[grafana] Working grafana with LDAP groups

d51db756 · me5na7qbjqbrp · fe206181 · d51db756 · d51db756 · d51db756
Verified Commit d51db756 authored 5 years ago by me5na7qbjqbrp
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
 $ANSIBLE_VAULT;1.1;AES256
-35323634643434386162333935333434356266646165373339343861383330313237306433326638
-3137623039383732663764613030313235653638636333300a313838633264323436316663653162
-31343864326565393261643230326564386237666563323066363332613065643831656339613164
-3263313530363663350a663038303331656337636534343939633933636435633933373139353364
-33663832333761343037663361373334356464643139323033353839313033306465353238323334
-32326338366133313836393730633930626261363135636262333932313737303839636438636265
-30366634373562643334666336666262383336343334376364663534303964313831653131353139
-31643162343965363164636465323866373235633139333239646134666535323531653637316230
-61643432303134643761393562373662646538363635613566383630373361323663343639666430
-32626663363534393063336166653865383964316165653032323134646637346664373661323665
-65386538343664653164363236633062616339393663633437376539353139333937616537616436
-38613338613965313662623832393362633032313539376536636363636366666238333239623532
-65376538386565373564383839326133333464376261333230323663333033323939336535623133
-31643164353534653537666361346531306261376234323065643364623737323433323435386438
-38623739313964303664393532316566313932396462303433323861303931663261336464366463
-36316465356330643666613637623335663535323635373730623237383631666366626335323932
-66386362623737316535663738313163333066633662353635666537646666383139303134623462
-39306366306136303138333936373634383436336565386631376531346335303034646233646639
-63356663343462393635373939633936356530303663663964623564646461306137643932653934
-34316630646439356464303661666134393036303339353635663736396535653064386636323832
-36383330663132633839663633653937663264653062303235366664666163376635623130323531
-39633235623038373464333130373364333937386638323935316339346361616463663861303764
-33656565386464316131626234306464396664666363646138633866313865323231346634653163
-36656266333436336464633361613433626661633434613461363238616133363165316662656462
-66626135316135613366633833646639323061313838393035303064613336306435623261343261
-30393539376430346333666639653736333330613566343038646262666263366338383330336333
-613538656663623631363161633631363239
+31333537633064326436386262343965626135306366386437666635613839333364336366356535
+3862663966643462663662616166656366366266326539380a303932616262336461653832363163
+31393964376632623462333964666533333639393631393865343062393135653937663063616135
+3763666336383136300a636662616534323639623663303730653230323330343366616235393239
+37666335393532623732336135633331306136323766323866313138643830386461303839623234
+37623031346638323061346666396632663036643964666130633131393632306165646438633030
+62383064643963643539353039373131336333343230663863653433653466643734313566383566
+66653664303031626562366430623336613363343130373063313463386631616235316663613664
+63353836626231376230356237313036373934663563326131613866323932663464633133316565
+64376261313435306265336666326264663933333138346437343063313932626633306533303135
+64336531313864656234396232373437626132333932336337643562313730323865343433326138
+39376438363132396439656532616161376639363663636264646366646530663139666334343637
+66313161363661623636336165356139333966396138336465643264323261363236353631316562
+36343135393062336633626439666332653462343438656566323236616131653463333738396530
+61633439663661386635373437343564303231363862356439343839393037393961643866666130
+37646435373966373662666263333561326365333530373333373633653539643334323762393533
+63393537643138376465623230613530393235616566663534333033643430643263323464616133
+38626333306263313139396635323732646561366334313639366162656435393230333664646330
+33333137373538666136643363636366333730313033356561366564383563393837396266306264
+33383966663132376235333037653861353265346338396633376363393062633033653065343539
+36663561393365623336653036633039316235396134303137353565653365613831333364663961
+33336134666662336162386635393432346138313137386561373731393033323733663663373639
+32656636646361303833313835323032356633333861636533333061646461366632633037333863
+64353638613236363063363136393338646361303066333837356664333834336465343565633461
+30316164333133306166366534643962303766626663326366376234376138353837353263646437
+32643734343530643035393938643663633537323134316263666362333564303234316535383936
+39633237643061656230633837356230323263343265643162323536633432633936633330323830
+32663932313431353837356139306631376466633861313663376237336438366637333862366134
+61303136643536363535376262346639346361366161323934336230633861376433366138343937
+3366396137633132316239623437633131323765383239653031
--- a/monitoring.yml
+++ b/monitoring.yml
@@ -10,6 +10,7 @@
          - localhost:9100
          - vulcain.adm.crans.org:9100
          - odlyd.adm.crans.org:9100
+          - fy.adm.crans.org:9100
      - labels:
          job: prometheus
        targets:
@@ -24,5 +25,12 @@

