Integrating Grafana with LDAP
1 Configure Grafana
1.1 Add two groups in LDAP, Admin and Users, for administrators and ordinary users respectively. They serve as the permission boundary, so add the appropriate members to each.
1.2 Configure /etc/grafana/ldap.toml
```toml
[dev] [root@oneops grafana]# cat /etc/grafana/ldap.toml
[[servers]]
verbose_logging = true
host = ""
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false

# LDAP bind (admin) user and password
bind_dn = "cn=****,dc=oneops,dc=com"
bind_password = '*****'

search_filter = "(cn=%s)"
search_base_dns = ["ou=People,dc=oneops,dc=com"]
group_search_base_dns = ["ou=Group,dc=oneops,dc=com"]

# Note: the LDAP server must support the memberOf attribute; map each attribute one-to-one
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "mail"

# Map LDAP group membership to Grafana org roles
[[servers.group_mappings]]
group_dn = "cn=Admin,ou=Group,dc=oneops,dc=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=Users,ou=Group,dc=oneops,dc=com"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
```
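The group_mappings above are evaluated in file order, and the catch-all `"*"` entry means any LDAP account that can bind ends up with at least Viewer. The script below is an added example, not code from the post or from Grafana: it parses an ldap.toml with a small purpose-built parser, flags settings that expose credentials (no TLS, certificate checks disabled) or grant roles too broadly, and shows which org role a user's memberOf groups resolve to. The first-match semantics are modelled on Grafana's documented behaviour and are an assumption of this example; the host, bind_dn and bind_password values in the sample are constructed placeholders.

```python
"""Added example (not from the original post): parse a Grafana ldap.toml, flag
risky settings, and resolve which org role a user's LDAP groups map to."""
import re

# Constructed sample mirroring the post's ldap.toml; host, bind_dn and
# bind_password are placeholders, not values from the post.
SAMPLE_LDAP_TOML = """\
[[servers]]
host = "ldap.example.internal"
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=svc-grafana,dc=oneops,dc=com"
bind_password = 'placeholder-secret'
search_filter = "(cn=%s)"
search_base_dns = ["ou=People,dc=oneops,dc=com"]
group_search_base_dns = ["ou=Group,dc=oneops,dc=com"]

[servers.attributes]
username = "cn"
member_of = "memberOf"

[[servers.group_mappings]]
group_dn = "cn=Admin,ou=Group,dc=oneops,dc=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=Users,ou=Group,dc=oneops,dc=com"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
"""

_QUOTED = re.compile(r'"([^"]*)"|\'([^\']*)\'')

def _parse_value(raw):
    # TOML value forms used by ldap.toml: bool, int, string, array of strings
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("["):  # DNs contain commas, so split arrays on quotes
        return [a or b for a, b in _QUOTED.findall(raw)]
    if raw[:1] in ('"', "'"):
        return raw[1:-1]
    return int(raw)

def parse_ldap_toml(text):
    """Minimal parser for [[servers]], [servers.attributes], [[servers.group_mappings]]."""
    servers, target = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[servers]]":
            servers.append({"attributes": {}, "group_mappings": []})
            target = servers[-1]
        elif line == "[servers.attributes]":
            target = servers[-1]["attributes"]
        elif line == "[[servers.group_mappings]]":
            servers[-1]["group_mappings"].append({})
            target = servers[-1]["group_mappings"][-1]
        else:
            key, _, value = line.partition("=")
            target[key.strip()] = _parse_value(value)
    return servers

def resolve_org_role(server, member_of):
    """Mappings are tried in file order and the first match wins (modelled on
    Grafana's documented behaviour). A group_dn matches one of the user's
    memberOf DNs case-insensitively, or is the "*" wildcard matching everyone."""
    groups = {g.lower() for g in member_of}
    for mapping in server["group_mappings"]:
        dn = mapping["group_dn"]
        if dn == "*" or dn.lower() in groups:
            return mapping["org_role"]
    return None  # no mapping matched

def audit_server(server):
    """Findings about credential exposure and over-broad role grants."""
    findings = []
    if not server.get("use_ssl") and not server.get("start_tls"):
        findings.append("cleartext LDAP: bind_password and user passwords travel unencrypted")
    if server.get("ssl_skip_verify"):
        findings.append("ssl_skip_verify = true: LDAP server certificate not validated")
    wildcard_seen = False
    for mapping in server["group_mappings"]:
        if wildcard_seen:  # first match wins, so anything after "*" is dead config
            findings.append("unreachable mapping after '*': " + mapping["group_dn"])
        if mapping["group_dn"] == "*":
            wildcard_seen = True
            findings.append("catch-all '*': every account that can bind gets " + mapping["org_role"])
    return findings

if __name__ == "__main__":
    server = parse_ldap_toml(SAMPLE_LDAP_TOML)[0]
    for finding in audit_server(server):
        print("-", finding)
    for groups in (["cn=Admin,ou=Group,dc=oneops,dc=com"], ["cn=Users,ou=Group,dc=oneops,dc=com"], []):
        print(groups, "->", resolve_org_role(server, groups))
```

Running it against the sample reports the cleartext bind (use_ssl and start_tls both false, as in the post's config) and the catch-all Viewer grant; a user in both Admin and Users resolves to Admin because that mapping comes first, and a user in no mapped group still gets Viewer through `"*"`. Swapping the `"*"` entry to the top would make every later mapping unreachable, which the audit also flags.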
1.3 Configure /etc/grafana/grafana.ini
Enable LDAP authentication:
```ini
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
```
Note: if you need to inspect the LDAP login log because the LDAP integration is reporting errors, you can enable debug logging:
2 Restart the Grafana service for the changes to take effect
```bash
systemctl restart grafana-server
```