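# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "127.0.0.1"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
# With use_ssl = false and start_tls = false the bind_dn/bind_password below and each
# logging-in user's password are sent to the LDAP server in cleartext; enable one of
# the two for any server that is not reached over a trusted local link.
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
# Skipping validation drops the server-identity check that TLS provides, so the bind
# credentials could be handed to an impersonating server; for a private CA prefer
# root_ca_cert below instead of setting this to true.
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"

# Search user bind dn
# This account is only used for the searches configured below, so a read-only
# directory account scoped to those subtrees is sufficient.
bind_dn = "cn=admin,dc=grafana,dc=org"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
# The bind password is stored here in clear text: replace the sample value and keep
# this file readable only by the account Grafana runs as.
bind_password = 'grafana'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(cn=%s)"

# An array of base dns to search through
search_base_dns = ["dc=grafana,dc=org"]

# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
# This is done by enabling group_search_filter below. You must also set member_of = "cn"
# in [servers.attributes] below.

# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
# below in such a way that the user's recursive group membership is considered.
#
# Nested Groups + Active Directory (AD) Example:
#
# AD groups store the Distinguished Names (DNs) of members, so your filter must
# recursively search your groups for the authenticating user's DN. For example:
#
# group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
# group_search_filter_user_attribute = "distinguishedName"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
#
# [servers.attributes]
# ...
# member_of = "distinguishedName"

## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
## Defaults to the value of username in [servers.attributes]
## Valid options are any of your values in [servers.attributes]
## If you are using nested groups you probably want to set this and member_of in
## [servers.attributes] to "distinguishedName"
# group_search_filter_user_attribute = "distinguishedName"
## An array of the base DNs to search through for groups. Typically uses ou=groups
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"

# Map ldap groups to grafana org roles
# Mappings are listed most-privileged first; the wildcard entry at the end is the
# catch-all for accounts that match none of the named groups.
[[servers.group_mappings]]
group_dn = "cn=admins,dc=grafana,dc=org"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "cn=users,dc=grafana,dc=org"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
# This entry matches every account that passes search_filter, so it hands out the
# Viewer role to any directory user; remove it if users outside the groups mapped
# above should not receive a Grafana role.
group_dn = "*"
org_role = "Viewer"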