Grafana LDAP authentication with FreeIPA
Grafana offers the possibility to authenticate users against LDAP - make it quite easy to integrate the tool into existing directory services. I'm using FreeIPA as directory and authentication service in my lab and had to adjust some settings to authenticate Grafana access.
The first step is to alter the main configuration file of Grafana (/etc/grafana/grafana.ini
) to enable the LDAP module and the appropriate configuration:
1[auth.ldap]
2enabled = true
3config_file = /etc/grafana/ldap.toml
That's a good time to disable registering new users using the web form:
1[users]
2allow_sign_up = false
3allow_org_create = false
In the FreeIPA backend, I created two groups for Grafana:
grafana-admins
grafana-editors
We will talk Grafana roles in a second. I altered the Grafana LDAPconfiguration file (/etc/grafana/ldap.toml
) like this:
1[[servers]]
2host = "dict.test.loc"
3port = 636
4use_ssl = true
5ssl_skip_verify = true
6root_ca_cert = /etc/ipa/ca.crt
7
8# Search user bind dn
9bind_dn = "uid=svc-bigbrother,cn=users,cn=accounts,dc=test,dc=loc"
10bind_password = '...'
11...
12# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
13search_filter = "(uid=%s)"
14
15# An array of base dns to search through
16search_base_dns = ["cn=users,cn=accounts,dc=test,dc=loc"]
17...
18## An array of the base DNs to search through for groups. Typically uses ou=groups
19group_search_base_dns = ["cn=groups,cn=accounts,dc=test,dc=loc"]
20
21# Specify names of the ldap attributes your ldap uses
22[servers.attributes]
23name = "givenName"
24surname = "sn"
25username = "uid"
26member_of = "memberOf"
27email = "mail"
If Grafana is executed on a system that is already registered to FreeIPA, the appropriate SSL certificate is already stored at /etc/ipa/ca.cert
. If this is not the case for your system, you will need to copy the certificate to this location. If you don't want to use any encryption, alter the variables port
and use_ssl
.
The attributes username
and email
need to be changed in order to match the FreeIPA schema.
The next step is to map the particular Grafana roles to appropriate LDAP groups. Grafana supports three different roles:
- Admin - full permissions, also data source administration
- Editor - using, creating and altering dashboards
- Viewer - using dashboards
I decided to map the Admin and Editor roles to dedicated groups and enable using dashboards to every authenticated user. In the configuration file, this implementation looks like this:
1# Administrators
2[[servers.group_mappings]]
3group_dn = "cn=grafana-admins,cn=groups,cn=accounts,dc=test,dc=loc"
4org_role = "Admin"
5
6# Editors
7[[servers.group_mappings]]
8group_dn = "cn=grafana-editors,cn=groups,cn=accounts,dc=test,dc=loc"
9org_role = "Editor"
10
11# Read-only for any authenticated user
12[[servers.group_mappings]]
13group_dn = "*"
14org_role = "Viewer"