Monthly archive: July 2017

  • Grafana Active Directory LDAP configuration

    Grafana Active Directory LDAP configuration examples.

    The configuration example below lets your Active Directory member users log in to your Grafana service with their sAMAccountName.

    You manage the Admin/Editor/Viewer roles in AD by adding each user to the corresponding AD group.

    Remember that the DN is case sensitive; this is very important.

    # Set to true to log user information returned from LDAP
    verbose_logging = false

    [[servers]]
    # Ldap server host (specify multiple hosts space separated)
    host = "${livedig.yourServersIPorFQDN}"
    # Default port is 389 or 636 if use_ssl = true
    port = 389
    # Set to true if ldap server supports TLS
    use_ssl = false
    # Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
    start_tls = false
    # set to true if you want to skip ssl cert validation
    ssl_skip_verify = false
    # set to the path to your root CA certificate or leave unset to use system defaults
    root_ca_cert = "/path/to/certificate.crt"

    # Search user bind dn
    bind_dn = "CN=robot,CN=IT System,CN=Users,DC=example,DC=io"
    # Search user bind password
    # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
    bind_password = '${livedig.urUserBaseDNPassword}'

    # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
    search_filter = "(&(objectCategory=Person)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

    # An array of base dns to search through
    search_base_dns = ["CN=Users,DC=example,DC=io"]

    # In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
    # This is done by enabling group_search_filter below. You must also set member_of = "cn"
    # in [servers.attributes] below.

    # Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
    #group_search_filter = ""
    # An array of the base DNs to search through for groups. Typically uses ou=groups
    #group_search_base_dns = [""]

    # Specify names of the ldap attributes your ldap uses
    [servers.attributes]
    name = "givenName"
    surname = "sn"
    username = "sAMAccountName"
    member_of = "memberOf"
    email = "mail"

    # Map ldap groups to grafana org roles
    [[servers.group_mappings]]
    group_dn = "CN=Grafana Admin,CN=IT System,CN=Users,DC=example,DC=io"
    org_role = "Admin"
    # The Grafana organization database id, optional, if left out the default org (id 1) will be used.
    # Setting this allows for multiple group_dn's to be assigned to the same org_role provided the org_id differs
    org_id = 1

    [[servers.group_mappings]]
    group_dn = "CN=Grafana Editor,CN=IT System,CN=Users,DC=example,DC=io"
    org_role = "Editor"

    [[servers.group_mappings]]
    # If you want to match all (or no ldap groups) then you can use wildcard
    group_dn = "CN=Grafana Viewer,CN=IT System,CN=Users,DC=example,DC=io"
    org_role = "Viewer"
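    The settings above decide whether the bind password and every user's password cross the wire in the clear, whether the LDAPS certificate is actually checked, whether disabled AD accounts can still log in, and whether a wildcard group_dn hands out privileged roles. The following script, added here as an example and not part of the original post or of Grafana, reads an ldap.toml with a small TOML-subset parser (comments, [table] and [[array-of-tables]] headers, strings, booleans, integers, string arrays; enough for this file) and reports those review points. The sample config is constructed to mirror the post's file; the host name `ldap.example.io` and the bind password are placeholders, and the finding codes are this script's own, not Grafana terminology.

```python
import re

# Constructed sample mirroring the ldap.toml in the post. The host name and the
# bind password are placeholders, not values from the post or from a real directory.
SAMPLE_LDAP_TOML = """
verbose_logging = false

[[servers]]
host = "ldap.example.io"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "CN=robot,CN=IT System,CN=Users,DC=example,DC=io"
bind_password = 'PLACEHOLDER-BIND-PASSWORD'
search_filter = "(&(objectCategory=Person)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
search_base_dns = ["CN=Users,DC=example,DC=io"]

[servers.attributes]
username = "sAMAccountName"
member_of = "memberOf"

[[servers.group_mappings]]
group_dn = "CN=Grafana Admin,CN=IT System,CN=Users,DC=example,DC=io"
org_role = "Admin"
org_id = 1

[[servers.group_mappings]]
group_dn = "CN=Grafana Editor,CN=IT System,CN=Users,DC=example,DC=io"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "CN=Grafana Viewer,CN=IT System,CN=Users,DC=example,DC=io"
org_role = "Viewer"
"""

# Matching-rule assertion from the post's filter: bit 2 of userAccountControl means "account disabled"
DISABLED_BIT = "UserAccountControl:1.2.840.113556.1.4.803:=2"

def _parse_value(raw):
    """TOML subset used by ldap.toml: strings (incl. triple-quoted), string arrays, bools, ints."""
    raw = raw.strip()
    if raw.startswith('"""'):
        return raw[3:raw.index('"""', 3)]
    if raw[0] in "\"'":
        return raw[1:raw.index(raw[0], 1)]
    if raw.startswith("["):  # DNs contain commas, so pick out the quoted items instead of splitting on ","
        inner = raw[1:raw.rindex("]")]
        return [a or b for a, b in re.findall(r'"([^"]*)"|\'([^\']*)\'', inner)]
    token = raw.split("#", 1)[0].strip()  # drop a trailing comment
    return token == "true" if token in ("true", "false") else int(token)

def _resolve(root, parts):  # walk a dotted header path; an array of tables on the way means its last entry
    node = root
    for part in parts:
        node = node[part]
        if isinstance(node, list):
            node = node[-1]
    return node

def parse_ldap_toml(text):
    root = current = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):  # [[servers]] / [[servers.group_mappings]]: new array-of-tables entry
            parts = line[2:line.index("]]")].split(".")
            current = {}
            _resolve(root, parts[:-1]).setdefault(parts[-1], []).append(current)
        elif line.startswith("["):  # [servers.attributes]: sub-table of the current server
            parts = line[1:line.index("]")].split(".")
            current = _resolve(root, parts[:-1]).setdefault(parts[-1], {})
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = _parse_value(value)
    return root

def lint_ldap_config(text):
    """Return (code, message) findings a reviewer would raise; an empty list means clean."""
    cfg, findings = parse_ldap_toml(text), []
    for srv in cfg.get("servers", []):
        host = srv.get("host", "<no host>")
        use_ssl, start_tls = srv.get("use_ssl", False), srv.get("start_tls", False)
        if not (use_ssl or start_tls):
            findings.append(("CLEARTEXT-BIND", f"{host}: neither use_ssl nor start_tls is set; bind and user passwords travel in cleartext"))
        if srv.get("ssl_skip_verify") is True:
            findings.append(("CERT-NOT-VERIFIED", f"{host}: ssl_skip_verify = true accepts any certificate; set root_ca_cert instead"))
        if use_ssl and srv.get("port") == 389:
            findings.append(("PORT-MISMATCH", f"{host}: use_ssl = true but port is 389; LDAPS normally uses 636"))
        if DISABLED_BIT not in srv.get("search_filter", ""):
            findings.append(("DISABLED-NOT-EXCLUDED", f"{host}: search_filter does not exclude disabled AD accounts"))
        for gm in srv.get("group_mappings", []):
            if gm.get("group_dn") == "*" and gm.get("org_role") in ("Admin", "Editor"):
                findings.append(("WILDCARD-PRIVILEGED", f"{host}: wildcard group_dn grants {gm['org_role']} to every user"))
    return findings

if __name__ == "__main__":
    for code, message in lint_ldap_config(SAMPLE_LDAP_TOML):
        print(f"[{code}] {message}")
```

    Run against the post's configuration as written, the only finding is CLEARTEXT-BIND: with use_ssl and start_tls both false, the bind account's password and each user's password are sent to the domain controller unencrypted. Setting use_ssl = true with port = 636 (or start_tls = true) and leaving ssl_skip_verify = false, with root_ca_cert pointing at your CA, clears it. The search filter already excludes disabled accounts, which is why the DISABLED-NOT-EXCLUDED check stays quiet here.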