 0, + max: 64, + }, + pwd_min_complexity: { + required: enforce_complexity, + digits: true, + min: 1, + max: 1000, + }, + ldap_type: ldap_enabled, + ldap_uri: { + required: ldap_enabled, + minlength: 11, + maxlength: 255, + }, + ldap_base_dn: { + required: ldap_enabled, + minlength: 4, + maxlength: 255, + }, + ldap_admin_username: { + required: ldap_type_openldap, + minlength: 4, + maxlength: 255, + }, + ldap_admin_password: { + required: ldap_type_openldap, + minlength: 1, + maxlength: 255, + }, + ldap_domain: { + required: ldap_type_ad, + minlength: 1, + maxlength: 255, + }, + ldap_filter_basic: { + required: ldap_enabled, + minlength: 3, + maxlength: 1000, + }, + ldap_filter_username: { + required: ldap_enabled, + minlength: 1, + maxlength: 100, + }, + ldap_filter_group: { + required: ldap_type_openldap, + minlength: 3, + maxlength: 100, + }, + ldap_filter_groupname: { + required: ldap_type_openldap, + minlength: 1, + maxlength: 100, + }, + ldap_sg_enabled: { + required: ldap_enabled, + ldap_exclusive: true, + }, + ldap_admin_group: { + required: ldap_sg_enabled, + minlength: 3, + maxlength: 100, + }, + ldap_operator_group: { + required: ldap_sg_enabled, + minlength: 3, + maxlength: 100, + }, + ldap_user_group: { + required: ldap_sg_enabled, + minlength: 3, + maxlength: 100, + }, + autoprovisioning: { + required: ldap_enabled, + ldap_exclusive: true, + }, + autoprovisioning_attribute: { + required: ldap_ap_enabled, + minlength: 1, + maxlength: 100, + }, + urn_value: { + required: ldap_ap_enabled, + minlength: 1, + maxlength: 100, + }, + purge: ldap_enabled, + }, + messages: {}, + }); + } + self.activateTab = function (tab) { $('[role="tablist"] a.nav-link').blur(); self.tab_active(tab); @@ -184,42 +436,60 @@ let AuthenticationSettingsModel = function (user_data, api_url, csrf_token, sele return window.location.hash.length > 1; } - self.setupListeners = function () { - if ('onhashchange' in window) { - $(window).bind('hashchange', self.onHashChange); - } - } - - self.destroyListeners = function () { - if ('onhashchange' in window) { - $(window).unbind('hashchange', self.onHashChange); - } - } - self.onDataLoaded = function (result) { if (result.status == 0) { - console.log('Error loading settings: ' + result.messages.join(', ')); + console.log('Error loading settings.'); + + if (result.messages.length) { + for (let i = 0; i < result.messages.length; i++) { + let message = result.messages[i]; + console.log(message); + } + } + self.loading(false); return false; } self.update(result.data); - console.log('Settings loaded: ' + result.messages.join(', ')); + console.log('Settings loaded.'); + + if (result.messages.length) { + for (let i = 0; i < result.messages.length; i++) { + let message = result.messages[i]; + console.log(message); + } + } self.loading(false); } self.onDataSaved = function (result) { if (result.status == 0) { - console.log('Error saving settings: ' + result.messages.join(', ')); + console.log('Error saving settings.'); + + if (result.messages.length) { + for (let i = 0; i < result.messages.length; i++) { + let message = result.messages[i]; + console.log(message); + } + } + self.saving(false); return false; } self.update(result.data); - console.log('Settings saved: ' + result.messages.join(', ')); + console.log('Settings saved.'); + + if (result.messages.length) { + for (let i = 0; i < result.messages.length; i++) { + let message = result.messages[i]; + console.log(message); + } + } self.saving(false); } diff --git a/powerdnsadmin/templates/admin_setting_authentication.html b/powerdnsadmin/templates/admin_setting_authentication.html index bdd026f..2729ed7 100644 --- a/powerdnsadmin/templates/admin_setting_authentication.html +++ b/powerdnsadmin/templates/admin_setting_authentication.html @@ -26,72 +26,72 @@
-
-
-

