Grafana can authenticate users against LDAP, which makes it quite easy to integrate the tool into existing directory services. I use FreeIPA as the directory and authentication service in my lab and had to adjust some settings to authenticate Grafana access.
The first step is to alter the main configuration file of Grafana (/etc/grafana/grafana.ini) to enable the LDAP module and the appropriate configuration:
```ini
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
```
That’s a good time to disable registering new users using the web form:
```ini
[users]
allow_sign_up = false
allow_org_create = false
```
In the FreeIPA backend, I created two groups for Grafana:
We will talk about Grafana roles in a second. I altered the Grafana LDAP configuration file (/etc/grafana/ldap.toml) like this:
```toml
[[servers]]
host = "dict.test.loc"
port = 636
use_ssl = true
# With ssl_skip_verify = true the server certificate is NOT checked against root_ca_cert;
# set it to false once the CA certificate below is in place so the LDAPS connection is verified
ssl_skip_verify = true
root_ca_cert = "/etc/ipa/ca.crt"

# Search user bind dn
bind_dn = "uid=svc-bigbrother,cn=users,cn=accounts,dc=test,dc=loc"
bind_password = '...'
...
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(uid=%s)"
# An array of base dns to search through
search_base_dns = ["cn=users,cn=accounts,dc=test,dc=loc"]
...
## An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_base_dns = ["cn=groups,cn=accounts,dc=test,dc=loc"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"
```
If Grafana runs on a system that is already enrolled in FreeIPA, the IPA CA certificate is already stored at /etc/ipa/ca.crt. If this is not the case for your system, copy the certificate to this location. If you don’t want to use any encryption, change the port and use_ssl settings accordingly.
The attributes username and email need to be changed to match the FreeIPA schema (uid and mail).
The next step is to map the particular Grafana roles to appropriate LDAP groups. Grafana supports three different roles:
- Admin – full permissions, also data source administration
- Editor – using, creating and altering dashboards
- Viewer – using dashboards
I decided to map the Admin and Editor roles to dedicated groups and to grant dashboard viewing to every authenticated user. In the configuration file, this looks like this:
```toml
# Administrators
[[servers.group_mappings]]
group_dn = "cn=grafana-admins,cn=groups,cn=accounts,dc=test,dc=loc"
org_role = "Admin"

# Editors
[[servers.group_mappings]]
group_dn = "cn=grafana-editors,cn=groups,cn=accounts,dc=test,dc=loc"
org_role = "Editor"

# Read-only for any authenticated user
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
```
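As an added example (not from the original post and not Grafana code), the following Python snippet models how Grafana walks the group_mappings above: entries are evaluated top to bottom, the first match wins, and "*" matches every authenticated user, so the wildcard mapping has to stay last. The memberOf values are constructed to mimic what FreeIPA returns.

```python
"""Model Grafana's [[servers.group_mappings]] evaluation (constructed example)."""
from typing import Iterable, List, Optional

# The three mappings from the post's ldap.toml, as Python data (constructed).
GROUP_MAPPINGS = [
    {"group_dn": "cn=grafana-admins,cn=groups,cn=accounts,dc=test,dc=loc", "org_role": "Admin"},
    {"group_dn": "cn=grafana-editors,cn=groups,cn=accounts,dc=test,dc=loc", "org_role": "Editor"},
    {"group_dn": "*", "org_role": "Viewer"},
]


def resolve_role(member_of: Iterable[str], mappings) -> Optional[str]:
    """Return the org_role of the first mapping the user's memberOf values satisfy.

    Mappings are checked in file order; "*" matches any authenticated user.
    DNs are compared case-insensitively, as LDAP DN matching is.
    Returns None when no mapping matches, i.e. the user gets no role.
    """
    groups = {dn.lower() for dn in member_of}
    for m in mappings:
        dn = m["group_dn"]
        if dn == "*" or dn.lower() in groups:
            return m["org_role"]
    return None


def lint_mappings(mappings) -> List[str]:
    """Flag a '*' entry that is not last: it shadows every mapping after it,
    so all users would silently end up with the wildcard's role."""
    problems = []
    for i, m in enumerate(mappings):
        if m["group_dn"] == "*" and i != len(mappings) - 1:
            problems.append(f"wildcard at position {i} shadows {len(mappings) - 1 - i} later mapping(s)")
    return problems


# Constructed memberOf attribute values for three test users.
ADMIN_USER = ["cn=grafana-admins,cn=groups,cn=accounts,dc=test,dc=loc",
              "cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc"]
EDITOR_USER = ["CN=grafana-editors,CN=groups,CN=accounts,DC=test,DC=loc"]  # different case
PLAIN_USER = ["cn=ipausers,cn=groups,cn=accounts,dc=test,dc=loc"]

if __name__ == "__main__":
    for name, groups in (("admin", ADMIN_USER), ("editor", EDITOR_USER), ("plain", PLAIN_USER)):
        print(f"{name:6s} -> {resolve_role(groups, GROUP_MAPPINGS)}")
    # Misordered file: wildcard first turns everybody into a Viewer.
    wrong_order = [GROUP_MAPPINGS[2]] + GROUP_MAPPINGS[:2]
    print(lint_mappings(wrong_order), resolve_role(ADMIN_USER, wrong_order))
```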