Grafana LDAP Authentication

In my adventure to add centralized authentication to a portion of my infrastructure, I decided to add Grafana to my list of apps using LDAP. I have had a Grafana/Influx/Telegraf stack up in my infrastructure for a long time and have no intention of removing it, so it's a perfect candidate for this treatment.

While Grafana includes some enterprise features for purchase, we will just be using the free features available. These can be used to set up basic authentication for login, and roles based on LDAP groups. This can provide admin, viewer, and editor capabilities. For my instance, I'll be focusing on a basic admin user, with all other LDAP logins from my server going to the viewer role.

  • Admin
    • Administrator user
  • Editor
    • edit and view dashboards
  • Viewer
    • view dashboards

Setup

As with all of my centralized authentication pieces, before doing anything to Grafana, we need an authentication account on the LDAP server. Adding a UCS Authentication Account is straightforward to do.

Grafana uses a configuration file to set up its LDAP configuration. This is enabled using the following environment variables in Docker. These will turn on LDAP authentication, allow LDAP users to be added to Grafana automatically, and configure the location of the ldap.toml file in the container.

  • GF_AUTH_LDAP_ENABLED = true
  • GF_AUTH_LDAP_CONFIG_FILE = /etc/grafana/ldap.toml
  • GF_AUTH_LDAP_ALLOW_SIGN_UP = true

The ldap configuration file can be mounted to the Grafana container using a docker volume.

  • /mnt/data/grafana/ldap.toml:/etc/grafana/ldap.toml

With the volume and environment variables set, we're ready to create the ldap.toml file.

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "ucs.rapternet.us"
# Default port is 389 or 636 if use_ssl = true
port = 7636
# Set to true if ldap server supports TLS
use_ssl = true
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "uid=auth-grafana,cn=users,dc=rapternet,dc=us"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'myCoolPassword'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
search_filter = "(uid=%s)"

# An array of base dns to search through
search_base_dns = ["dc=rapternet,dc=us"]

# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_filter_user_attribute = "distinguishedName"
group_search_base_dns = ["dc=rapternet,dc=us"]
#group_search_filter_user_attribute = "uid"
#group_search_filter = "(uid={{%s}})"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mailPrimaryAddress"

[[servers.group_mappings]]
group_dn = "cn=Administrators,cn=Builtin,dc=rapternet,dc=us"
org_role = "Admin"
grafana_admin = true

Group Setup

Getting the groups to work required me to correct my UCS instance's problem with the memberOf attribute. Once this was done, the configuration for Grafana is pretty straightforward to use the builtin Administrators group.

[[servers.group_mappings]]
group_dn = "cn=Administrators,cn=Builtin,dc=rapternet,dc=us"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"

This set of configurations provides 2 different roles with the groups associated to them. I have one role for administrators, using the administrators group from Univention. The second role is for a viewer of the Grafana dashboard, which is set up as any user on my LDAP server. I didn't add a group specific to Grafana viewership yet, though if I did, the group name would go in the group_dn property for it.
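To show how the two mappings above decide a user's role, here is an added Python example (not from the post and not Grafana's own code). It mirrors the mappings as data and resolves a role the way Grafana's documented evaluation does: mappings are checked in order, the first match wins, and group_dn = "*" matches everyone; it also flags the ssl_skip_verify setting from the server block. The memberOf values, the ordering assumption and the helper names are assumptions of this example.

```python
# Added example, not from the original post. Mirrors the post's
# [[servers.group_mappings]] entries and [[servers]] TLS settings as
# Python data and resolves the role Grafana would assign.
# Assumes Grafana's first-match evaluation of mappings in file order.

# Constructed from the post's ldap.toml, in the same order.
GROUP_MAPPINGS = [
    {"group_dn": "cn=Administrators,cn=Builtin,dc=rapternet,dc=us",
     "org_role": "Admin", "grafana_admin": True},
    {"group_dn": "*", "org_role": "Viewer"},
]

# Constructed [[servers]] fragment with the TLS settings the post uses.
SERVER = {"host": "ucs.rapternet.us", "port": 7636, "use_ssl": True,
          "start_tls": False, "ssl_skip_verify": True}


def resolve_role(member_of, mappings=GROUP_MAPPINGS):
    """Return (org_role, grafana_admin) for a user's memberOf values.

    DNs are compared case-insensitively (LDAP DNs are not case-sensitive).
    Returns None when no mapping matches, i.e. the user gets no role.
    """
    groups = {dn.lower() for dn in member_of}
    for m in mappings:
        dn = m["group_dn"]
        if dn == "*" or dn.lower() in groups:
            return m["org_role"], bool(m.get("grafana_admin", False))
    return None


def tls_findings(server=SERVER):
    """List TLS weaknesses in a [[servers]] block (hypothetical helper)."""
    findings = []
    if not (server.get("use_ssl") or server.get("start_tls")):
        findings.append("bind credentials sent over cleartext LDAP")
    if server.get("ssl_skip_verify"):
        findings.append("ssl_skip_verify=true: server certificate not validated")
    return findings


if __name__ == "__main__":
    # Constructed memberOf values for an admin and an ordinary UCS user.
    admin = ["cn=Administrators,cn=Builtin,dc=rapternet,dc=us"]
    user = ["cn=Domain Users,cn=groups,dc=rapternet,dc=us"]
    print(resolve_role(admin))   # ('Admin', True)
    print(resolve_role(user))    # ('Viewer', False)
    # Swapping the mapping order puts the wildcard first: admin is demoted.
    print(resolve_role(admin, list(reversed(GROUP_MAPPINGS))))  # ('Viewer', False)
    print(tls_findings())
```

The reversed-order call is the point to keep in mind when adding a dedicated grafana_viewer group later: the wildcard mapping must stay last.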

Conclusion

Setting up Grafana was easy to do; the more that I work on the LDAP systems, the easier it gets. This was the first application I tried to set up, and the only reason I had issues with it earlier was due to the problems I had with the memberOf attribute in UCS.

My configuration has my normal LDAP user able to view my Grafana data, and my administrator user able to configure everything. A potential upgrade to this would be to have a grafana_admin and grafana_viewer group to control access specific to Grafana.

Resources