Settings Editor

-
- -
-
-
- -
-
+
+
+
+

Settings Editor

- {% if result %} -
- - {{ result['msg'] }} + +
+
+
+ +
+
- {% endif %} -
- -
+ {% if result %} +
+ + {{ result['msg'] }} +
+ {% endif %} -
-
-
- - - +
+ +
+ +
+
+

Local Authentication Settings

@@ -130,7 +130,6 @@ Length
@@ -139,7 +138,6 @@
@@ -148,7 +146,6 @@
@@ -156,7 +153,6 @@ Characters
@@ -164,7 +160,6 @@ Characters
@@ -182,7 +177,6 @@
@@ -190,109 +184,114 @@
- -
- - -
-
-
-

Settings Help

-
- -
-
-
Local DB Authentication
-
Enable/disable local database authentication.
-
Allow Users to Signup
-
Allow users to signup. This requires local database - authentication - to be enabled. -
-

Password Requirements

-
This section allows you to customize your local DB - password - requirements - and ensure that when users change their password or - signup - they are - picking strong passwords. -
-
Setting any entry field to a blank value will revert it - back - to default. -
-
Enforce Character Requirements
-
This option will enforce the character type requirements - for - passwords. -
    -
  • Minimum Lowercase Characters - Minimum number of - lowercase - characters required to appear in the password. -
    • -
  • Minimum Uppercase Characters - Minimum number of - uppercase - characters required to appear in the password. -
    • -
  • Minimum Digit Characters - Minimum number of - digits - required to appear in the password. Digits - include - 1234567890. -
    • -
  • Minimum Special Characters - Minimum number of - special - characters required to appear in the password. - Special - characters include - `!@#$%^&*()_-=+[]\{}|;:",.></?. -
    • -
-
-
Enforce Complexity Requirement
-
Enable the enforcement of complex passwords. We - currently use - zxcvbn - for - determining this. -
    -
  • Minimum Complexity - The default value of the - log factor - is 11 as it is considered secure. More - information about - this can be found at - here -
    • -
-
-
-
-
- -
- -
- -
- + -
-
-
- {% if error %} -
- -

Error!

- {{ error }} +
+
+
+

Settings Help

+
+ +
+
+
Local DB Authentication
+
Enable/disable local database authentication.
+
Allow Users to Signup
+
Allow users to signup. This requires local database + authentication + to be enabled. +
+

Password Requirements

+
This section allows you to customize your local DB + password + requirements + and ensure that when users change their password or + signup + they are + picking strong passwords. +
+
Setting any entry field to a blank value will revert + it + back + to default. +
+
Enforce Character Requirements
+
This option will enforce the character type + requirements + for + passwords. +
    +
  • Minimum Lowercase Characters - Minimum + number of + lowercase + characters required to appear in the + password. +
    • +
  • Minimum Uppercase Characters - Minimum + number of + uppercase + characters required to appear in the + password. +
    • +
  • Minimum Digit Characters - Minimum number of + digits + required to appear in the password. Digits + include + 1234567890. +
    • +
  • Minimum Special Characters - Minimum number + of + special + characters required to appear in the + password. + Special + characters include + `!@#$%^&*()_-=+[]\{}|;:",.></?. +
    • +
+
+
Enforce Complexity Requirement
+
Enable the enforcement of complex passwords. We + currently use + zxcvbn + for + determining this. +
    +
  • Minimum Complexity - The default value of + the + log factor + is 11 as it is considered secure. More + information about + this can be found at + here +
    • +
+
+
+
+
- {% endif %} -
- - + +
+ +
+ +
+ + +
+
+
+ {% if error %} +
+ +

Error!

