Grafana Active Directory LDAP configuration

Grafana Active Directory LDAP configuration examples.

The configuration example below lets Active Directory member users log in to your Grafana service with their sAMAccountName.

You manage the Admin/Editor/Viewer roles in AD by adding each user to the corresponding AD group.

Remember that the DN is case sensitive; this is very important.

```toml
# Set to true to log user information returned from LDAP
verbose_logging = false

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "${livedig.yourServersIPorFQDN}"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
root_ca_cert = "/path/to/certificate.crt"

# Search user bind dn
bind_dn = "CN=robot,CN=IT System,CN=Users,DC=example,DC=io"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = '${livedig.urUserBaseDNPassword}'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(&(objectCategory=Person)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

# An array of base dns to search through
search_base_dns = ["CN=Users,DC=example,DC=io"]

# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
# This is done by enabling group_search_filter below. You must also set member_of = "cn"
# in [servers.attributes] below.

# Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
#group_search_filter = ""
# An array of the base DNs to search through for groups. Typically uses ou=groups
#group_search_base_dns = [""]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "CN=Grafana Admin,CN=IT System,CN=Users,DC=example,DC=io"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used.
# Setting this allows for multiple group_dn's to be assigned to the same org_role provided the org_id differs
org_id = 1

[[servers.group_mappings]]
group_dn = "CN=Grafana Editor,CN=IT System,CN=Users,DC=example,DC=io"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "CN=Grafana Viewer,CN=IT System,CN=Users,DC=example,DC=io"
org_role = "Viewer"
```
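To see what the search_filter and the group mappings above do to a login attempt, here is an added Python simulation (not Grafana's own code): it applies the ACCOUNTDISABLE bit test from the filter and then matches the user's memberOf values against the mappings in file order. The AD entries, the first-match precedence and the exact-string DN comparison are assumptions made for the illustration.

```python
ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the 1.2.840.113556.1.4.803:=2 clause

# Group mappings transcribed from the config above, in file order.
GROUP_MAPPINGS = [
    {"group_dn": "CN=Grafana Admin,CN=IT System,CN=Users,DC=example,DC=io", "org_role": "Admin", "org_id": 1},
    {"group_dn": "CN=Grafana Editor,CN=IT System,CN=Users,DC=example,DC=io", "org_role": "Editor"},
    {"group_dn": "CN=Grafana Viewer,CN=IT System,CN=Users,DC=example,DC=io", "org_role": "Viewer"},
]

# Constructed AD entries, keyed by sAMAccountName, as a directory search would return them.
AD_USERS = {
    "alice": {"userAccountControl": 512,  # normal account
              "memberOf": ["CN=Grafana Editor,CN=IT System,CN=Users,DC=example,DC=io"]},
    "bob":   {"userAccountControl": 514,  # 512 + ACCOUNTDISABLE: disabled in AD
              "memberOf": ["CN=Grafana Admin,CN=IT System,CN=Users,DC=example,DC=io"]},
    "carol": {"userAccountControl": 512,  # group DN typed with the wrong case
              "memberOf": ["cn=grafana viewer,CN=IT System,CN=Users,DC=example,DC=io"]},
}


def resolve_role(sam_account_name, users=AD_USERS, mappings=GROUP_MAPPINGS):
    """Return (org_id, org_role) for a login, or None when the user is rejected or unmapped."""
    entry = users.get(sam_account_name)
    if entry is None:
        return None  # no such account: the search_filter matches nothing
    # (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) excludes entries whose
    # ACCOUNTDISABLE bit is set, so disabled AD accounts never reach the bind step.
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return None
    # Mappings are tried in file order and the first hit wins (assumed precedence).
    # group_dn is compared as an exact string, which is why the post stresses DN case;
    # "*" is the wildcard mentioned in the config comments.
    for mapping in mappings:
        if mapping["group_dn"] == "*" or mapping["group_dn"] in entry["memberOf"]:
            return (mapping.get("org_id", 1), mapping["org_role"])  # org_id defaults to 1
    return None
```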

Comments

1 comment on “Grafana Active Directory LDAP configuration”

  1. Mike

    I just want to thank whomever posted this as I had been searching through a large number of posts getting nowhere with my AD configuration for Grafana. So, thanks for posting this!
