Enabling LDAP authentication in Grafana

Well, another short post in the spirit of following recommendations and best practices. Today is a reminder that we should not use local users, so we get our hands on Grafana and force logins through a central store such as our Active Directory or any other LDAP.

As I said, we should avoid local users in every service the organization runs, for many reasons: it is better to govern one central user store than N scattered ones, where who knows when a password was last changed, what the complexity policy is, and so on. And of course, to delegate permissions it is better to give people access only where they need it, right? Not permission to everything. For that, it is essential to rely on (in this case) an Active Directory.

Right then, let's get to it! The first thing is to tell Grafana that we want to use LDAP, so in the Grafana configuration file '/etc/grafana/grafana.ini' we enable it:

[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
; with allow_sign_up = false, only users that already exist in Grafana can log in via LDAP
allow_sign_up = false

Now it is time to write the LDAP configuration file. As always, we indicate the FQDN of a domain controller; ideally, always use the domain name, so no matter how many DCs we have, DNS balances the connections, and if we migrate the LDAP machines in the future we don't have to remember to come back here and change it. We indicate the port, depending on whether we use LDAP on 389 or, preferably, LDAPS on 636, and a dedicated user with read privileges to validate authentications. Additionally we can filter further, for example which OU the users come from, or a group they must belong to in order to access, and give them the Viewer role by default:

[[servers]]
host = "FQDN_LDAP"
port = 636
use_ssl = true
# start_tls selects STARTTLS instead of LDAPS; on port 636 it must stay false
start_tls = false
ssl_skip_verify = false
# dedicated read-only account used to look up the user who is logging in
bind_dn = "cn=ldap_grafana,ou=OU2,ou=OU1,dc=domain,dc=local"
bind_password = 'XXXXXXXXXXXXXXXXXXX'
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["dc=domain,dc=local"]
group_search_base_dns = ["cn=Grafana Users,ou=OU2,ou=OU1,dc=domain,dc=local"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "email"

# members of this AD group get the Viewer role in the default organization
[[servers.group_mappings]]
group_dn = "cn=Grafana Users,ou=OU2,ou=OU1,dc=domain,dc=local"
org_role = "Viewer"

And that's it, we have it! Restart Grafana and try to log in with an Active Directory user:

sudo systemctl restart grafana-server

Well, that's all for today 🙂 Sending you a hug, take care of yourselves and your loved ones, and may it go very well for you!

Author

nheobug@bujarra.com
Author of the Bujarra.com blog. Whatever you need, do not hesitate to contact me; I will try to help you whenever I can. Sharing is living ;) Enjoy the documents!!!

3 June 2022