+ {{ error }} +
+ {% endif %}

LDAP Authentication Settings

@@ -337,7 +336,6 @@ name="ldap_uri" id="ldap_uri" placeholder="e.g. ldaps://your-ldap-server:636" - data-error="Please input LDAP URI" data-bind="enable: ldap_enabled, value: ldap_uri, valueUpdate: 'afterkeydown'">
@@ -346,48 +344,40 @@ name="ldap_base_dn" id="ldap_base_dn" placeholder="e.g. dc=mydomain,dc=com" - data-error="Please input LDAP Base DN" data-bind="enable: ldap_enabled, value: ldap_base_dn, valueUpdate: 'afterkeydown'">
-
-
- - - -
-
- - - -
+
+ + +
-
-
- - - -
+
+ + + +
+
+ + +
@@ -398,7 +388,6 @@ name="ldap_filter_basic" id="ldap_filter_basic" placeholder="e.g. (objectClass=inetorgperson)" - data-error="Please input LDAP filter" data-bind="enable: ldap_enabled, value: ldap_filter_basic, valueUpdate: 'afterkeydown'">
@@ -409,33 +398,30 @@ name="ldap_filter_username" id="ldap_filter_username" placeholder="e.g. uid" - data-error="Please input field for username filtering" data-bind="enable: ldap_enabled, value: ldap_filter_username, valueUpdate: 'afterkeydown'">
-
-
- - - -
-
- - - -
+
+ + + +
+
+ + +
@@ -463,7 +449,6 @@
@@ -474,7 +459,6 @@ name="ldap_operator_group" id="ldap_operator_group" placeholder="e.g. cn=operators,dc=mydomain,dc=com" - data-error="Please input LDAP DN for Operator group" data-bind="enable: ldap_enabled() && ldap_sg_enabled(), value: ldap_operator_group, valueUpdate: 'afterkeydown'">
@@ -483,7 +467,6 @@
@@ -516,7 +499,6 @@ name="autoprovisioning_attribute" id="autoprovisioning_attribute" placeholder="e.g. eduPersonEntitlement" - data-error=" Please input field responsible for autoprovisioning" data-bind="enable: ldap_enabled() && autoprovisioning(), value: autoprovisioning_attribute, valueUpdate: 'afterkeydown'">
@@ -528,7 +510,6 @@ name="urn_value" id="urn_value" placeholder="e.g. urn:mace:" - data-error="Please fill this field" data-bind="enable: ldap_enabled() && autoprovisioning(), value: urn_value, valueUpdate: 'afterkeydown'"> {% if error %} Please input the correct prefix for your urn value @@ -554,561 +535,556 @@
+
+
Notice!
+

Users will lose their associated zones unless + they already have their auto-provisioning field + prepopulated.

