ldap.toml.tmpl 3.5 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889
  1. #
  2. # /etc/grafana/ldap.toml (salt managed)
  3. #
  4. # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
  5. # [log]
  6. # filters = ldap:debug
  7. [[servers]]
  8. # Ldap server host (specify multiple hosts space separated)
  9. host = "{{ config.host }}"
  10. # Default port is 389 or 636 if use_ssl = true
  11. port = 636
  12. # Set to true if ldap server supports TLS
  13. use_ssl = true
  14. # Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
  15. start_tls = false
  16. # set to true if you want to skip ssl cert validation
  17. ssl_skip_verify = false
  18. # set to the path to your root CA certificate or leave unset to use system defaults
  19. # root_ca_cert = /path/to/certificate.crt
  20. # Search user bind dn
  21. bind_dn = "{{ config.bind_dn }}"
  22. # Search user bind password
  23. # If the password contains # or ; you have to wrap it with trippel quotes. Ex """#password;"""
  24. bind_password = "{{ config.bind_password }}"
  25. # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
  26. search_filter = "(uid=%s)"
  27. # An array of base dns to search through
  28. search_base_dns = ["dc=ffho,dc=net"]
  29. # In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
  30. # This is done by enabling group_search_filter below. You must also set member_of= "cn"
  31. # in [servers.attributes] below.
  32. # Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
  33. # can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
  34. # below in such a way that the user's recursive group membership is considered.
  35. #
  36. # Nested Groups + Active Directory (AD) Example:
  37. #
  38. # AD groups store the Distinguished Names (DNs) of members, so your filter must
  39. # recursively search your groups for the authenticating user's DN. For example:
  40. #
  41. # group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
  42. # group_search_filter_user_attribute = "distinguishedName"
  43. # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
  44. #
  45. # [servers.attributes]
  46. # ...
  47. # member_of = "distinguishedName"
  48. ## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
  49. # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
  50. ## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
  51. ## Defaults to the value of username in [server.attributes]
  52. ## Valid options are any of your values in [servers.attributes]
  53. ## If you are using nested groups you probably want to set this and member_of in
  54. ## [servers.attributes] to "distinguishedName"
  55. # group_search_filter_user_attribute = "distinguishedName"
  56. ## An array of the base DNs to search through for groups. Typically uses ou=groups
  57. # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
  58. # Specify names of the ldap attributes your ldap uses
  59. [servers.attributes]
  60. name = "givenName"
  61. surname = "sn"
  62. username = "uid"
  63. member_of = "memberOf"
  64. email = "mail"
  65. # Map ldap groups to grafana org roles
  66. [[servers.group_mappings]]
  67. group_dn = "cn=noc,ou=Groups,dc=ffho,dc=net"
  68. org_role = "Admin"
  69. # The Grafana organization database id, optional, if left out the default org (id 1) will be used
  70. # org_id = 1
  71. [[servers.group_mappings]]
  72. group_dn = "cn=ffho,ou=Groups,dc=ffho,dc=net"
  73. org_role = "Editor"
  74. [[servers.group_mappings]]
  75. # If you want to match all (or no ldap groups) then you can use wildcard
  76. group_dn = "*"
  77. org_role = "Viewer"