diff --git a/plays/monitoring.yml b/plays/monitoring.yml
index 114b0bdf1a6398ca644258afdd4bf309c1e7e295..167561e818fed7ed50d04da64826b791f49068f8 100755
--- a/plays/monitoring.yml
+++ b/plays/monitoring.yml
@@ -25,12 +25,10 @@ grafana:
 root_url: https://grafana.crans.org
- ldap_bind_dn: "cn=grafana,ou=service-users,{{ ldap_base }}"
- ldap_passwd: "{{ vault_ldap_grafana_passwd }}"
 ldap_base: 'dc=crans,dc=org'
 ldap_master_ipv4: '172.16.10.1'
- ldap_user_tree: "ou=users,{{ ldap_base }}"
+ ldap_user_tree: "ou=passwd,{{ ldap_base }}"
 roles:
 - prometheus
 - prometheus-alertmanager
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index 0ec974c39f230f2b199a5e8154d506b9b735b539..1d928719424dbb9de52a62de71ae8a4858e301a6 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -33,12 +33,18 @@
 - section: server
 option: root_url
 value: "{{ grafana.root_url }}"
- - section: session # This will break with HTTPS
- option: cookie_secure
- value: "true"
 - section: analytics
 option: reporting_enabled
 value: "false"
+ - section: analytics
+ option: check_for_updates
+ value: "false"
+ - section: security
+ option: disable_initial_admin_creation
+ value: "true"
+ - section: security
+ option: cookie_secure
+ value: "true"
 - section: snapshots
 option: external_enabled
 value: "false"
@@ -48,6 +54,12 @@
 - section: users
 option: allow_org_create
 value: "false"
+ - section: auth.anonymous
+ option: enabled
+ value: "true"
+ - section: auth.anonymous
+ option: hide_version
+ value: "true"
 - section: auth.basic # Only LDAP auth
 option: enabled
 value: "false"
diff --git a/roles/grafana/templates/ldap.toml.j2 b/roles/grafana/templates/ldap.toml.j2
index 1fd96e129084e8fa63dbbe7f061a042f585a32a0..c918707aac8cabe5ecfd2b22128dd94867a7e9f4 100644
--- a/roles/grafana/templates/ldap.toml.j2
+++ b/roles/grafana/templates/ldap.toml.j2
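Review bot: The second main.yml hunk enables `auth.anonymous` without setting `org_role`, so unauthenticated visitors receive Grafana's built-in default for that option rather than a role chosen in this role; pin it next to `hide_version` with `- section: auth.anonymous`, `option: org_role`, `value: "Viewer"`. Enabling anonymous access also makes every dashboard of the default organisation readable by anyone who can reach `root_url`, which deserves a comment on the `enabled` line such as `# Dashboards of the default org become public; keep private ones in another org`. In the first hunk, `disable_initial_admin_creation: "true"` together with `auth.basic` disabled and the ldap.toml.j2 mapping in this commit granting only `Editor` suggests that no account can administer a freshly provisioned instance unless the local admin already exists — confirm that is intended.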
@@ -7,13 +7,13 @@
 # Ldap server host (specify multiple hosts space separated)
 host = "{{ ldap_master_ipv4 }}"
 # Default port is 389 or 636 if use_ssl = true
-port = 389
+port = 636
 # Set to true if ldap server supports TLS
-use_ssl = false
+use_ssl = true
 # Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
 start_tls = false
 # set to true if you want to skip ssl cert validation
-ssl_skip_verify = false
+ssl_skip_verify = true
 # set to the path to your root CA certificate or leave unset to use system defaults
 # root_ca_cert = "/path/to/certificate.crt"
 # Authentication against LDAP servers requiring client certificates
@@ -21,13 +21,13 @@ ssl_skip_verify = false
 # client_key = "/path/to/client.key"
 # Search user bind dn
-bind_dn = "{{ grafana.ldap_bind_dn }}"
+bind_dn = "uid=%s,{{ ldap_user_tree }}"
 # Search user bind password
 # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-bind_password = '{{ grafana.ldap_passwd }}'
+#bind_password = ''
 # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
-search_filter = "(cn=%s)"
+search_filter = "(uid=%s)"
 # An array of base dns to search through
 search_base_dns = ["{{ ldap_user_tree }}"]
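Review bot: `ssl_skip_verify = true` on the new side cancels most of what `use_ssl = true` on port 636 buys: the session is encrypted but the directory's certificate is never checked, so a host that can answer in place of `{{ ldap_master_ipv4 }}` can impersonate the directory and receive the credentials the users bind with (the second hunk switches to binding as the user). Keep verification on and trust the directory's CA explicitly instead: `ssl_skip_verify = false` and `root_ca_cert = "<path to the LDAP CA bundle>"` (placeholder path), and point `host` at a name the certificate actually carries if the bare IP is not in its SAN — a bare IP in `host` is the likely reason verification was turned off. A self-signed certificate is still better distributed through `root_ca_cert` than worked around with skip-verify.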
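Review bot: The switch from a service-account bind to `bind_dn = "uid=%s,{{ ldap_user_tree }}"` with `bind_password` commented out is not documented in the template: the comment above it still reads "Search user bind dn", which no longer describes a search user. Replace it with `# Bind directly as the authenticating user: %s is the login name, so no service-account password is needed` and reword or drop the "Search user bind password" comment above `#bind_password = ''`. The group search further down the file now presumably runs with the user's own credentials, so the directory must let ordinary users read the group entries — worth verifying on the LDAP side rather than assuming.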
@@ -35,31 +35,17 @@ search_base_dns = ["{{ ldap_user_tree }}"]
 ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
 ## Please check grafana LDAP docs for examples
 group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
-group_search_base_dns = ["ou=posix,ou=groups,{{ ldap_base }}"]
+group_search_base_dns = ["ou=group,{{ ldap_base }}"]
 group_search_filter_user_attribute = "cn"
 # Specify names of the ldap attributes your ldap uses
 [servers.attributes]
-name = "sn"
-surname = ""
-username = "cn"
-member_of = "dn"
+name = "givenName"
+surname = "sn"
+username = "uid"
 email = "mail"
-# Map ldap groups to grafana org roles
+# All LDAP members can edit
 [[servers.group_mappings]]
-group_dn = "cn=nounou,ou=posix,ou=groups,dc=crans,dc=org"
-org_role = "Admin"
-# To make user an instance admin (Grafana Admin) uncomment line below
-# grafana_admin = true
-# The Grafana organization database id, optional, if left out the default org (id 1) will be used
-# org_id = 1
-
-[[servers.group_mappings]]
-group_dn = "cn=apprenti,ou=posix,ou=groups,dc=crans,dc=org"
-org_role = "Editor"
-
-[[servers.group_mappings]]
-# If you want to match all (or no ldap groups) then you can use wildcard
 group_dn = "*"
-org_role = "Viewer"
+org_role = "Editor"
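Review bot: The remaining mapping grants `Editor` to every LDAP user through `group_dn = "*"` while the only `Admin` mapping (the former nounou group) and the `Viewer` catch-all are removed, so any account in the directory can change or delete every dashboard and no LDAP user can administer the instance any more. If a specific group is meant to keep Admin, re-add a mapping before the wildcard one — `[[servers.group_mappings]]`, `group_dn = "cn=<admin group>,ou=group,{{ ldap_base }}"` (placeholder group name), `org_role = "Admin"` — and keep the wildcard last as the original file did, since the wildcard otherwise matches everyone. If all-Editor is really the intent, the new comment should say so explicitly, e.g. `# Every LDAP account is Editor; administration is done with the local admin account only`.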