+
- -
- - -
-
-
-

Settings Help

-
- -
-
-
Enable LDAP Authentication
-
Turn on / off the LDAP authentication.
-
Type
-
Select your current directory service type. -
    -
  • - OpenLDAP - Open source implementation of the - Lightweight - Directory Access Protocol. -
    • -
  • - Active Directory - Active Directory is a - directory - service that Microsoft developed for the Windows - domain - networks. -
    • -
-
-
ADMINISTRATOR INFO
-
Your LDAP connection string and admin credential used by - PDA to - query user information. -
    -
  • - LDAP URI - The fully qualified domain names of - your - directory servers. (e.g. ldap://127.0.0.1:389) -
    • -
  • - LDAP Base DN - The point from where a PDA will - search - for users. -
    • -
  • - LDAP admin username - Your LDAP administrator - user which - has permission to query information in the Base - DN - above. Not needed for Active Directory - authentication. -
    • -
  • - LDAP admin password - The password of LDAP - administrator - user. Not needed for Active Directory - authentication. -
    • -
  • - Active Directory domain - Active Directory - domain used. -
    • -
-
-
FILTERS
-
Define how you want to filter your user in LDAP query. -
    -
  • - Basic filter - The filter that will be applied - to all - LDAP query by PDA. (e.g. - (objectClass=inetorgperson) for OpenLDAP - and (objectClass=organizationalPerson) - for Active Directory) -
    • -
  • - Username field - The field PDA will look for - user's - username. (e.g. uid for OpenLDAP and sAMAccountName - for Active Directory) -
    • -
  • - Group filter - The filter that will be applied - to all - LDAP group queries by PDA. (e.g. (objectClass=groupOfNames) - for OpenLDAP) -
    • -
  • - Group name field - The field PDA will look for - group - names. (e.g. member for OpenLDAP) -
    • -
-
-
GROUP SECURITY
-
User can be assigned to PDA's User or Admin group by - matching - following LDAP Group. -
    -
  • - Status - Turn on / off group security feature. -
    • -
  • - Admin group - Your LDAP admin group. -
    • -
  • - Operator group - Your LDAP operator group. -
    • -
  • - User group - Your LDAP user group. -
    • -
-
-
ADVANCE
-
Provision PDA user privileges based on LDAP Object - Attributes. - Alternative to Group Security Role Management. -
    -
  • - Roles Autoprovisioning - If toggled on, the PDA - Role and - the associations of users found in the local db, - will be - instantly updated from the LDAP server every - time they - log in. -
    • -
  • - Roles provisioning field - The attribute in the - ldap - server populated by the urn values where PDA - will look - for a new Role and/or new associations to - domains/accounts. -
    • -
  • - Urn prefix - The prefix used before the static - keyword - "powerdns-admin" for your entitlements in the - ldap - server. Must comply with RFC no.8141. -
    • -
  • - Purge Roles If Empty - If toggled on, ldap - entries that - have no valid "powerdns-admin" records to their - autoprovisioning field, will lose all their - associations - with any zone or account, also reverting to a - User in - the process, despite their current role in the - local db.
    - If toggled off, in the same scenario they get to - keep - their existing associations and their current - Role. -
    • -
-
-
-
-
- -
- -
- -
- + -
-
-
-
- - +
+
+
+

Settings Help

+
+ +
+
+
Enable LDAP Authentication
+
Turn on / off the LDAP authentication.
+
Type
+
Select your current directory service type. +
    +
  • + OpenLDAP - Open source implementation of the + Lightweight + Directory Access Protocol. +
    • +
  • + Active Directory - Active Directory is a + directory + service that Microsoft developed for the + Windows + domain + networks. +
    • +
+
+
ADMINISTRATOR INFO
+
Your LDAP connection string and admin credential + used by + PDA to + query user information. +
    +
  • + LDAP URI - The fully qualified domain names + of + your + directory servers. (e.g. + ldap://127.0.0.1:389) +
    • +
  • + LDAP Base DN - The point from where a PDA + will + search + for users. +
    • +
  • + LDAP admin username - Your LDAP + administrator + user which + has permission to query information in the + Base + DN + above. Not needed for Active Directory + authentication. +
    • +
  • + LDAP admin password - The password of LDAP + administrator + user. Not needed for Active Directory + authentication. +
    • +
  • + Active Directory domain - Active Directory + domain used. +
    • +
+
+
FILTERS
+
Define how you want to filter your user in LDAP + query. +
    +
  • + Basic filter - The filter that will be + applied + to all + LDAP query by PDA. (e.g. + (objectClass=inetorgperson) for + OpenLDAP + and + (objectClass=organizationalPerson) + for Active Directory) +
    • +
  • + Username field - The field PDA will look for + user's + username. (e.g. uid for OpenLDAP and + sAMAccountName + for Active Directory) +
    • +
  • + Group filter - The filter that will be + applied + to all + LDAP group queries by PDA. (e.g. (objectClass=groupOfNames) + for OpenLDAP) +
    • +
  • + Group name field - The field PDA will look + for + group + names. (e.g. member for OpenLDAP) +
    • +
+
+
GROUP SECURITY
+
User can be assigned to PDA's User or Admin group by + matching + following LDAP Group. +
    +
  • + Status - Turn on / off group security + feature. +
    • +
  • + Admin group - Your LDAP admin group. +
    • +
  • + Operator group - Your LDAP operator group. +
    • +
  • + User group - Your LDAP user group. +
    • +
+
+
ADVANCE
+
Provision PDA user privileges based on LDAP Object + Attributes. + Alternative to Group Security Role Management. +
    +
  • + Roles Autoprovisioning - If toggled on, the + PDA + Role and + the associations of users found in the local + db, + will be + instantly updated from the LDAP server every + time they + log in. +
    • +
  • + Roles provisioning field - The attribute in + the + ldap + server populated by the urn values where PDA + will look + for a new Role and/or new associations to + domains/accounts. +
    • +
  • + Urn prefix - The prefix used before the + static + keyword + "powerdns-admin" for your entitlements in + the + ldap + server. Must comply with RFC no.8141. +
    • +
  • + Purge Roles If Empty - If toggled on, ldap + entries that + have no valid "powerdns-admin" records to + their + autoprovisioning field, will lose all their + associations + with any zone or account, also reverting to + a + User in + the process, despite their current role in + the + local db.
    + If toggled off, in the same scenario they + get to + keep + their existing associations and their + current + Role. +
    • +
+
+
+
+ +
+ +
+ +
+ +
+ + +
+
+

