Enable LDAP

To use LDAP integration you first need to enable LDAP in the config file /etc/grafana/grafana.ini (see the Notes section below) and specify the path to the LDAP-specific configuration file (default: /etc/grafana/ldap.toml).

[auth.ldap]
# Set to `true` to enable LDAP integration (default: `false`)
enabled = true

# Path to the LDAP specific configuration file (default: `/etc/grafana/ldap.toml`)
config_file = /etc/grafana/ldap.toml

# Allow sign up should almost always be true (default) to allow new Grafana users to be created (if ldap authentication is ok). If set to
# false only pre-existing Grafana users will be able to login (if ldap authentication is ok).
allow_sign_up = true

During debugging you may wish to add the following lines to grafana.ini (remove them again afterwards, as the debug output includes the DNs and group memberships of every user who logs in):

[log]
filters = ldap:debug

For mapping LDAP groups to Grafana org roles, see the "Map ldap groups to grafana org roles" section below.

Edit the /etc/grafana/ldap.toml configuration file (it contains the bind password, so keep it owned by the grafana user and readable only by that user):

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "1.1.1.1"
# Default port is 389 or 636 if use_ssl = true
port = 636
# Set to true if ldap server supports TLS
use_ssl = true
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
# WARNING: true disables verification of the LDAP server's certificate, so anyone who can
# intercept the connection can present any certificate and capture bind_password and every
# user's login password. Use true only while testing; for production set it to false and
# point root_ca_cert at the CA that issued the LDAP server's certificate.
ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "cn=admin,dc=grafana,dc=org"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'removed'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
#search_filter = "(cn=%s)"
search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["dc=grafana,dc=org"]


# Specify names of the ldap attributes your ldap uses

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"
# Map ldap groups to grafana org roles

[[servers.group_mappings]]
group_dn = "CN=Domain Admins,CN=Users,DC=domain,DC=nz"
org_role = "Admin"
grafana_admin = true
org_id = 1

[[servers.group_mappings]]
group_dn = "CN=Dev Admins,CN=Users,DC=domain,DC=nz"
org_role = "Editor"

# If you want to match all (or no) ldap groups then you can use the wildcard.
# Mappings are evaluated in order and the first match per org wins, so keep the wildcard last.
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
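Before pointing Grafana at the directory it is worth checking ldap.toml for the settings that weaken the bind. The script below is an added example written for this page, not part of Grafana: it parses the file with the standard tomllib module and flags ssl_skip_verify = true, clear-text binds, an LDAPS port mismatch, an empty bind password, a search_filter without the %s placeholder, and a "*" wildcard mapping that hands out Admin or grafana_admin to everyone. SAMPLE_LDAP_TOML is constructed from the values above with the host and password replaced; HARDENED_LDAP_TOML is the same file with the weak settings corrected.

```python
"""Lint a Grafana ldap.toml for settings that weaken the LDAP bind.

Added example for this page, not Grafana code. SAMPLE_LDAP_TOML mirrors
the page's ldap.toml with a placeholder host and password.
"""
try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

SAMPLE_LDAP_TOML = """
[[servers]]
host = "ldap.example.test"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = true
bind_dn = "cn=admin,dc=grafana,dc=org"
bind_password = "removed"
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["dc=grafana,dc=org"]

[servers.attributes]
username = "sAMAccountName"
member_of = "memberOf"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Admin"
grafana_admin = true
org_id = 1
"""

# Same file with certificate verification on and the wildcard demoted to Viewer
# (the CA path is a placeholder).
HARDENED_LDAP_TOML = SAMPLE_LDAP_TOML.replace(
    'ssl_skip_verify = true',
    'ssl_skip_verify = false\nroot_ca_cert = "/etc/grafana/ldap-ca.crt"',
).replace('org_role = "Admin"\ngrafana_admin = true', 'org_role = "Viewer"')

# Roles used on this page; extend if your Grafana version accepts more.
VALID_ROLES = {"Admin", "Editor", "Viewer"}


def lint_server(server):
    """Return a list of findings for one [[servers]] table."""
    findings = []
    host = server.get("host", "?")
    use_ssl = server.get("use_ssl", False)
    start_tls = server.get("start_tls", False)
    port = server.get("port", 636 if use_ssl else 389)

    if not use_ssl:
        findings.append(f"{host}: use_ssl = false, so bind_password and every "
                        "user's login password cross the network in clear text")
    elif server.get("ssl_skip_verify", False):
        findings.append(f"{host}: ssl_skip_verify = true, so anyone who intercepts "
                        f"port {port} can present any certificate and capture the "
                        "bind password; set it to false and configure root_ca_cert")
    if use_ssl and not start_tls and port == 389:
        findings.append(f"{host}: LDAPS (use_ssl without start_tls) on port 389 "
                        "is usually a mistake; use 636 or enable start_tls")
    if server.get("bind_dn") and not server.get("bind_password"):
        findings.append(f"{host}: bind_dn is set but bind_password is empty "
                        "(an unauthenticated bind)")
    if "%s" not in server.get("search_filter", ""):
        findings.append(f"{host}: search_filter has no %s placeholder, so the "
                        "same entry is found whatever username is typed")

    for mapping in server.get("group_mappings", []):
        dn, role = mapping.get("group_dn", ""), mapping.get("org_role")
        if role not in VALID_ROLES:
            findings.append(f"group_mapping {dn!r}: org_role {role!r} is not one "
                            f"of {sorted(VALID_ROLES)}")
        if dn == "*" and (role == "Admin" or mapping.get("grafana_admin")):
            findings.append(f"group_mapping '*' grants {role} (grafana_admin="
                            f"{mapping.get('grafana_admin', False)}) to every LDAP "
                            "user who can authenticate")
    return findings


def lint_ldap_toml(text):
    """Parse ldap.toml text and return the findings for all of its servers."""
    return [finding
            for server in tomllib.loads(text).get("servers", [])
            for finding in lint_server(server)]


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_LDAP_TOML), ("hardened", HARDENED_LDAP_TOML)):
        findings = lint_ldap_toml(text)
        print(f"== {label}: {len(findings)} finding(s)")
        for finding in findings:
            print(" -", finding)
```

To run it against a real file, replace the sample with `open("/etc/grafana/ldap.toml").read()`; the page's own example produces two findings (the skipped certificate check and the wildcard mapping), and the hardened variant produces none.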

Test users by logging into Grafana as admin and navigating to Server Admin > LDAP.

Enter a valid username and click Run.

Debugging info can be found in /var/log/grafana/grafana.log.

Map ldap groups to grafana org roles

From Server Admin > LDAP > Test user mapping you will see which groups the user belongs to. These groups are matched against the group_mappings in the ldap.toml file to give the user a Grafana org role and, optionally, Grafana admin. Note that group_mappings can take a wildcard: Grafana documents the bare "*" (match everyone, or users in no group). A partial pattern such as the one below is not documented as a glob, so confirm with Test user mapping that it actually matches before relying on it.

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
#group_dn = "CN=Domain Admins,CN=Users,DC=domain,DC=nz"
group_dn = "CN=* Admins,CN=Users,DC=domain,DC=nz"
org_role = "Admin"
grafana_admin = true
org_id = 1
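What the Test user mapping page shows is the result of walking the group_mappings in file order. The script below is an added example written for this page, not Grafana code; it models the documented matching rules (group_dn "*" matches every user, any other group_dn must equal one of the user's memberOf values, compared case-insensitively, and only the first matching mapping per org_id is used) so you can predict a user's role from the memberOf values before they log in. It goes beyond the page's single-org example by adding an org_id 2 mapping, and the DNs and memberOf lists are constructed placeholders modelled on the example above.

```python
"""Simulate how Grafana turns [[servers.group_mappings]] into org roles.

Added example for this page, not Grafana code. Matching rules modelled:
"*" matches everyone, other DNs must match a memberOf value exactly
(case-insensitive), first match per org_id wins, so mapping order matters.
"""

# Mappings in ldap.toml order. The org_id 2 entry goes beyond the page's
# single-org example to show that roles are resolved per organisation.
GROUP_MAPPINGS = [
    {"group_dn": "CN=Domain Admins,CN=Users,DC=domain,DC=nz",
     "org_role": "Admin", "grafana_admin": True, "org_id": 1},
    {"group_dn": "CN=Dev Admins,CN=Users,DC=domain,DC=nz",
     "org_role": "Editor", "org_id": 1},
    {"group_dn": "CN=Dev Admins,CN=Users,DC=domain,DC=nz",
     "org_role": "Admin", "org_id": 2},
    {"group_dn": "*", "org_role": "Viewer", "org_id": 1},
]


def is_member_of(member_of, group_dn):
    """True if group_dn is the wildcard or exactly matches a memberOf value."""
    if group_dn == "*":
        return True
    wanted = group_dn.casefold()
    return any(dn.casefold() == wanted for dn in member_of)


def resolve_roles(member_of, mappings=GROUP_MAPPINGS):
    """Return ({org_id: role}, grafana_admin) for a user's memberOf values."""
    org_roles = {}
    grafana_admin = False
    for mapping in mappings:
        org_id = mapping.get("org_id", 1)
        if org_id in org_roles:
            continue  # first match per org wins; later mappings are ignored
        if is_member_of(member_of, mapping["group_dn"]):
            org_roles[org_id] = mapping["org_role"]
            if mapping.get("grafana_admin", False):
                grafana_admin = True
    return org_roles, grafana_admin


if __name__ == "__main__":
    # Constructed memberOf values, as the Test user mapping page would list them.
    users = {
        "domain admin": ["CN=Domain Admins,CN=Users,DC=domain,DC=nz"],
        "dev admin (lower-case DN)": ["cn=dev admins,cn=users,dc=domain,dc=nz"],
        "both groups": ["CN=Dev Admins,CN=Users,DC=domain,DC=nz",
                        "CN=Domain Admins,CN=Users,DC=domain,DC=nz"],
        "no groups": [],
    }
    for name, groups in users.items():
        print(f"{name:28} -> {resolve_roles(groups)}")

    # Putting the wildcard first silently demotes everyone in org 1 to Viewer.
    wildcard_first = [GROUP_MAPPINGS[-1]] + GROUP_MAPPINGS[:-1]
    print("wildcard first, domain admin ->",
          resolve_roles(users["domain admin"], wildcard_first))

    # Under exact matching a partial pattern does not match a real group DN.
    print("partial pattern 'CN=* Admins,...' matches Domain Admins?",
          is_member_of(users["domain admin"],
                       "CN=* Admins,CN=Users,DC=domain,DC=nz"))
```

The "wildcard first" case is the mistake to watch for when re-ordering mappings: because the first match per org wins, a "*" entry placed above the group entries makes every user a Viewer in that org, and the grafana_admin flag on the later entry is never reached.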

Active Directory to LDAP attribute mapping info can be found here: http://www.kouti.com/tables/userattributes.htm

Notes: 

List config files: 
# rpm -qc grafana-enterprise
/etc/init.d/grafana-server
/etc/sysconfig/grafana-server
/usr/lib/systemd/system/grafana-server.service
# cat /etc/sysconfig/grafana-server
GRAFANA_USER=grafana
GRAFANA_GROUP=grafana
GRAFANA_HOME=/usr/share/grafana
LOG_DIR=/var/log/grafana
DATA_DIR=/var/lib/grafana
MAX_OPEN_FILES=10000
CONF_DIR=/etc/grafana
CONF_FILE=/etc/grafana/grafana.ini
RESTART_ON_UPGRADE=true
PLUGINS_DIR=/var/lib/grafana/plugins
PROVISIONING_CFG_DIR=/etc/grafana/provisioning
PID_FILE_DIR=/var/run/grafana