Grafana grafana LDAP

Grafana與LDAP帳號整合應用

Sakin大大 2019/07/09 17:41:49
302

 

簡介

Grafana來取得LDAP內帳號資訊,進行Grafanan帳號權限控管

引用:https://grafana.com/docs/auth/ldap/

環境

CentOs7 Server , Grafana , LDAP

 

注意:該文章必須要了解LDAP基礎配置

 

(步驟一)首先我們先來看看LDAP結構跟各區塊屬性配置

看圖說故事的概念講解給各位聽:

位於(地址c或表格) tw.edu.nttu.mp 的一間公司thinkpower ,該公司職位名稱PG的底下一名人員sakin

這樣在LDAP解釋上就是cn=sakin,ou=PG,ou=thinkpower,dc=mp,dc=nttu,dc=edu,dc=tw

 

(步驟二)首先要先了解Grafana的ini設定檔案位置/etc/grafana/grafana.ini,並修改以下內容開啟LDAP應用

#################################### Auth LDAP ##########################
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
#################################### Logging ##########################
[log]
# Either "console", "file", "syslog". Default is console and  file
# Use space to separate multiple modes, e.g. "console file"
;mode = console file

# Either "debug", "info", "warn", "error", "critical", default is "info"
level = debug

 

(步驟三)編輯/etc/grafana/ldap.toml

# Ldap server host (specify multiple hosts space separated)
host = "127.0.0.1"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "cn=admin,dc=mp,dc=nttu,dc=edu,dc=tw"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = "3345678"

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(cn=%s)"

# An array of base dns to search through
search_base_dns = ["dc=mp,dc=nttu,dc=edu,dc=tw"]
## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
group_search_filter = "(&(objectClass=person)(cn=%s))"
group_search_base_dns = ["ou=thinkpower,dc=mp,dc=nttu,dc=edu,dc=tw"]
#group_search_filter_user_attribute = "cn"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
#member_of = "memberOf"
member_of = "cn"
email =  "email"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "sakin"
org_role = "Admin"
# To make user an instance admin  (Grafana Admin) uncomment line below
 grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "sakin"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "nika"
org_role = "Editor"

[[servers.group_mappings]]
#If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "yami"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"

 

我們逐行開始教學:

PT1~PT4:設定要連線LDAP位置

PT17~PT21:設定最大權限使用者是誰以及密碼為何,之後用於查詢用

%s:就是我們會在Grafana登入帳號所輸入的內容

PT23~PT32:設定要查詢的位置結構

PT30:查詢資訊所相對應的條件

PT34~PT41:帳號所需要顯示的資訊,根據LDAP對應內容

PT52~PT68:針對group_dn比對%s,所對應的資訊,給予相應權限

 

由以上內容我們給予了:

sakin這個人有最大權限、nika跟yami具有編輯權限,其他帳號則只有閱讀的權限

 

(步驟四)重新啟動Grafana,讓Grafana重新讀取ini檔案進行配置,並利用LDAP帳號登入Grafana介面

登入成功!!快點去開香檳!!

我們來看看帳號資訊部分

因Grafana的Users資訊必須先登入後才會註記,我們就來全部登入一遍

完工!!

 

 

 

 

 

 

Sakin大大
莫忘初衷、盡心盡力