Grafana LDAP

Configuring Grafana to work with Foxpass's LDAP server

Grafana is an open source platform for analytics, visualization, and monitoring. It supports LDAP as an authentication mechanism for its web interface. General instructions for setting up LDAP can be found here:
http://docs.grafana.org/installation/ldap/

Detailed instructions on how to use Foxpass's LDAP with Grafana are below.

Create an LDAP Binder

Note your Base DN, shown on the dashboard page; you will need it below.

Create an LDAP Binder account named 'grafana' (or another easily identifiable name) on the LDAP binders page. Copy the generated password: it is displayed only once.

Also make a note of the binder's full DN (e.g. cn=grafana,dc=≪example≫,dc=≪com≫).

Configure Grafana

Now it's time to configure Grafana. By default, LDAP authentication is disabled. To enable it, add the following to 'grafana.ini':

...
[auth.ldap]
enabled = true
allow_sign_up = true
config_file = /etc/grafana/ldap.toml
...

In the example above, 'allow_sign_up' is set to true, which lets Grafana create a new Grafana user the first time an LDAP login succeeds. 'config_file' points to the 'ldap.toml' file, which you can create now. Because 'ldap.toml' holds the binder password, make it readable only by the user Grafana runs as. Fill it in with the values below, inserting your own information where marked by the double arrows:

...
verbose_logging = true

[[servers]]
host = "ldap.foxpass.com"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=grafana,dc=≪example≫,dc=≪com≫"
bind_password = '≪binder password≫'
search_filter = "(uid=%s)"
search_base_dns = ["dc=≪example≫,dc=≪com≫"]

[servers.attributes]
name = "gn"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "mail"

[[servers.group_mappings]]
group_dn = "cn=≪grafana-admins≫,ou=groups,dc=≪example≫,dc=≪com≫"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=≪grafana-editors≫,ou=groups,dc=≪example≫,dc=≪com≫"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
...

Replace the 'bind_password' value with the binder password from the first step. Keep 'use_ssl = true' and 'ssl_skip_verify = false' so that the binder password and your users' passwords are only ever sent over a verified TLS connection to ldap.foxpass.com on port 636. Additionally, you can use Foxpass groups to grant Grafana permissions. In the example above, users in the 'grafana-admins' group in Foxpass become Admins in Grafana, and users in the 'grafana-editors' group become Editors. The 'group_dn = "*"' mapping matches every user who authenticates, so all other users become Viewers. Grafana evaluates the mappings in the order listed and uses the first match, so keep the "*" entry last; if you want only members of those two groups to receive a role, remove it.
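The group-mapping rules above, as an added example that is not Foxpass's or Grafana's own code: a small Python model of how Grafana resolves a user's org role from the '[[servers.group_mappings]]' entries in 'ldap.toml', plus a check that the wildcard entry is last. The group DNs are the page's placeholders filled in with 'example.com'; the users and their 'memberOf' values are constructed for the illustration.

```python
# Added example (not Grafana's or Foxpass's code): a model of how Grafana turns a
# user's LDAP groups into an org role, following the documented rules that
# [[servers.group_mappings]] are evaluated in file order, the first match for
# an org wins, and group_dn = "*" matches every authenticated user.
# Group DNs mirror the ldap.toml above with the placeholders filled in;
# the users and their memberOf values are constructed for this illustration.

WILDCARD = "*"

# The three mappings from ldap.toml, in the order they appear in the file.
PAGE_MAPPINGS = [
    {"group_dn": "cn=grafana-admins,ou=groups,dc=example,dc=com", "org_role": "Admin"},
    {"group_dn": "cn=grafana-editors,ou=groups,dc=example,dc=com", "org_role": "Editor"},
    {"group_dn": WILDCARD, "org_role": "Viewer"},
]

# The same three mappings with the wildcard moved to the top: a common mistake.
MISORDERED_MAPPINGS = [PAGE_MAPPINGS[2], PAGE_MAPPINGS[0], PAGE_MAPPINGS[1]]

# Constructed sample users: the memberOf values Grafana would read for each.
SAMPLE_USERS = {
    "alice": [
        "cn=grafana-admins,ou=groups,dc=example,dc=com",
        "cn=engineering,ou=groups,dc=example,dc=com",
    ],
    "bob": ["cn=grafana-editors,ou=groups,dc=example,dc=com"],
    "carol": ["cn=engineering,ou=groups,dc=example,dc=com"],
}


def is_member_of(member_of, group_dn):
    """"*" matches everyone; otherwise group DNs are compared case-insensitively."""
    if group_dn == WILDCARD:
        return True
    return any(dn.lower() == group_dn.lower() for dn in member_of)


def resolve_org_roles(member_of, mappings):
    """Return {org_id: org_role}. Mappings are walked in file order and the
    first match for each org is kept; a mapping without org_id applies to org 1."""
    roles = {}
    for mapping in mappings:
        org_id = mapping.get("org_id", 1)
        if org_id in roles:
            continue  # an earlier mapping already decided this org
        if is_member_of(member_of, mapping["group_dn"]):
            roles[org_id] = mapping["org_role"]
    return roles


def resolve_org_role(member_of, mappings, org_id=1):
    """Role for a single org, or None when no mapping matched the user."""
    return resolve_org_roles(member_of, mappings).get(org_id)


def wildcard_is_last(mappings):
    """Lint: a "*" mapping shadows every later mapping for the same org, so it
    must be the final entry for that org (or absent)."""
    orgs_with_wildcard = set()
    for mapping in mappings:
        org_id = mapping.get("org_id", 1)
        if org_id in orgs_with_wildcard:
            return False  # this entry follows the wildcard and can never match
        if mapping["group_dn"] == WILDCARD:
            orgs_with_wildcard.add(org_id)
    return True


if __name__ == "__main__":
    for name, groups in SAMPLE_USERS.items():
        print(f"{name:6} page order: {str(resolve_org_role(groups, PAGE_MAPPINGS)):7}"
              f" wildcard first: {resolve_org_role(groups, MISORDERED_MAPPINGS)}")
    print("wildcard last in page order:", wildcard_is_last(PAGE_MAPPINGS))
    print("wildcard last when misordered:", wildcard_is_last(MISORDERED_MAPPINGS))
    # Without the wildcard, a user in neither group gets no role at all.
    print("carol with no wildcard:", resolve_org_role(SAMPLE_USERS["carol"], PAGE_MAPPINGS[:2]))
```

Run it to see that moving the "*" mapping to the top silently turns every user, admins included, into a Viewer, which is why the wildcard belongs at the end of the file, and that dropping it leaves users outside the two groups with no role.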

The official Grafana documentation contains a fully documented 'ldap.toml' example, as well: http://docs.grafana.org/installation/ldap/

After saving the 'ldap.toml' file, restart Grafana, and log in with your Foxpass credentials!

Grafana, Kubernetes, and Foxpass

If you want to run Grafana on Kubernetes and integrate it with Foxpass, the Grafana Helm Chart provides an easy way to set it up.

Rename the 'ldap.toml' file from the earlier instructions to 'ldap-toml', which is the secret key name the Grafana Helm Chart expects.

Then create a Kubernetes secret containing the 'ldap-toml' file by running this command:

$ kubectl create secret generic grafana-ldap --from-file=./ldap-toml

LDAP integration is enabled via the 'grafana.ini' file. When using the Grafana Helm Chart, the contents of 'grafana.ini' are managed via the 'values.yaml' file.

Create the 'foxpass_values.yaml' file, which contains the LDAP configuration and a reference to the Kubernetes secret created above:

grafana.ini:
  auth.ldap:
    enabled: true
    allow_sign_up: true
    config_file: /etc/grafana/ldap.toml
ldap:
  existingSecret: "grafana-ldap"

When both the Kubernetes secret and the values file exist, install or upgrade Grafana with the 'helm' utility.

To create a new installation of the Grafana Helm Chart, run:

$ helm install grafana stable/grafana -f foxpass_values.yaml

To upgrade an existing installation (or install it if it does not exist yet), run:

$ helm upgrade --install grafana stable/grafana -f foxpass_values.yaml

Note that the Helm 'stable' chart repository has since been deprecated; current releases of the chart are published from the 'grafana' repository (https://grafana.github.io/helm-charts), and the 'grafana.ini' and 'ldap.existingSecret' values used here are unchanged there.

After running the appropriate command, check the pod and its logs with 'kubectl':

$ kubectl get pod -l app=grafana
NAME                       READY   STATUS    RESTARTS   AGE
grafana-569876bf4d-wghc8   1/1     Running   0          42m

$ kubectl logs -f grafana-569876bf4d-wghc8
t=2018-08-06T13:02:43+0000 lvl=info msg="Initializing Stream Manager"
t=2018-08-06T13:02:43+0000 lvl=info msg="Initializing HTTP Server" logger=http.server address=0.0.0.0:3000 protocol=http subUrl= socket=

When Grafana has started, use the 'kubectl port-forward' command to check that you can log in with your Foxpass credentials:

$ kubectl port-forward grafana-569876bf4d-wghc8 3000

Navigate to http://localhost:3000 and log in with your Foxpass credentials!

Troubleshooting

You can use the 'ldapsearch' CLI tool to validate your LDAP Binder credentials, binding as the binder DN and searching from your Base DN:

$ ldapsearch -x -H ldaps://ldap.foxpass.com -b dc=≪example≫,dc=≪com≫ -D cn=grafana,dc=≪example≫,dc=≪com≫ -W

'-W' prompts for the binder password instead of taking it on the command line, so it does not end up in your shell history. A successful bind returns entries from your Base DN, while "ldap_bind: Invalid credentials (49)" means the binder DN or password is wrong. To reproduce the lookup Grafana performs at login, append the search filter from 'ldap.toml' with a real username in place of '%s', i.e. (uid=≪username≫), and confirm that exactly one entry is returned.

Additionally, you can check the Foxpass LDAP Logs if you're experiencing issues while trying to log in.