ansible-roles/library/roles/grafana/templates/ldap.toml.j2

86 lines
3.4 KiB
Django/Jinja

# Set to true to log user information returned from LDAP
verbose_logging = false
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "{{ grafana_ldap_host }}"
# Default port is 389 or 636 if use_ssl = true
port = {{ grafana_ldap_port }}
# Set to true if ldap server supports TLS
use_ssl = {{ grafana_ldap_use_ssl }}
# set to true if you want to skip ssl cert validation
ssl_skip_verify = {{ grafana_ldap_ssl_skip_verify }}
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = /path/to/certificate.crt
# Search user bind dn
bind_dn = "{{ grafana_ldap_bind_dn }}"
# Search user bind password
bind_password = '{{ grafana_ldap_bind_pwd }}'
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "{{ grafana_ldap_u_search_filter }}"
# An array of base dns to search through
search_base_dns = ["{{ grafana_ldap_u_search_base }}"]
# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
# This is done by enabling group_search_filter below. You must also set member_of= "cn"
# in [servers.attributes] below.
# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
# below in such a way that the user's recursive group membership is considered.
#
# Nested Groups + Active Directory (AD) Example:
#
# AD groups store the Distinguished Names (DNs) of members, so your filter must
# recursively search your groups for the authenticating user's DN. For example:
#
# group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
# group_search_filter_user_attribute = "distinguishedName"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
#
# [servers.attributes]
# ...
# member_of = "distinguishedName"
## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
{% if grafana_ldap_posix_groups %}
group_search_filter = "{{ grafana_ldap_g_search_filter }}"
## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
## Defaults to the value of username in [server.attributes]
## Valid options are any of your values in [servers.attributes]
## If you are using nested groups you probably want to set this and member_of in
## [servers.attributes] to "distinguishedName"
group_search_filter_user_attribute = "{{ grafana_ldap_g_search_filter_user_attr }}"
## An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_base_dns = ["{{ grafana_ldap_g_search_base }}"]
{% endif %}
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "{{ grafana_ldap_serverattrs_username }}"
{% if grafana_ldap_posix_groups %}
member_of = "cn"
{% else %}
member_of = "memberOf"
{% endif %}
email = "{{ grafana_ldap_u_email }}"
# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "{{ grafana_ldap_admin_role_group }}"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1
{% for map in grafana_ldap_group_roles %}
[[servers.group_mappings]]
group_dn = "{{ map.dn }}"
org_role = "{{ map.role }}"
{% endfor %}