 # Deploy grafana
 - hosts: fy.adm.crans.org
+  vars:
+    grafana_root_url: https://grafana.crans.org
+    ldap_base: 'dc=crans,dc=org'
+    ldap_master_ipv4: '10.231.136.19'
+    ldap_user_tree: "cn=Utilisateurs,{{ ldap_base }}"
+    ldap_grafana_bind_dn: "cn=grafana,ou=service-users,{{ ldap_base }}"
+    ldap_grafana_passwd: "{{ vault_ldap_grafana_passwd }}"
  roles:
    - grafana
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -41,7 +41,7 @@
  loop:
    - section: server
      option: root_url
-      value: https://grafana.crans.org  # TODO put var in playbook
+      value: "{{ grafana_root_url }}"
    - section: session  # This will break with HTTPS
      option: cookie_secure
      value: "true"
@@ -63,21 +63,18 @@
    - section: auth.ldap
      option: enabled
      value: "true"
-    - section: auth.ldap  # We don't want registration
-      option: allow_sign_up
-      value: "false"
  notify: Restart grafana

-#- name: Configure Grafana LDAP
-#  lineinfile:
-#    # TODO
-#  loop:
-#    # TODO
-#  notify: Restart grafana
+- name: Configure Grafana LDAP
+  template:
+    src: ldap.toml.j2
+    dest: /etc/grafana/ldap.toml
+    mode: 0640
+  notify: Restart grafana

-#- name: Enable and start Grafana
-#  systemd:
-#    name: grafana-server
-#    enabled: true
-#    state: started
-#    daemon_reload: true
+- name: Enable and start Grafana
+  systemd:
+    name: grafana-server
+    enabled: true
+    state: started
+    daemon_reload: true
--- a/roles/grafana/templates/ldap.toml.j2
+++ b/roles/grafana/templates/ldap.toml.j2
+# {{ ansible_managed }}
+# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
+# [log]
+# filters = ldap:debug
+
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "{{ ldap_master_ipv4 }}"
+# Default port is 389 or 636 if use_ssl = true
+port = 389
+# Set to true if ldap server supports TLS
+use_ssl = false
+# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
+start_tls = false
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
+
+# Search user bind dn
+bind_dn = "{{ ldap_grafana_bind_dn }}"
+# Search user bind password
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+bind_password = '{{ ldap_grafana_passwd }}'
+
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+search_filter = "(cn=%s)"
+
+# An array of base dns to search through
+search_base_dns = ["{{ ldap_user_tree }}"]
+
+## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
+## Please check grafana LDAP docs for examples
+group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+group_search_base_dns = ["ou=posix,ou=groups,{{ ldap_base }}"]
+group_search_filter_user_attribute = "cn"
+
+# Specify names of the ldap attributes your ldap uses
+[servers.attributes]
+name = "sn"
+surname = ""
+username = "cn"
+member_of = "dn"
+email =  "mail"
+
+# Map ldap groups to grafana org roles
+[[servers.group_mappings]]
+group_dn = "cn=nounou,ou=posix,ou=groups,dc=crans,dc=org"
+org_role = "Admin"
+# To make user an instance admin  (Grafana Admin) uncomment line below
+grafana_admin = true
+# The Grafana organization database id, optional, if left out the default org (id 1) will be used
+# org_id = 1
+
+[[servers.group_mappings]]
+group_dn = "cn=apprenti,ou=posix,ou=groups,dc=crans,dc=org"
+org_role = "Editor"
+
+[[servers.group_mappings]]
+# If you want to match all (or no ldap groups) then you can use wildcard
+group_dn = "*"
+org_role = "Viewer"