{%- from "grafana/map.jinja" import server with context %}
{%- set ldap_params = server.auth.ldap %}
# Set to true to log user information returned from LDAP
verbose_logging = false

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "{{ ldap_params.host }}"
# Default port is 389 or 636 if use_ssl = true
port = {{ ldap_params.port }}
# Set to true if ldap server supports TLS
use_ssl = {{ ldap_params.use_ssl|lower }}

# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = /path/to/certificate.crt

# Search user bind dn
bind_dn = "{{ ldap_params.bind_dn }}"
# Search user bind password
bind_password = "{{ ldap_params.bind_password }}"

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "{{ ldap_params.user_search_filter }}"

# An array of base dns to search through
search_base_dns = {{ ldap_params.user_search_base_dns }}

# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
# This is done by enabling group_search_filter below. You must also set member_of= "cn"
# in [servers.attributes] below.

# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
# below in such a way that the user's recursive group membership is considered.
#
# Nested Groups + Active Directory (AD) Example:
#
#   AD groups store the Distinguished Names (DNs) of members, so your filter must
#   recursively search your groups for the authenticating user's DN. For example:
#
#     group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
#     group_search_filter_user_attribute = "distinguishedName"
#     group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
#
#     [servers.attributes]
#     ...
#     member_of = "distinguishedName"

## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
## Defaults to the value of username in [server.attributes]
## Valid options are any of your values in [servers.attributes]
## If you are using nested groups you probably want to set this and member_of in
## [servers.attributes] to "distinguishedName"
# group_search_filter_user_attribute = "distinguishedName"
## An array of the base DNs to search through for groups. Typically uses ou=groups
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# Specify names of the ldap attributes your ldap uses

{%- if ldap_params.group_search_filter is defined %}
group_search_filter = "{{ ldap_params.group_search_filter }}"
{%- endif %}
{%- if ldap_params.group_search_base_dns is defined %}
group_search_base_dns = {{ ldap_params.group_search_base_dns }}
{%- endif %}

[servers.attributes]
name      = "{{ ldap_params.servers.attributes.name }}"
surname   = "{{ ldap_params.servers.attributes.surname }}"
username  = "{{ ldap_params.servers.attributes.username }}"
member_of = "{{ ldap_params.servers.attributes.member_of }}"
email     = "{{ ldap_params.servers.attributes.email }}"

{%- if ldap_params.get('authorization', {}).get('enabled', False) %}

# Map ldap groups to grafana org roles
{%- if ldap_params.authorization.admin_group is defined %}
[[servers.group_mappings]]
group_dn = "{{ ldap_params.authorization.admin_group }}"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1
{%- endif %}

{%- if ldap_params.authorization.editor_group is defined %}
[[servers.group_mappings]]
group_dn = "{{ ldap_params.authorization.editor_group }}"
org_role = "Editor"
{%- endif %}

{%- if ldap_params.authorization.viewer_group is defined %}
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "{{ ldap_params.authorization.viewer_group }}"
org_role = "Viewer"
{%- endif %}

{%- else %}
{# Every user that can be authenticated is an admin #}
[[servers.group_mappings]]
group_dn = "*"
org_role = "Admin"
{%- endif %}