From 830afd153182bb691243ce79def88b5c9b6f22e8 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Mon, 4 Apr 2022 17:26:15 +0200
Subject: [PATCH] [grafana] More power!

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/grafana.yml               |  4 ++++
 roles/grafana/templates/ldap.toml.j2 | 12 +++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/group_vars/grafana.yml b/group_vars/grafana.yml
index 254405df..9653f4a3 100644
--- a/group_vars/grafana.yml
+++ b/group_vars/grafana.yml
@@ -4,6 +4,10 @@ glob_grafana:
   ldap_base: "{{ glob_ldap.base }}"
   ldap_master_ipv4: "{{ glob_ldap.servers[0] }}"
   ldap_user_tree: "ou=passwd,{{ glob_ldap.base }}"
+  ldap_group_tree: "ou=group,{{ glob_ldap.base }}"
+  ldap_group_filter: "uid"
+  ldap_group_admin: "cn=_nounou,ou=group,{{ glob_ldap.base }}"
+  ldap_group_editor: "*"  # Everyone is editor
 
 logos:
   - which: crans_logo_white_small.svg
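Review bot: `ldap_group_filter: "uid"` holds an LDAP attribute name, not a filter — the template consumes it as `group_search_filter_user_attribute`, i.e. the user attribute whose value is substituted for `%s` in `group_search_filter`. The name invites someone to put a filter expression there later, which would quietly break group lookup and with it the admin/editor mapping. Either rename it (`ldap_group_user_attribute`, updating the template use) or document it in place: `# user attribute substituted for %s in the group search filter (memberUid holds uids)`. `ldap_group_editor: "*"` preserves the previous behaviour that any authenticated LDAP user is an Editor; since this value is now the single knob for narrowing edit rights, the trailing comment could say so: `# "*" = every LDAP user; set to a group DN to restrict editors`.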
diff --git a/roles/grafana/templates/ldap.toml.j2 b/roles/grafana/templates/ldap.toml.j2
index c92a9330..7685d90f 100644
--- a/roles/grafana/templates/ldap.toml.j2
+++ b/roles/grafana/templates/ldap.toml.j2
@@ -31,8 +31,8 @@ search_base_dns = ["ou=passwd,dc=crans,dc=org"]
 ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
 ## Please check grafana LDAP docs for examples
 group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
-group_search_base_dns = ["ou=group,{{ grafana.ldap_base }}"]
-group_search_filter_user_attribute = "cn"
+group_search_base_dns = ["{{ grafana.ldap_group_tree }}"]
+group_search_filter_user_attribute = "{{ grafana.ldap_group_filter }}"
 
 # Specify names of the ldap attributes your ldap uses
 [servers.attributes]
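Review bot: The group search base is now templated, but the user search base on the hunk's context line, `search_base_dns = ["ou=passwd,dc=crans,dc=org"]`, still hard-codes the DN although group_vars already defines `ldap_user_tree` with exactly that value; the line lies outside the hunk, so this is inferred from the `@@` header. Suggest `search_base_dns = ["{{ grafana.ldap_user_tree }}"]` so user and group bases are configured in one place and a base-DN change cannot be applied to one but not the other. The new `group_search_filter_user_attribute` line also switches the value substituted into `group_search_filter` from `cn` to `uid`; a comment above it, `# value of this user attribute replaces %s in group_search_filter above`, makes the pairing explicit for the next reader.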
@@ -41,7 +41,13 @@ surname = "sn"
 username = "uid"
 email =  "mail"
 
+# Nounous can administrate
+[[servers.group_mappings]]
+group_dn = "{{ grafana.ldap_group_admin }}"
+org_role = "Admin"
+grafana_admin = true
+
 # All LDAP members can edit
 [[servers.group_mappings]]
-group_dn = "*"
+group_dn = "{{ grafana.ldap_group_editor }}"
 org_role = "Editor"
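Review bot: The new admin mapping only works because it is placed above the wildcard Editor mapping — Grafana appears to apply the first `[[servers.group_mappings]]` entry that matches a user for a given org (confirm against the LDAP docs of the deployed Grafana version), so reordering the two blocks would silently demote nounous to Editor. Record that constraint in the comment: `# Nounous: org Admin + Grafana server admin. Keep above the "*" mapping: the first matching mapping wins.` `grafana_admin = true` grants instance-wide server admin (user and org management), which is broader than `org_role = "Admin"`, and deserves a word so it is not dropped or copied into the editor block casually. The "All LDAP members can edit" comment is accurate only while `ldap_group_editor` stays `"*"`; `# everyone when ldap_group_editor = "*"` keeps it honest.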
-- 
GitLab