# To troubleshoot and get more log info, enable LDAP debug logging in grafana.ini:
# [log]
# filters = ldap:debug

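[[servers]]
# LDAP server host (specify multiple hosts space separated)
host = "127.0.0.1"
# Default port is 389, or 636 if use_ssl = true
port = 389
# Set to true to encrypt the connection with TLS (LDAPS, or STARTTLS when start_tls = true).
# While this is false, bind_password and every user's login password cross the network in
# clear text; that is only acceptable for a loopback host such as the 127.0.0.1 above.
use_ssl = false
# Set to true to connect with STARTTLS (open the connection unencrypted, then upgrade it to TLS).
# NOTE(review): Grafana appears to consult this only when use_ssl = true - confirm for your version.
start_tls = false
# Set to true to skip TLS certificate validation. Leave false outside of testing: without
# validation the client cannot tell the real directory server from an impostor.
ssl_skip_verify = false
# Path to your root CA certificate; leave unset to use the system defaults
# root_ca_cert = "/path/to/certificate.crt"

# Search user bind DN. This account only has to search for users and groups, so a dedicated
# read-only account is preferable to a directory administrator like the sample DN below.
bind_dn = "cn=admin,dc=grafana,dc=org"
# Search user bind password.
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
# The value below is a sample. The real password sits in this file in clear text, so keep the
# file readable only by the account Grafana runs as, and keep it out of version control.
bind_password = 'grafana'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)".
# %s is replaced with the login name the user entered.
search_filter = "(cn=%s)"

# An array of base DNs to search through. Every entry under these bases that matches
# search_filter can log in, so scope them to the subtree that holds real user accounts.
search_base_dns = ["dc=grafana,dc=org"]

# In POSIX LDAP schemas, without the memberOf attribute, a secondary query must be made for groups.
# This is done by enabling group_search_filter below. You must also set member_of = "cn"
# in [servers.attributes] below.

# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
# below in such a way that the user's recursive group membership is considered.
#
# Nested Groups + Active Directory (AD) Example:
#
# AD groups store the Distinguished Names (DNs) of members, so your filter must
# recursively search your groups for the authenticating user's DN. For example:
#
# group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
# group_search_filter_user_attribute = "distinguishedName"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
#
# [servers.attributes]
# ...
# member_of = "distinguishedName"

## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
## Defaults to the value of username in [servers.attributes]
## Valid options are any of your values in [servers.attributes]
## If you are using nested groups you probably want to set this and member_of in
## [servers.attributes] to "distinguishedName"
# group_search_filter_user_attribute = "distinguishedName"
## An array of the base DNs to search through for groups. Typically uses ou=groups
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
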
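# Specify the names of the LDAP attributes your directory uses.
# member_of is the attribute whose values are compared with group_dn in
# [[servers.group_mappings]], so it decides which Grafana role a user receives;
# point it at an attribute that ordinary users cannot edit on their own entry.
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
# NOTE(review): many directory schemas expose the address as "mail" - confirm against your server.
email = "email"
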
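# Map LDAP groups to Grafana org roles.
# Mappings are evaluated top to bottom and the first one a user matches is used,
# so list the most privileged groups first and any wildcard last.
[[servers.group_mappings]]
group_dn = "cn=admins,dc=grafana,dc=org"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "cn=users,dc=grafana,dc=org"
org_role = "Editor"

[[servers.group_mappings]]
# The wildcard matches every user, including users who are in no LDAP group at all.
# With this entry present, any account that passes search_filter and authenticates
# gets at least Viewer access; remove it if access should be limited to the groups above.
group_dn = "*"
org_role = "Viewer"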