Grafana LDAP
Configuring Grafana to work with Foxpass's LDAP server
Grafana is an open source platform for analytics, visualization, and monitoring. It supports LDAP as an authentication mechanism for its web interface. General instructions for setting up LDAP can be found here:
http://docs.grafana.org/installation/ldap/
Detailed instructions on how to use Foxpass's LDAP with Grafana are below.
Create an LDAP Binder
Note your Base DN on the dashboard page and mark it down.
Create an LDAP Binder account with the name 'grafana' (or easily identifiable) on the LDAP binders page. Copy/paste the generated password! It is only displayed once.
Also make a note of the binder's full DN (e.g. cn=grafana,dc=≪example≫,dc=≪com≫); Grafana needs it as the 'bind_dn'.
Configure Grafana
Now it's time to configure Grafana. By default, LDAP authentication is disabled. To enable it, add the following to 'grafana.ini':
...
[auth.ldap]
enabled = true
allow_sign_up = true
config_file = /etc/grafana/ldap.toml
...
In the example above, 'allow_sign_up' is set to true, which lets Grafana create a new user the first time that user's LDAP authentication succeeds. 'config_file' points to the 'ldap.toml' file, which you can create now. Fill 'ldap.toml' in with these values, inserting your own information where marked by the double arrows:
...
verbose_logging = true
[[servers]]
host = "ldap.foxpass.com"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=grafana,dc=≪example≫,dc=≪com≫"
bind_password = '≪binder password≫'
search_filter = "(uid=%s)"
search_base_dns = ["dc=≪example≫,dc=≪com≫"]
[servers.attributes]
name = "gn"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "mail"
[[servers.group_mappings]]
group_dn = "cn=≪grafana-admins≫,ou=groups,dc=≪example≫,dc=≪com≫"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "cn=≪grafana-editors≫,ou=groups,dc=≪example≫,dc=≪com≫"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
...
Replace the 'bind_password' value with the binder password from the first step. Additionally, you can use Foxpass groups to grant certain Grafana permissions. In the example above, users in the 'grafana-admins' group in Foxpass are marked as Admins in Grafana, and users in the 'grafana-editors' group are marked as Editors. All other users not belonging to either group are marked as Viewers.
The official Grafana documentation contains a fully documented 'ldap.toml' example, as well: http://docs.grafana.org/installation/ldap/
After saving the 'ldap.toml' file, restart Grafana, and log in with your Foxpass credentials!
Grafana, Kubernetes, and Foxpass
If you want to run Grafana on Kubernetes and integrate it with Foxpass, the Grafana Helm Chart provides an easy way to set it up.
Rename the 'ldap.toml' file from the earlier instructions to 'ldap-toml' as required by Grafana Helm Chart.
Then create the Kubernetes secret that will hold the 'ldap-toml' file (the chart refers to it as an existing secret) by running this command:
$ kubectl create secret generic grafana-ldap --from-file=./ldap-toml
LDAP integration is enabled via the 'grafana.ini' file. When using the Grafana Helm Chart, the contents of 'grafana.ini' are managed via the 'values.yaml' file.
Create the 'foxpass_values.yaml' file which will contain the LDAP configuration, and a reference to the Kubernetes secret which was created earlier:
grafana.ini:
  auth.ldap:
    enabled: true
    allow_sign_up: true
    config_file: /etc/grafana/ldap.toml
ldap:
  existingSecret: "grafana-ldap"
When both the Kubernetes secret and Grafana Helm Chart values are created, install or upgrade Grafana with the 'helm' utility.
To create a new installation of Grafana Helm Chart, run the command:
$ helm install grafana stable/grafana -f foxpass_values.yaml
To upgrade an existing installation of Grafana Helm Chart, run the command:
$ helm upgrade --install grafana stable/grafana -f foxpass_values.yaml
After running the appropriate command, check the logs with 'kubectl':
$ kubectl get pod -l app=grafana
NAME READY STATUS RESTARTS AGE
grafana-569876bf4d-wghc8 1/1 Running 0 42m
$ kubectl logs -f grafana-569876bf4d-wghc8
t=2018-08-06T13:02:43+0000 lvl=info msg="Initializing Stream Manager"
t=2018-08-06T13:02:43+0000 lvl=info msg="Initializing HTTP Server" logger=http.server address=0.0.0.0:3000 protocol=http subUrl= socket=
When Grafana has started, use the 'kubectl port-forward' command to verify that you are able to log in with your Foxpass credentials:
$ kubectl port-forward grafana-569876bf4d-wghc8 3000
Navigate to http://localhost:3000 and log in with your Foxpass credentials!
Troubleshooting
You can use the 'ldapsearch' CLI tool to validate your LDAP Binder credentials. The '-W' flag prompts for the binder password, so it does not end up on the command line or in your shell history:
$ ldapsearch -x -H ldaps://ldap.foxpass.com -b dc=≪example≫,dc=≪com≫ -D cn=grafana,dc=≪example≫,dc=≪com≫ -W
Additionally, you can check the Foxpass LDAP Logs if you're experiencing issues while trying to log in.