Google OAuth Settings

-
-
- - -
-
- - - -
-
- - - -
-
- - - -
-
- - - -
-
- - -
-
- - - -
-
- - - -
-
- - - -
-
+
+ + +
+
+ + + +
+
+ + + +
+
+ + + +
+
+ + + +
+
+ + +
+
+ + + +
+
+ + + +
+
+ + + +
- -
- - -
-
-
-

Settings Help

-
- -
-

Fill in all the fields in the left form.

-

Make sure you add PDA redirection URI (e.g - http://localhost:9191/google/authorized) to your Google App - Credentials Restriction.

-
-
- -
- -
- -
- + -
-
-
-
- - +
+
+
+

Settings Help

+
+ +
+

Fill in all the fields in the left form.

+

Make sure you add PDA redirection URI (e.g + http://localhost:9191/google/authorized) to your Google + App + Credentials Restriction.

+
+ +
+ +
+ +
+ +
+ + +
+
+

GitHub OAuth Settings

-
-
- - -
-
- - - -
-
- - - -
-
- - - -
-
- - - -
-
- - -
-
- - - -
-
- - - -
-
- - - -
-
+
+ + +
+
+ + + +
+
+ + + +
+
+ + + +
+
+ + + +
+
+ + +
+
+ + + +
+
+ + + +
+
+ + + +
- -
- - -
-
-
-

Settings Help

-
- -
-

Fill in all the fields in the left form.

-
-
- -
- -
- -
- + -
-
-
-
- - +
+
+
+

Settings Help

+
+ +
+

Fill in all the fields in the left form.

