diff --git a/plays/monitoring.yml b/plays/monitoring.yml
index 114b0bdf1a6398ca644258afdd4bf309c1e7e295..167561e818fed7ed50d04da64826b791f49068f8 100755
--- a/plays/monitoring.yml
+++ b/plays/monitoring.yml
@@ -25,12 +25,10 @@
grafana:
root_url: https://grafana.crans.org
- ldap_bind_dn: "cn=grafana,ou=service-users,{{ ldap_base }}"
- ldap_passwd: "{{ vault_ldap_grafana_passwd }}"
ldap_base: 'dc=crans,dc=org'
ldap_master_ipv4: '172.16.10.1'
- ldap_user_tree: "ou=users,{{ ldap_base }}"
+ ldap_user_tree: "ou=passwd,{{ ldap_base }}"
roles:
- prometheus
- prometheus-alertmanager
diff --git a/roles/grafana/templates/ldap.toml.j2 b/roles/grafana/templates/ldap.toml.j2
index 1fd96e129084e8fa63dbbe7f061a042f585a32a0..1834a5839d9b9dca2fc6913c02b227d3c389d15f 100644
--- a/roles/grafana/templates/ldap.toml.j2
+++ b/roles/grafana/templates/ldap.toml.j2
@@ -7,9 +7,9 @@
# Ldap server host (specify multiple hosts space separated)
host = "{{ ldap_master_ipv4 }}"
# Default port is 389 or 636 if use_ssl = true
-port = 389
+port = 636
# Set to true if ldap server supports TLS
-use_ssl = false
+use_ssl = true
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
@@ -46,20 +46,7 @@ username = "cn"
member_of = "dn"
email = "mail"
-# Map ldap groups to grafana org roles
+# All LDAP members can edit
[[servers.group_mappings]]
-group_dn = "cn=nounou,ou=posix,ou=groups,dc=crans,dc=org"
-org_role = "Admin"
-# To make user an instance admin (Grafana Admin) uncomment line below
-# grafana_admin = true
-# The Grafana organization database id, optional, if left out the default org (id 1) will be used
-# org_id = 1
-
-[[servers.group_mappings]]
-group_dn = "cn=apprenti,ou=posix,ou=groups,dc=crans,dc=org"
-org_role = "Editor"
-
-[[servers.group_mappings]]
-# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
-org_role = "Viewer"
+org_role = "Editor"