A PowerDNS web interface with advanced features
Go to file
2017-12-05 03:48:18 +01:00
app fixed name-id formating and name-id 2017-12-05 03:48:18 +01:00
upload/avatar Adjustment in user_profile template. Add avatar uploading support 2015-12-17 00:50:28 +07:00
.gitignore ignore idp cert 2017-10-31 19:27:15 +01:00
.travis.yml updated travis and config_template 2017-11-02 02:32:51 +01:00
config_template.py added standard SAML logout method using metadata 2017-12-05 00:14:31 +01:00
create_db.py Modify create_db.py, add auto-ptr setting inserting 2016-11-21 13:43:55 +01:00
db_downgrade.py Change shebang lines to work universally 2016-09-17 06:49:23 -07:00
db_migrate.py Change shebang lines to work universally 2016-09-17 06:49:23 -07:00
db_upgrade.py Change shebang lines to work universally 2016-09-17 06:49:23 -07:00
docker-compose.yml Add Docker Compose file 2016-07-07 12:14:40 +07:00
LICENSE Add MIT LICENSE file 2016-01-09 09:43:04 +07:00
README.md Merge branch 'master' into ldap_group_security 2017-11-02 23:23:36 +01:00
requirements.txt fixed requirements. caused redirect loop 2017-10-31 18:14:38 +01:00
run_travis.sh added basic travis script 2017-11-02 02:15:33 +01:00
run.py Google OAuth 2017-09-22 15:28:09 +01:00

PowerDNS-Admin

PowerDNS Web-GUI - Built by Flask Build Status

Features:

  • Multiple domain management
  • Local / LDAP user authentication
  • Support Two-factor authentication (TOTP)
  • Support SAML authentication
  • Google oauth authentication
  • Github oauth authentication
  • User management
  • User access management based on domain
  • User activity logging
  • Dashboard and pdns service statistics
  • DynDNS 2 protocol support
  • Edit IPv6 PTRs using IPv6 addresses directly (no more editing of literal addresses!)

Setup

PowerDNS Version Support:

PowerDNS-Admin supports PowerDNS autoritative server versions 3.4.2 and higher.

pdns Service

I assume that you have already installed powerdns service. Make sure that your /etc/pdns/pdns.conf has these contents

PowerDNS 4.0.0 and later

api=yes
api-key=your-powerdns-api-key
webserver=yes

PowerDNS before 4.0.0

experimental-json-interface=yes
experimental-api-key=your-powerdns-api-key
webserver=yes

This will enable API access in PowerDNS so PowerDNS-Admin can intergrate with PowerDNS.

Create Database

We will create a database which used by this web application. Please note that this database is difference from pdns database itself.

You could use any database that SQLAlchemy supports. For example MySQL (you will need to pip install MySQL-python to use MySQL backend):

MariaDB [(none)]> CREATE DATABASE powerdnsadmin;

MariaDB [(none)]> GRANT ALL PRIVILEGES ON powerdnsadmin.* TO powerdnsadmin@'%' IDENTIFIED BY 'your-password';

For testing purpose, you could also use SQLite as backend. This way you do not have to install MySQL-python dependency.

PowerDNS-Admin

In this installation guide, I am using CentOS 7 and run my python stuffs with virtualenv. If you don't have it, lets install it:

$ sudo yum install python-pip
$ sudo pip install virtualenv

In your python web app directory, create a flask directory via virtualenv

$ virtualenv flask

Enable virtualenv and install python 3rd libraries

$ source ./flask/bin/activate
(flask)$ pip install -r requirements.txt

Web application configuration is stored in config.py file. Let's clone it from config_template.py file and then edit it

(flask)$ cp config_template.py config.py 
(flask)$ vim config.py

You can configure group based security by tweaking the below parameters in config.py. Groups membership comes from LDAP. Setting LDAP_GROUP_SECURITY to True enables group-based security. With this enabled only members of the two groups listed below are allowed to login. Members of LDAP_ADMIN_GROUP will get the Administrator role and members of LDAP_USER_GROUP will get the User role. Sample config below:

LDAP_GROUP_SECURITY = True
LDAP_ADMIN_GROUP = 'CN=PowerDNS-Admin Admin,OU=Custom,DC=ivan,DC=local'
LDAP_USER_GROUP = 'CN=PowerDNS-Admin User,OU=Custom,DC=ivan,DC=local'

Create database after having proper configs

(flask)% ./create_db.py

Run the application and enjoy!

(flask)$ ./run.py

SAML Authentication

SAML authentication is supported. Setting are retrieved from Metdata-XML. Metadata URL is configured in config.py as well as caching interval. Following Assertions are supported and used by this application:

  • nameidentifier in form of email address as user login
  • email used as user email address
  • givenname used as firstname
  • surname used as lastname

ADFS claim rules as example

Microsoft Active Directory Federation Services can be used as Identity Provider for SAML login. The Following rules should be configured to send all attribute information to PowerDNS-Admin. The nameidentifier should be something stable from the idp side. All other attributes are update when singing in.

sending the nameidentifier

Name-Identifiers Type is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

c:[Type == "<here goes your source claim>"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

sending the firstname

Name-Identifiers Type is "givenname"

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"]
 => issue(Type = "givenname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:transient");

sending the lastname

Name-Identifiers Type is "surname"

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"]
 => issue(Type = "surname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:transient");

sending the email

Name-Identifiers Type is "email"

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "email", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

Screenshots

login page dashboard create domain page manage domain page two-factor authentication config