+
+ +
+ +
+ +
+ +
+ + +
+
+

Azure OAuth Settings

-
-
- - -
-
- - - -
-
- - - -
-
- - - -
-
- - - -
-
- - -
-
- - - -
-
- - - -
-
- - - -
-
+
+ + +
+
+ + + +
+
+ + + +
+
+ + + +
+
+ + + +
+
+ + +
+
+ + + +
+
+ + + +
+
+ + + +
Group Security
@@ -1135,7 +1111,6 @@ name="azure_admin_group" id="azure_admin_group" placeholder="e.g. 00000000-0000-0000-0000-000000000000" - data-error="Please input the ID for Admin group" data-bind="enable: azure_oauth_enabled() && azure_sg_enabled(), value: azure_admin_group, valueUpdate: 'afterkeydown'">
@@ -1146,7 +1121,6 @@ name="azure_operator_group" id="azure_operator_group" placeholder="e.g. 00000000-0000-0000-0000-000000000000" - data-error="Please input the ID for Operator group" data-bind="enable: azure_oauth_enabled() && azure_sg_enabled(), value: azure_operator_group, valueUpdate: 'afterkeydown'">
@@ -1155,7 +1129,6 @@
@@ -1193,7 +1166,6 @@ name="azure_group_accounts_name" id="azure_group_accounts_name" placeholder="e.g. displayName" - data-error="Please input the Claim for Azure group name" data-bind="enable: azure_oauth_enabled() && azure_group_accounts_enabled(), value: azure_group_accounts_name, valueUpdate: 'afterkeydown'">
@@ -1205,7 +1177,6 @@ name="azure_group_accounts_name_re" id="azure_group_accounts_name_re" placeholder="e.g. (.*)" - data-error="Please input the regex for Azure group name" data-bind="enable: azure_oauth_enabled() && azure_group_accounts_enabled(), value: azure_group_accounts_name_re, valueUpdate: 'afterkeydown'">
@@ -1217,7 +1188,6 @@ name="azure_group_accounts_description" id="azure_group_accounts_description" placeholder="e.g. description. If empty uses whole string" - data-error="Please input the Claim for Azure group description" data-bind="enable: azure_oauth_enabled() && azure_group_accounts_enabled(), value: azure_group_accounts_description, valueUpdate: 'afterkeydown'">
@@ -1229,7 +1199,6 @@ name="azure_group_accounts_description_re" id="azure_group_accounts_description_re" placeholder="e.g. (.*). If empty uses whole string" - data-error="Please input the regex for Azure group description" data-bind="enable: azure_oauth_enabled() && azure_group_accounts_enabled(), value: azure_group_accounts_description_re, valueUpdate: 'afterkeydown'">
@@ -1238,199 +1207,194 @@
- -
- - -
-
-
-

Settings Help

-
- -
-

Fill in all the fields in the left form.

-

You first need to define an Application Registration in your - Azure - Active Directory, with the appropriate HTTPS URL for this - endpoint, - and with the appropriate rights, as explained in the - documentation.

-

-

    -
  • Under the Azure Active Directory, select App - Registrations, and - create a new one. Give it any name you want, and the - Redirect - URI shoule be type 'Web' and of the format https://powerdnsadmin/azure/authorized - (replace the host name approriately). -
    • -
  • Select the newly-created registration
    • -
  • On the Overview page, the Application ID is your new - Client ID - to use with PowerDNS-Admin -
    • -
  • On the Overview page, make a note of your - Directory/Tenant ID - - you need it for the API URLs later -
    • -
  • Ensure Access Tokens are enabled in the Authentication - section -
    • -
  • Under Certificates and Secrets, create a new Client - Secret. Note - this secret as it is the new Client Secret to use with - PowerDNS-Admin -
    • -
  • Under API Permissions, you need to add permissions. Add - permissions for Graph API, Delegated. Add: email, - openid, - profile, GroupMember.Read, User.Read and possibly - User.Read.All. - You then need to grant admin approval for your - organisation. -
    • -
  • For the Scope, use User.Read openid mail profile -
    • -
  • Replace the [tenantID] in the default URLs for authorize - and - token with your Tenant ID. -
    • -
-

-

If AZURE GROUP ACCOUNT SYNC/CREATION is enabled, - Accounts will - be created automatically based on group membership. If an - Account - exists, an authenticated user with group membership is added - to the - Account

-
-
- -
- -
- -
- + -
-
-
-
- - +
+
+
+

Settings Help

+
+ +
+

Fill in all the fields in the left form.

+

You first need to define an Application Registration in + your + Azure + Active Directory, with the appropriate HTTPS URL for + this + endpoint, + and with the appropriate rights, as explained in the + documentation.

