grafana集成LDAP

一、综述

本文包括docker容器安装grafana，以及ldap的配置。

二、grafana的安装

docker pull grafana/grafana

docker run \
--user root \
-d \
-p 3000:3000 \
--name=grafana \
-v /home/grafana:/var/lib/grafana \
grafana/grafana

三、集成ldap

1、开启LDAP认证
Grafana主配置文件grafana.ini中修改如下

docker ps

docker exec -it 725aae2a7080 /bin/bash

vi /etc/grafana/grafana.ini

#################################### Auth LDAP ##########################                                                 
[auth.ldap]                                                                                                               
enabled = true                                                                                                           
config_file = /etc/grafana/ldap.toml                                                                                      
# allow_sign_up = true                                                                                                    
                                                                                                                          
# LDAP background sync (Enterprise only)                                                                                  
# At 1 am every day                                                                                                       
# sync_cron = "0 0 1 * * *"                                                                                               
# active_sync_enabled = true

2、LDAP配置

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "192.168.5.66"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "cn=admin,dc=xxx,dc=com"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'xxx'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(cn=%s)"

# An array of base dns to search through
search_base_dns = ["dc=xxx,dc=com"]

## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# group_search_filter_user_attribute = "uid"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email =  "mail"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=grafana-admin,ou=grafana,ou=group,dc=xxx,dc=com"
org_role = "Admin"
# To make user an instance admin  (Grafana Admin) uncomment line below
grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "cn=grafana-users,ou=grafana,ou=group,dc=xxx,dc=com"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"