Grafana LDAP integration


1 Configure Grafana

1.1 Create two groups in LDAP, Admin and Users, for administrators and ordinary users respectively. They are used for permission management; add the members to each group.


1.2 Configure /etc/grafana/ldap.toml

[dev] [root@oneops grafana]# cat /etc/grafana/ldap.toml


[[servers]]
verbose_logging = true
host = ""
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false

# LDAP bind (admin) user and password
bind_dn = "cn=****,dc=oneops,dc=com"
bind_password = '*****'

search_filter = "(cn=%s)"

search_base_dns = ["ou=People,dc=oneops,dc=com"]


group_search_base_dns = ["ou=Group,dc=oneops,dc=com"]

# Note: memberOf must be supported by the LDAP server; each attribute mapping must correspond one to one
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "mail"

# LDAP group membership to local (Grafana) role mapping
[[servers.group_mappings]]
group_dn = "cn=Admin,ou=Group,dc=oneops,dc=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=Users,ou=Group,dc=oneops,dc=com"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
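The group mappings above are evaluated in order: the first mapping whose group_dn matches one of the user's memberOf values decides the org_role, and the trailing `group_dn = "*"` entry matches every LDAP account, so any user who can bind gets Viewer access. The script below is an added example, not part of the original page or of Grafana; it parses the subset of TOML used by ldap.toml with a small hand-written parser (so it runs without extra packages), simulates that first-match resolution for a few constructed memberOf lists, and flags the transport settings from the page that matter to a defender: `use_ssl = false` together with `start_tls = false` on port 389 sends the bind password and every user's login password in the clear. The case-insensitive DN comparison and the sample config are this example's assumptions, and the DNs are the page's placeholder values.

```python
"""Check a Grafana ldap.toml and simulate servers.group_mappings resolution.

Added example (not Grafana's own code). The TOML parser covers only what
ldap.toml uses: tables, arrays of tables, strings, ints, bools, string arrays.
"""
import re

# Constructed sample mirroring the page's ldap.toml (host left blank there too).
SAMPLE_LDAP_TOML = """
[[servers]]
host = ""
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=****,dc=oneops,dc=com"
bind_password = '*****'
search_filter = "(cn=%s)"
search_base_dns = ["ou=People,dc=oneops,dc=com"]
group_search_base_dns = ["ou=Group,dc=oneops,dc=com"]

[servers.attributes]
member_of = "memberOf"

[[servers.group_mappings]]
group_dn = "cn=Admin,ou=Group,dc=oneops,dc=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=Users,ou=Group,dc=oneops,dc=com"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
"""

_STR = re.compile(r'"([^"]*)"|\'([^\']*)\'')          # double- or single-quoted string
_HEADER = re.compile(r'^\[(\[)?([A-Za-z0-9_.]+)\]\]?$')  # [table] or [[array.of.tables]]


def _parse_value(raw):
    """Parse a TOML scalar or array of strings (DNs contain commas, so match quotes)."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("[") and raw.endswith("]"):
        return [m.group(1) if m.group(1) is not None else m.group(2)
                for m in _STR.finditer(raw[1:-1])]
    m = _STR.fullmatch(raw)
    if m:
        return m.group(1) if m.group(1) is not None else m.group(2)
    return int(raw)


def parse_ldap_toml(text):
    """Return a nested dict; arrays of tables become lists of dicts."""
    root, current = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = _HEADER.match(line)
        if header:
            is_array, parts = header.group(1) is not None, header.group(2).split(".")
            node = root
            for seg in parts[:-1]:             # walk into the most recent parent table
                node = node[seg]
                if isinstance(node, list):
                    node = node[-1]
            if is_array:
                node.setdefault(parts[-1], []).append({})
                current = node[parts[-1]][-1]
            else:
                current = node.setdefault(parts[-1], {})
            continue
        key, _, value = line.partition("=")    # split at the first '=' only (DNs contain '=')
        current[key.strip()] = _parse_value(value)
    return root


def resolve_org_role(server, member_of):
    """First matching mapping wins; '*' matches everyone; None means no role (login denied).
    Assumption of this example: DNs are compared case-insensitively."""
    groups = {g.lower() for g in member_of}
    for mapping in server.get("group_mappings", []):
        dn = mapping["group_dn"]
        if dn == "*" or dn.lower() in groups:
            return mapping["org_role"]
    return None


def transport_findings(server):
    """Flag cleartext credentials, disabled certificate checks and catch-all mappings."""
    findings = []
    if not server.get("use_ssl") and not server.get("start_tls"):
        findings.append("plaintext LDAP: neither use_ssl nor start_tls is enabled")
    if server.get("ssl_skip_verify"):
        findings.append("ssl_skip_verify = true disables certificate validation")
    if any(m["group_dn"] == "*" for m in server.get("group_mappings", [])):
        findings.append("wildcard group_dn grants every LDAP account a Grafana role")
    return findings


if __name__ == "__main__":
    srv = parse_ldap_toml(SAMPLE_LDAP_TOML)["servers"][0]
    for f in transport_findings(srv):
        print("finding:", f)
    for groups in (["cn=Admin,ou=Group,dc=oneops,dc=com"], ["cn=Users,ou=Group,dc=oneops,dc=com"], []):
        print(groups, "->", resolve_org_role(srv, groups))
```

Two things the simulation makes visible: if the `"*"` mapping were listed first, every user, including members of the Admin group, would resolve to Viewer, so the most privileged mappings must come first; and if the wildcard mapping is removed, an account in no mapped group gets no role at all, which is the usual choice when only designated groups should reach Grafana. For the transport finding, `start_tls = true` on port 389 or `use_ssl = true` on port 636 with a trusted CA keeps the bind and login passwords off the wire in the clear.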

1.3 Configure /etc/grafana/grafana.ini
Enable LDAP authentication:

[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml

Note: to inspect the LDAP login log when the LDAP integration reports an error, enable debug logging mode:
(screenshot of the logging settings, image2018-7-12_19-17-15, not reproduced)

2 Restart the Grafana service for the changes to take effect

systemctl restart grafana-server