+

+

    +
  • Under the Azure Active Directory, select App + Registrations, and + create a new one. Give it any name you want, and the + Redirect + URI shoule be type 'Web' and of the format https://powerdnsadmin/azure/authorized + (replace the host name approriately). +
    • +
  • Select the newly-created registration
    • +
  • On the Overview page, the Application ID is your new + Client ID + to use with PowerDNS-Admin +
    • +
  • On the Overview page, make a note of your + Directory/Tenant ID - + you need it for the API URLs later +
    • +
  • Ensure Access Tokens are enabled in the + Authentication + section +
    • +
  • Under Certificates and Secrets, create a new Client + Secret. Note + this secret as it is the new Client Secret to use + with + PowerDNS-Admin +
    • +
  • Under API Permissions, you need to add permissions. + Add + permissions for Graph API, Delegated. Add: email, + openid, + profile, GroupMember.Read, User.Read and possibly + User.Read.All. + You then need to grant admin approval for your + organisation. +
    • +
  • For the Scope, use User.Read openid mail + profile +
    • +
  • Replace the [tenantID] in the default URLs for + authorize + and + token with your Tenant ID. +
    • +
+

+

If AZURE GROUP ACCOUNT SYNC/CREATION is enabled, + Accounts will + be created automatically based on group membership. If + an + Account + exists, an authenticated user with group membership is + added + to the + Account

+
+ +
+ +
+ +
+ +
+ + +
+
+

OpenID Connect OAuth Settings

-
-
- - -
-
- - - -
-
- - - -
-
- - - -
-
- - - -
-
- - -
-
- - - -
-
- - - -
-
- - - -
-
- - - -
-
+
+ + +
+
+ + + +
+
+ + + +
+
+ + + +
+
+ + + +
+
+ + +
+
+ + + +
+
+ + + +
+
+ + + +
+
+ + + +
Claims
@@ -1439,7 +1403,6 @@ name="oidc_oauth_username" id="oidc_oauth_username" placeholder="e.g. preferred_username" - data-error="Please input Username claim" data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_username, valueUpdate: 'afterkeydown'">
@@ -1448,7 +1411,6 @@
@@ -1458,7 +1420,6 @@ name="oidc_oauth_firstname" id="oidc_oauth_firstname" placeholder="e.g. given_name" - data-error="Please input First Name claim" data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_firstname, valueUpdate: 'afterkeydown'">
@@ -1468,7 +1429,6 @@ name="oidc_oauth_last_name" id="oidc_oauth_last_name" placeholder="e.g. family_name" - data-error="Please input Last Name claim" data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_last_name, valueUpdate: 'afterkeydown'">
@@ -1482,7 +1442,6 @@ name="oidc_oauth_account_name_property" id="oidc_oauth_account_name_property" placeholder="e.g. account_name" - data-error="Please input property containing account_name" data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_account_name_property, valueUpdate: 'afterkeydown'">
@@ -1494,7 +1453,6 @@ name="oidc_oauth_account_description_property" id="oidc_oauth_account_description_property" placeholder="e.g. account_description" - data-error="Please input property containing account_description" data-bind="enable: oidc_oauth_enabled, value: oidc_oauth_account_description_property, valueUpdate: 'afterkeydown'">
@@ -1503,43 +1461,44 @@
- -
- -
-
-
-

Settings Help

-
- -
-

Fill in all the fields in the left form.

-
-
- + +
+
+
+

Settings Help

+
+ +
+

Fill in all the fields in the left form.

+
+ +
+ +
+
- +
- -
- + +
+
- +
- + +
+
+ +
+
- -
- -
- -
- + +
@@ -1549,6 +1508,12 @@ {% endblock %} +{% block head_styles %} + +{% endblock %} + {% block extrascripts %} {% assets "js_validation" -%} @@ -1565,334 +1530,6 @@ model.init(true); }) - - {% endblock %} {% block modals %}