|
| 1 | +# To troubleshoot and get more log info enable ldap debug logging in grafana.ini |
| 2 | +# [log] |
| 3 | +# filters = ldap:debug |
| 4 | + |
| 5 | +[[servers]] |
| 6 | +# Ldap server host (specify multiple hosts space separated) |
| 7 | +host = "127.0.0.1" |
| 8 | +# Default port is 389 or 636 if use_ssl = true |
| 9 | +port = 389 |
| 10 | +# Set to true if ldap server supports TLS |
| 11 | +use_ssl = false |
| 12 | +# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS) |
| 13 | +start_tls = false |
| 14 | +# set to true if you want to skip ssl cert validation |
| 15 | +ssl_skip_verify = false |
| 16 | +# set to the path to your root CA certificate or leave unset to use system defaults |
| 17 | +# root_ca_cert = "/path/to/certificate.crt" |
| 18 | + |
| 19 | +# Search user bind dn |
| 20 | +bind_dn = "cn=admin,dc=grafana,dc=org" |
| 21 | +# Search user bind password |
| 22 | +# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;""" |
| 23 | +bind_password = 'grafana' |
| 24 | + |
| 25 | +# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)" |
| 26 | +search_filter = "(cn=%s)" |
| 27 | + |
| 28 | +# An array of base dns to search through |
| 29 | +search_base_dns = ["dc=grafana,dc=org"] |
| 30 | + |
| 31 | +# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups. |
| 32 | +# This is done by enabling group_search_filter below. You must also set member_of= "cn" |
| 33 | +# in [servers.attributes] below. |
| 34 | + |
| 35 | +# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN |
| 36 | +# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of |
| 37 | +# below in such a way that the user's recursive group membership is considered. |
| 38 | +# |
| 39 | +# Nested Groups + Active Directory (AD) Example: |
| 40 | +# |
| 41 | +# AD groups store the Distinguished Names (DNs) of members, so your filter must |
| 42 | +# recursively search your groups for the authenticating user's DN. For example: |
| 43 | +# |
| 44 | +# group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)" |
| 45 | +# group_search_filter_user_attribute = "distinguishedName" |
| 46 | +# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"] |
| 47 | +# |
| 48 | +# [servers.attributes] |
| 49 | +# ... |
| 50 | +# member_of = "distinguishedName" |
| 51 | + |
| 52 | +## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available) |
| 53 | +# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))" |
| 54 | +## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter. |
| 55 | +## Defaults to the value of username in [server.attributes] |
| 56 | +## Valid options are any of your values in [servers.attributes] |
| 57 | +## If you are using nested groups you probably want to set this and member_of in |
| 58 | +## [servers.attributes] to "distinguishedName" |
| 59 | +# group_search_filter_user_attribute = "distinguishedName" |
| 60 | +## An array of the base DNs to search through for groups. Typically uses ou=groups |
| 61 | +# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"] |
| 62 | + |
| 63 | +# Specify names of the ldap attributes your ldap uses |
| 64 | +[servers.attributes] |
| 65 | +name = "givenName" |
| 66 | +surname = "sn" |
| 67 | +username = "cn" |
| 68 | +member_of = "memberOf" |
| 69 | +email = "email" |
| 70 | + |
| 71 | +# Map ldap groups to grafana org roles |
| 72 | +[[servers.group_mappings]] |
| 73 | +group_dn = "cn=admins,ou=groups,dc=grafana,dc=org" |
| 74 | +org_role = "Admin" |
| 75 | +# The Grafana organization database id, optional, if left out the default org (id 1) will be used |
| 76 | +# org_id = 1 |
| 77 | + |
| 78 | +[[servers.group_mappings]] |
| 79 | +group_dn = "cn=editors,ou=groups,dc=grafana,dc=org" |
| 80 | +org_role = "Editor" |
| 81 | + |
| 82 | +[[servers.group_mappings]] |
| 83 | +# If you want to match all (or no ldap groups) then you can use wildcard |
| 84 | +group_dn = "*" |
| 85 | +org_role = "Viewer" |
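Review bot: The shipped defaults `use_ssl = false`, `start_tls = false` and `port = 389` mean the search-user credential on the `bind_password` line and every authenticating user's password cross the network to the directory unencrypted, and the comments above those keys only say when TLS may be enabled, not what leaving it off costs. I would change the `use_ssl` comment to `# Set to true if ldap server supports TLS. With both use_ssl and start_tls false, bind and user passwords are sent in cleartext.` and the `ssl_skip_verify` comment to `# set to true if you want to skip ssl cert validation (disables server identity checking; for testing only)`. The `bind_dn` example is `cn=admin,dc=grafana,dc=org`; a comment noting that the search user only needs read access to the user and group subtrees would steer deployments toward a least-privilege account rather than the directory admin. The last mapping, `group_dn = "*"` with `org_role = "Viewer"`, grants Viewer to every LDAP user who can authenticate, which is worth spelling out in its comment so it is not left in place unintentionally.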