1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889 |
- #
- # /etc/grafana/ldap.toml (salt managed)
- #
- # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
- # [log]
- # filters = ldap:debug
- [[servers]]
- # Ldap server host (specify multiple hosts space separated)
- host = "{{ config.host }}"
- # Default port is 389 or 636 if use_ssl = true
- port = 636
- # Set to true if ldap server supports TLS
- use_ssl = true
- # Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
- start_tls = false
- # set to true if you want to skip ssl cert validation
- ssl_skip_verify = false
- # set to the path to your root CA certificate or leave unset to use system defaults
- # root_ca_cert = /path/to/certificate.crt
- # Search user bind dn
- bind_dn = "{{ config.bind_dn }}"
- # Search user bind password
- # If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
- bind_password = "{{ config.bind_password }}"
- # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
- search_filter = "(uid=%s)"
- # An array of base dns to search through
- search_base_dns = ["dc=ffho,dc=net"]
- # In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
- # This is done by enabling group_search_filter below. You must also set member_of= "cn"
- # in [servers.attributes] below.
- # Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
- # can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
- # below in such a way that the user's recursive group membership is considered.
- #
- # Nested Groups + Active Directory (AD) Example:
- #
- # AD groups store the Distinguished Names (DNs) of members, so your filter must
- # recursively search your groups for the authenticating user's DN. For example:
- #
- # group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
- # group_search_filter_user_attribute = "distinguishedName"
- # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
- #
- # [servers.attributes]
- # ...
- # member_of = "distinguishedName"
- ## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
- # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
- ## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
- ## Defaults to the value of username in [server.attributes]
- ## Valid options are any of your values in [servers.attributes]
- ## If you are using nested groups you probably want to set this and member_of in
- ## [servers.attributes] to "distinguishedName"
- # group_search_filter_user_attribute = "distinguishedName"
- ## An array of the base DNs to search through for groups. Typically uses ou=groups
- # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
- # Specify names of the ldap attributes your ldap uses
- [servers.attributes]
- name = "givenName"
- surname = "sn"
- username = "uid"
- member_of = "memberOf"
- email = "mail"
- # Map ldap groups to grafana org roles
- [[servers.group_mappings]]
- group_dn = "cn=noc,ou=Groups,dc=ffho,dc=net"
- org_role = "Admin"
- # The Grafana organization database id, optional, if left out the default org (id 1) will be used
- # org_id = 1
- [[servers.group_mappings]]
- group_dn = "cn=ffho,ou=Groups,dc=ffho,dc=net"
- org_role = "Editor"
- [[servers.group_mappings]]
- # If you want to match all (or no ldap groups) then you can use wildcard
- group_dn = "*"
- org_role = "Viewer"
|