Grafana LDAP authentication with FreeIPA

Grafana offers the possibility to authenticate users against LDAP, making it quite easy to integrate the tool into existing directory services. I'm using FreeIPA as directory and authentication service in my lab and had to adjust some settings to authenticate Grafana access.

The first step is to alter the main configuration file of Grafana (/etc/grafana/grafana.ini) to enable the LDAP module and point it at the LDAP configuration file:

[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml

This is also a good time to disable self-service sign-up and organization creation through the web form, so that the directory becomes the only way to obtain an account:

[users]
allow_sign_up = false
allow_org_create = false

In the FreeIPA backend, I created two groups for Grafana:

  • grafana-admins
  • grafana-editors

We will talk about Grafana roles in a second. I altered the Grafana LDAP configuration file (/etc/grafana/ldap.toml) like this:

[[servers]]
host = "dict.test.loc"
port = 636
use_ssl = true
# Keep certificate validation on; the FreeIPA CA below is what the server certificate is checked against
ssl_skip_verify = false
# TOML requires the path to be a quoted string
root_ca_cert = "/etc/ipa/ca.crt"

# Search user bind dn
bind_dn = "uid=svc-bigbrother,cn=users,cn=accounts,dc=test,dc=loc"
bind_password = '...'
...
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(uid=%s)"

# An array of base dns to search through
search_base_dns = ["cn=users,cn=accounts,dc=test,dc=loc"]
...
## An array of the base DNs to search through for groups. FreeIPA keeps them under cn=groups,cn=accounts
group_search_base_dns = ["cn=groups,cn=accounts,dc=test,dc=loc"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"


If Grafana runs on a system that is already enrolled in FreeIPA, the FreeIPA CA certificate is already present at /etc/ipa/ca.crt. If this is not the case for your system, copy it from an enrolled host (or from the IPA server) to that location; root_ca_cert expects the CA certificate, not the LDAP server's own certificate, and the path must be a quoted string. Leave ssl_skip_verify at false: with it set to true Grafana accepts any certificate presented on port 636, which makes the root_ca_cert setting pointless and lets anyone on the network path impersonate the directory. Switching off encryption by changing port to 389 and use_ssl to false is possible, but then the bind password and every user's password cross the network in clear text; if LDAPS is not available, keep port 389 and set start_tls = true instead.

The attributes username and email differ from Grafana's sample ldap.toml, which targets Active Directory (sAMAccountName and email); for the FreeIPA schema they need to be uid and mail.

The next step is to map the particular Grafana roles to appropriate LDAP groups. Grafana supports three organization roles:

  • Admin - full permissions within the organization, including data source and user administration
  • Editor - using, creating and altering dashboards
  • Viewer - using dashboards

I decided to map the Admin and Editor roles to dedicated groups and to grant Viewer to every other authenticated user. Grafana evaluates the mappings in file order and the first match wins, so the wildcard entry has to stay last: placed first, it would turn the members of grafana-admins into viewers. A user who matches none of the mappings is refused login. In the configuration file, this implementation looks like this:

# Administrators
[[servers.group_mappings]]
group_dn = "cn=grafana-admins,cn=groups,cn=accounts,dc=test,dc=loc"
org_role = "Admin"

# Editors
[[servers.group_mappings]]
group_dn = "cn=grafana-editors,cn=groups,cn=accounts,dc=test,dc=loc"
org_role = "Editor"

# Read-only for any authenticated user; must be the last mapping
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
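To check what the TLS settings and the group mappings above actually do before pointing a live Grafana at the directory, the following script parses a copy of the ldap.toml from this page, replays Grafana's first-match role assignment for a few constructed memberOf lists, and lints the [[servers]] entry for the two pitfalls discussed above (ssl_skip_verify = true, unencrypted binds) plus a wildcard mapping that is not last. It is an added example written for this page, not code from Grafana or FreeIPA; the embedded TOML is a transcription of the configuration above with the bind password left out, the memberOf values are constructed (only the two grafana-* groups come from the page; ipausers is FreeIPA's default group), and the assumption that group DNs are compared case- and whitespace-insensitively is mine.

```python
"""Replay Grafana's LDAP group-to-role mapping and lint an ldap.toml.

Added example for this page; not part of Grafana or FreeIPA.
"""
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

# Constructed copy of the page's ldap.toml; bind password omitted on purpose.
LDAP_TOML = '''
[[servers]]
host = "dict.test.loc"
port = 636
use_ssl = true
ssl_skip_verify = true
root_ca_cert = "/etc/ipa/ca.crt"
bind_dn = "uid=svc-bigbrother,cn=users,cn=accounts,dc=test,dc=loc"
search_filter = "(uid=%s)"
search_base_dns = ["cn=users,cn=accounts,dc=test,dc=loc"]
group_search_base_dns = ["cn=groups,cn=accounts,dc=test,dc=loc"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"

[[servers.group_mappings]]
group_dn = "cn=grafana-admins,cn=groups,cn=accounts,dc=test,dc=loc"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=grafana-editors,cn=groups,cn=accounts,dc=test,dc=loc"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
'''


def load_servers(toml_text):
    """Parse an ldap.toml string and return the list of [[servers]] tables."""
    return tomllib.loads(toml_text)["servers"]


def _norm_dn(dn):
    # LDAP DNs are case-insensitive and may carry spaces after the commas;
    # normalise before comparing (assumption: Grafana matches the same way).
    return ",".join(part.strip().lower() for part in dn.split(","))


def assign_role(member_of, mappings):
    """Return the org_role for a user whose memberOf values are `member_of`.

    Mappings are evaluated in file order and the first match wins; "*"
    matches any authenticated user.  None means no mapping matched, which
    Grafana treats as a refused login.
    """
    groups = {_norm_dn(g) for g in member_of}
    for mapping in mappings:
        dn = mapping["group_dn"]
        if dn == "*" or _norm_dn(dn) in groups:
            return mapping["org_role"]
    return None


def lint_server(server):
    """Return the findings a reviewer would raise about one [[servers]] entry."""
    findings = []
    if not server.get("use_ssl") and not server.get("start_tls"):
        findings.append("no use_ssl/start_tls: bind password and user "
                        "passwords cross the network in clear text")
    if server.get("ssl_skip_verify"):
        findings.append("ssl_skip_verify = true: server certificate is not "
                        "validated, root_ca_cert has no effect")
    mappings = server.get("group_mappings", [])
    for i, mapping in enumerate(mappings):
        if mapping["group_dn"] == "*" and i != len(mappings) - 1:
            findings.append('wildcard mapping "*" is not last and shadows '
                            "the mappings after it")
    return findings


if __name__ == "__main__":
    server = load_servers(LDAP_TOML)[0]
    base = "cn=groups,cn=accounts,dc=test,dc=loc"
    # Constructed memberOf lists for three hypothetical users.
    users = {
        "alice": [f"cn=grafana-admins,{base}", f"cn=ipausers,{base}"],
        "bob": [f"CN=Grafana-Editors, {base}"],
        "carol": [f"cn=ipausers,{base}"],
    }
    for name, groups in users.items():
        print(f"{name}: {assign_role(groups, server['group_mappings'])}")
    for finding in lint_server(server):
        print("finding:", finding)
```

Running it shows alice as Admin, bob as Editor and carol as Viewer, and one finding for the ssl_skip_verify = true value copied from the original configuration; reversing the mapping list so the wildcard comes first makes alice a Viewer, which is the ordering mistake the text warns about.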
