
grafana: add ldap configuration

Karsten Böddeker 4 years ago
parent
commit
1347340a3b
3 changed files with 105 additions and 4 deletions
  1. 10 3
      grafana/grafana.ini.tmpl
  2. 6 1
      grafana/init.sls
  3. 89 0
      grafana/ldap.toml.tmpl

+ 10 - 3
grafana/grafana.ini.tmpl

@@ -1,4 +1,7 @@
-##################### Grafana Configuration Example #####################
+#
+# /etc/grafana/grafana.ini (salt managed)
+#
+
 #
 # Everything has defaults so you only need to uncomment things you want to
 # change
@@ -267,9 +270,13 @@ org_role = Viewer
 
 #################################### Auth LDAP ##########################
 [auth.ldap]
+{%- if 'ldap' in config %}
 enabled = true
+{%- else %}
+enabled = false
+{%- endif %}
 config_file = /etc/grafana/ldap.toml
-allow_sign_up = false
+allow_sign_up = true
 
 #################################### SMTP / Emailing ##########################
 [smtp]
@@ -352,7 +359,7 @@ allow_sign_up = false
 ;rabbitmq_url = amqp://localhost/
 ;exchange = grafana_events
 
-;#################################### Dashboard JSON files ##########################
+#################################### Dashboard JSON files ##########################
 [dashboards.json]
 ;enabled = false
 ;path = /var/lib/grafana/dashboards
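Review bot: `allow_sign_up = true` in the `[auth.ldap]` hunk lets Grafana create a local account for any directory user who authenticates, and the ldap.toml added in this same commit maps `group_dn = "*"` to `Viewer`, so every user under the configured search base who matches `(uid=%s)` and can bind gets a Viewer login on first sign-in. If that is the intent, record it above the key, e.g. `# every authenticated LDAP user gets an account (ldap.toml maps "*" to Viewer)`; if only the explicitly mapped groups should get in, keep `allow_sign_up = false` or drop the wildcard mapping. The key is also set to `true` in the `{%- else %}` branch where `enabled = false`, which is harmless but easy to misread; moving it inside the if-branch would make the two cases symmetric. This template tests `'ldap' in config` while init.sls tests `'ldap' in node_config.grafana`; whether `config` here is the same mapping is not visible in this commit.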

+ 6 - 1
grafana/init.sls

@@ -56,9 +56,14 @@ grafana-src:
 
 # copy LDAP config
 /etc/grafana/ldap.toml:
+{% if 'ldap' in node_config.grafana %}
   file.managed:
-    - source: salt://grafana/ldap.toml
+    - source: salt://grafana/ldap.toml.tmpl
     - template: jinja
+      config: {{node_config.grafana.ldap}}
+{% else %}
+  file.absent:
+{% endif %}
     - require:
       - pkg: grafana
 
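Review bot: The `file.managed` branch writes a file that carries `bind_password` but sets no `user`/`group`/`mode`, so a freshly created `/etc/grafana/ldap.toml` is left with the default permissions and the secret is likely readable by any local account; the file's contents are also printed as a diff in the state result unless `show_changes` is disabled. Passing `{{node_config.grafana.ldap}}` injects the Python repr of the dict into the YAML, which breaks as soon as the password contains a quote or another YAML-significant character; serialising it (`| json`) and passing it under the documented `context:` key is more robust, and the template still sees it as `config`. The group name below assumes the grafana package creates a `grafana` group; adjust if it differs.
```yaml
{% if 'ldap' in node_config.grafana %}
  file.managed:
    - source: salt://grafana/ldap.toml.tmpl
    - template: jinja
    - context:
        config: {{ node_config.grafana.ldap | json }}
    - user: root
    - group: grafana
    - mode: 640
    - show_changes: False
{% else %}
# … unchanged: file.absent branch and require …
```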

+ 89 - 0
grafana/ldap.toml.tmpl

@@ -0,0 +1,89 @@
+#
+# /etc/grafana/ldap.toml (salt managed)
+#
+
+# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
+# [log]
+# filters = ldap:debug
+
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "{{ config.host }}"
+# Default port is 389 or 636 if use_ssl = true
+port = 636
+# Set to true if ldap server supports TLS
+use_ssl = true
+# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
+start_tls = false
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = /path/to/certificate.crt
+
+# Search user bind dn
+bind_dn = "uid=grafana,ou=Services,dc=ffho,dc=net"
+# Search user bind password
+# If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
+bind_password = "{{ config.bind_password }}"
+
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+search_filter = "(uid=%s)"
+
+# An array of base dns to search through
+search_base_dns = ["dc=ffho,dc=net"]
+
+# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
+# This is done by enabling group_search_filter below. You must also set member_of= "cn"
+# in [servers.attributes] below.
+
+# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
+# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
+# below in such a way that the user's recursive group membership is considered.
+#
+# Nested Groups + Active Directory (AD) Example:
+#
+#   AD groups store the Distinguished Names (DNs) of members, so your filter must
+#   recursively search your groups for the authenticating user's DN. For example:
+#
+#     group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
+#     group_search_filter_user_attribute = "distinguishedName"
+#     group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
+#
+#     [servers.attributes]
+#     ...
+#     member_of = "distinguishedName"
+
+## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
+# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
+## Defaults to the value of username in [server.attributes]
+## Valid options are any of your values in [servers.attributes]
+## If you are using nested groups you probably want to set this and member_of in
+## [servers.attributes] to "distinguishedName"
+# group_search_filter_user_attribute = "distinguishedName"
+## An array of the base DNs to search through for groups. Typically uses ou=groups
+# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
+
+# Specify names of the ldap attributes your ldap uses
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "uid"
+member_of = "memberOf"
+email =  "mail"
+
+# Map ldap groups to grafana org roles
+[[servers.group_mappings]]
+group_dn = "cn=noc,ou=Groups,dc=ffho,dc=net"
+org_role = "Admin"
+# The Grafana organization database id, optional, if left out the default org (id 1) will be used
+# org_id = 1
+
+[[servers.group_mappings]]
+group_dn = "cn=ffho,ou=Groups,dc=ffho,dc=net"
+org_role = "Editor"
+
+[[servers.group_mappings]]
+# If you want to match all (or no ldap groups) then you can use wildcard
+group_dn = "*"
+org_role = "Viewer"
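Review bot: `bind_password = "{{ config.bind_password }}"` drops the value straight into a TOML basic string, so a password containing `"` or `\` yields an invalid or truncated file and LDAP auth silently stops working; the same applies to `host`. Emitting the value as a JSON string, whose escapes are also valid TOML basic-string escapes, avoids that: `bind_password = {{ config.bind_password | json }}` (Salt's Jinja `json` filter, if available in the version in use; otherwise document the character restriction next to the key). The comment above it about wrapping `#` or `;` in triple quotes is copied from the sample file and no longer applies to a templated value, so it should be reworded or dropped. `bind_dn` and `search_base_dns` stay hard-coded to `dc=ffho,dc=net` while `host` is templated; a comment stating that this is deliberate would help the next maintainer.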