Change Grafana LDAP configuration

plays/monitoring.yml

@@ -25,12 +25,10 @@
 
     grafana:
       root_url: https://grafana.crans.org
-      ldap_bind_dn: "cn=grafana,ou=service-users,{{ ldap_base }}"
-      ldap_passwd: "{{ vault_ldap_grafana_passwd }}"
 
     ldap_base: 'dc=crans,dc=org'
     ldap_master_ipv4: '172.16.10.1'
-    ldap_user_tree: "ou=users,{{ ldap_base }}"
+    ldap_user_tree: "ou=passwd,{{ ldap_base }}"
   roles:
     - prometheus
     - prometheus-alertmanager

roles/grafana/templates/ldap.toml.j2

@@ -7,9 +7,9 @@
 # Ldap server host (specify multiple hosts space separated)
 host = "{{ ldap_master_ipv4 }}"
 # Default port is 389 or 636 if use_ssl = true
-port = 389
+port = 636
 # Set to true if ldap server supports TLS
-use_ssl = false
+use_ssl = true
 # Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
 start_tls = false
 # set to true if you want to skip ssl cert validation
@@ -46,20 +46,7 @@ username = "cn"
 member_of = "dn"
 email =  "mail"
 
-# Map ldap groups to grafana org roles
+# All LDAP members can edit
 [[servers.group_mappings]]
-group_dn = "cn=nounou,ou=posix,ou=groups,dc=crans,dc=org"
-org_role = "Admin"
-# To make user an instance admin  (Grafana Admin) uncomment line below
-# grafana_admin = true
-# The Grafana organization database id, optional, if left out the default org (id 1) will be used
-# org_id = 1
-
-[[servers.group_mappings]]
-group_dn = "cn=apprenti,ou=posix,ou=groups,dc=crans,dc=org"
-org_role = "Editor"
-
-[[servers.group_mappings]]
-# If you want to match all (or no ldap groups) then you can use wildcard
 group_dn = "*"
-org_role = "Viewer"
+org_role = "Editor"