Grafana LDAP authentication with FreeIPA

Grafana offers the possibility to authenticate users against LDAP – make it quite easy to integrate the tool into existing directory services. I’m using FreeIPA as directory and authentication service in my lab and had to adjust some settings to authenticate Grafana access.

The first step is to alter the main configuration file of Grafana (/etc/grafana/grafana.ini) to enable the LDAP module and the appropriate configuration:

[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml

That’s a good time to disable registering new users using the web form:

[users]
allow_sign_up = false
allow_org_create = false

In the FreeIPA backend, I created two groups for Grafana:

  • grafana-admins
  • grafana-editors

We will talk Grafana roles in a second. I altered the Grafana LDAPconfiguration file (/etc/grafana/ldap.toml) like this:

[[servers]]
host = "dict.test.loc"
port = 636
use_ssl = true
ssl_skip_verify = true
root_ca_cert = /etc/ipa/ca.crt

# Search user bind dn
bind_dn = "uid=svc-bigbrother,cn=users,cn=accounts,dc=test,dc=loc"
bind_password = '...'
...
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(uid=%s)"

# An array of base dns to search through
search_base_dns = ["cn=users,cn=accounts,dc=test,dc=loc"]
...
## An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_base_dns = ["cn=groups,cn=accounts,dc=test,dc=loc"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email =  "mail"
Grafana

Grafana

If Grafana is executed on a system that is already registered to FreeIPA, the appropriate SSL certificate is already stored at /etc/ipa/ca.cert. If this is not the case for your system, you will need to copy the certificate to this location. If you don’t want to use any encryption, alter the variables port and use_ssl.

The attributes username and email need to be changed in order to match the FreeIPA schema.

The next step is to map the particular Grafana roles to appropriate LDAP groups. Grafana supports three different roles:

  • Admin – full permissions, also data source administration
  • Editor – using, creating and altering dashboards
  • Viewer – using dashboards

I decided to map the Admin and Editor roles to dedicated groups and enable using dashboards to every authenticated user. In the configuration file, this implementation looks like this:

# Administrators
[[servers.group_mappings]]
group_dn = "cn=grafana-admins,cn=groups,cn=accounts,dc=test,dc=loc"
org_role = "Admin"

# Editors
[[servers.group_mappings]]
group_dn = "cn=grafana-editors,cn=groups,cn=accounts,dc=test,dc=loc"
org_role = "Editor"

# Read-only for any authenticated user
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"

Sharing is caring

Leave a Reply