2016-12-05 07:11:53 -05:00
|
|
|
{%- from "grafana/map.jinja" import server with context %}
|
|
|
|
|
{%- set ldap_params = server.auth.ldap %}
|
|
|
|
|
# Set to true to log user information returned from LDAP
|
|
|
|
|
verbose_logging = false
|
|
|
|
|
|
|
|
|
|
[[servers]]
|
|
|
|
|
# Ldap server host (specify multiple hosts space separated)
|
|
|
|
|
host = "{{ ldap_params.host }}"
|
|
|
|
|
# Default port is 389 or 636 if use_ssl = true
|
|
|
|
|
port = {{ ldap_params.port }}
|
|
|
|
|
# Set to true if ldap server supports TLS
|
|
|
|
|
use_ssl = {{ ldap_params.use_ssl|lower }}
|
|
|
|
|
|
|
|
|
|
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
|
|
|
|
|
start_tls = false
|
|
|
|
|
# set to true if you want to skip ssl cert validation
|
|
|
|
|
ssl_skip_verify = false
|
|
|
|
|
# set to the path to your root CA certificate or leave unset to use system defaults
|
|
|
|
|
# root_ca_cert = /path/to/certificate.crt
|
|
|
|
|
|
|
|
|
|
# Search user bind dn
|
|
|
|
|
bind_dn = "{{ ldap_params.bind_dn }}"
|
|
|
|
|
# Search user bind password
|
|
|
|
|
bind_password = "{{ ldap_params.bind_password }}"
|
|
|
|
|
|
|
|
|
|
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
|
|
|
|
|
search_filter = "{{ ldap_params.user_search_filter }}"
|
|
|
|
|
|
|
|
|
|
# An array of base dns to search through
|
|
|
|
|
search_base_dns = {{ ldap_params.user_search_base_dns }}
|
|
|
|
|
|
|
|
|
|
# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
|
|
|
|
|
# This is done by enabling group_search_filter below. You must also set member_of= "cn"
|
|
|
|
|
# in [servers.attributes] below.
|
|
|
|
|
|
|
|
|
|
# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
|
|
|
|
|
# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
|
|
|
|
|
# below in such a way that the user's recursive group membership is considered.
|
|
|
|
|
#
|
|
|
|
|
# Nested Groups + Active Directory (AD) Example:
|
|
|
|
|
#
|
|
|
|
|
# AD groups store the Distinguished Names (DNs) of members, so your filter must
|
|
|
|
|
# recursively search your groups for the authenticating user's DN. For example:
|
|
|
|
|
#
|
|
|
|
|
# group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
|
|
|
|
|
# group_search_filter_user_attribute = "distinguishedName"
|
|
|
|
|
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
|
|
|
|
|
#
|
|
|
|
|
# [servers.attributes]
|
|
|
|
|
# ...
|
|
|
|
|
# member_of = "distinguishedName"
|
|
|
|
|
|
|
|
|
|
## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
|
|
|
|
|
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
|
|
|
|
|
## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
|
|
|
|
|
## Defaults to the value of username in [server.attributes]
|
|
|
|
|
## Valid options are any of your values in [servers.attributes]
|
|
|
|
|
## If you are using nested groups you probably want to set this and member_of in
|
|
|
|
|
## [servers.attributes] to "distinguishedName"
|
|
|
|
|
# group_search_filter_user_attribute = "distinguishedName"
|
|
|
|
|
## An array of the base DNs to search through for groups. Typically uses ou=groups
|
|
|
|
|
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
|
|
|
|
|
# Specify names of the ldap attributes your ldap uses
|
|
|
|
|
|
|
|
|
|
{%- if ldap_params.group_search_filter is defined %}
|
|
|
|
|
group_search_filter = "{{ ldap_params.group_search_filter }}"
|
|
|
|
|
{%- endif %}
|
|
|
|
|
{%- if ldap_params.group_search_base_dns is defined %}
|
|
|
|
|
group_search_base_dns = {{ ldap_params.group_search_base_dns }}
|
|
|
|
|
{%- endif %}
|
|
|
|
|
|
|
|
|
|
[servers.attributes]
|
2016-12-13 07:53:05 -05:00
|
|
|
name = "{{ ldap_params.servers.attributes.name }}"
|
|
|
|
|
surname = "{{ ldap_params.servers.attributes.surname }}"
|
|
|
|
|
username = "{{ ldap_params.servers.attributes.username }}"
|
|
|
|
|
member_of = "{{ ldap_params.servers.attributes.member_of }}"
|
|
|
|
|
email = "{{ ldap_params.servers.attributes.email }}"
|
2016-12-05 07:11:53 -05:00
|
|
|
|
|
|
|
|
{%- if ldap_params.get('authorization', {}).get('enabled', False) %}
|
|
|
|
|
|
|
|
|
|
# Map ldap groups to grafana org roles
|
|
|
|
|
{%- if ldap_params.authorization.admin_group is defined %}
|
|
|
|
|
[[servers.group_mappings]]
|
|
|
|
|
group_dn = "{{ ldap_params.authorization.admin_group }}"
|
|
|
|
|
org_role = "Admin"
|
|
|
|
|
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
|
|
|
|
|
# org_id = 1
|
|
|
|
|
{%- endif %}
|
|
|
|
|
|
|
|
|
|
{%- if ldap_params.authorization.editor_group is defined %}
|
|
|
|
|
[[servers.group_mappings]]
|
|
|
|
|
group_dn = "{{ ldap_params.authorization.editor_group }}"
|
|
|
|
|
org_role = "Editor"
|
|
|
|
|
{%- endif %}
|
|
|
|
|
|
|
|
|
|
{%- if ldap_params.authorization.viewer_group is defined %}
|
|
|
|
|
[[servers.group_mappings]]
|
|
|
|
|
# If you want to match all (or no ldap groups) then you can use wildcard
|
|
|
|
|
group_dn = "{{ ldap_params.authorization.viewer_group }}"
|
|
|
|
|
org_role = "Viewer"
|
|
|
|
|
{%- endif %}
|
|
|
|
|
|
|
|
|
|
{%- else %}
|
|
|
|
|
{# Every user that can be authenticated is an admin #}
|
|
|
|
|
[[servers.group_mappings]]
|
|
|
|
|
group_dn = "*"
|
|
|
|
|
org_role = "Admin"
|
|
|
|
|
{%- endif %}
|
