Home Explore Help
Register Sign In
oscarleiva
/
energylink
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

ldap: docker block readme update

Daniel Lee 7 years ago
parent
09c3569caa
commit
0b210a6f5d
2 changed files with 87 additions and 5 deletions
Unified View Show Diff Stats
  1. 85 0
      docker/blocks/openldap/ldap_dev.toml
  2. 2 5
      docker/blocks/openldap/notes.md

+ 85 - 0
docker/blocks/openldap/ldap_dev.toml
View File 

@@ -0,0 +1,85 @@
 
+# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
 
+# [log]
 
+# filters = ldap:debug
 
+
 
+[[servers]]
 
+# Ldap server host (specify multiple hosts space separated)
 
+host = "127.0.0.1"
 
+# Default port is 389 or 636 if use_ssl = true
 
+port = 389
 
+# Set to true if ldap server supports TLS
 
+use_ssl = false
 
+# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
 
+start_tls = false
 
+# set to true if you want to skip ssl cert validation
 
+ssl_skip_verify = false
 
+# set to the path to your root CA certificate or leave unset to use system defaults
 
+# root_ca_cert = "/path/to/certificate.crt"
 
+
 
+# Search user bind dn
 
+bind_dn = "cn=admin,dc=grafana,dc=org"
 
+# Search user bind password
 
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
 
+bind_password = 'grafana'
 
+
 
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
 
+search_filter = "(cn=%s)"
 
+
 
+# An array of base dns to search through
 
+search_base_dns = ["dc=grafana,dc=org"]
 
+
 
+# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
 
+# This is done by enabling group_search_filter below. You must also set member_of= "cn"
 
+# in [servers.attributes] below.
 
+
 
+# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
 
+# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
 
+# below in such a way that the user's recursive group membership is considered.
 
+#
 
+# Nested Groups + Active Directory (AD) Example:
 
+#
 
+#   AD groups store the Distinguished Names (DNs) of members, so your filter must
 
+#   recursively search your groups for the authenticating user's DN. For example:
 
+#
 
+#     group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
 
+#     group_search_filter_user_attribute = "distinguishedName"
 
+#     group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
 
+#
 
+#     [servers.attributes]
 
+#     ...
 
+#     member_of = "distinguishedName"
 
+
 
+## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
 
+# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
 
+## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
 
+## Defaults to the value of username in [server.attributes]
 
+## Valid options are any of your values in [servers.attributes]
 
+## If you are using nested groups you probably want to set this and member_of in
 
+## [servers.attributes] to "distinguishedName"
 
+# group_search_filter_user_attribute = "distinguishedName"
 
+## An array of the base DNs to search through for groups. Typically uses ou=groups
 
+# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
 
+
 
+# Specify names of the ldap attributes your ldap uses
 
+[servers.attributes]
 
+name = "givenName"
 
+surname = "sn"
 
+username = "cn"
 
+member_of = "memberOf"
 
+email =  "email"
 
+
 
+# Map ldap groups to grafana org roles
 
+[[servers.group_mappings]]
 
+group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
 
+org_role = "Admin"
 
+# The Grafana organization database id, optional, if left out the default org (id 1) will be used
 
+# org_id = 1
 
+
 
+[[servers.group_mappings]]
 
+group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
 
+org_role = "Editor"
 
+
 
+[[servers.group_mappings]]
 
+# If you want to match all (or no ldap groups) then you can use wildcard
 
+group_dn = "*"
 
+org_role = "Viewer"

+ 2 - 5
docker/blocks/openldap/notes.md
View File 

@@ -14,12 +14,12 @@ After adding ldif files to `prepopulate`:
 
 
 
 ## Enabling LDAP in Grafana
 
 ## Enabling LDAP in Grafana
 
 
 
-The default `ldap.toml` file in `conf` has host set to `127.0.0.1` and port to set to 389 so all you need to do is enable it in the .ini file to get Grafana to use this block:
 
+Copy the ldap_dev.toml file in this folder into your `conf` folder (it is gitignored already). To enable it in the .ini file to get Grafana to use this block:
 
 
 
 ```ini
 
 ```ini
 
 [auth.ldap]
 
 [auth.ldap]
 
 enabled = true
 
 enabled = true
 
-config_file = conf/ldap.toml
 
+config_file = conf/ldap_dev.toml
 
 ; allow_sign_up = true
 
 ; allow_sign_up = true
 
 ```
 
 ```
 
 
 
@@ -43,6 +43,3 @@ editors
 
 
 
 no groups
 
 no groups
 
   ldap-viewer
 
   ldap-viewer
 
-
 
-
 
-