在设置之前,必须弄懂ldap里面的几个名词
cn、ou、dc、dn(自行百度)
dn包含前三个,下面就是一个dn
(uid=mcc)cn=student,ou=chuanda,dc=chengdu,dc=sichuan,dc=china
作用等于 china/sichuan/chengdu/chuanda/mcc
就用ldap登录后的返回好了,看官一看便知!
[
{
DN: "uid=chenchen.ming,ou=Users,dc=test,dc=cn",
FirstName: "ming",
LastName: "ming",
Username: "chenchen.ming@qq.com",
Email: "chenchen.ming@qq.com",
MemberOf: {
"cn=confluence-users,ou=Groups,dc=test,dc=cn",
"cn=jira-software-users,ou=Groups,dc=test,dc=cn"
}
}
]1.启动一个grafana实例
docker run -i -p 13000:3000 grafana/grafana -d
2.设置ldap配置文件
进入docker,编辑ldap配置文件
root@b01a0d97c5af:/# apt-get update
root@b01a0d97c5af:/# apt-get install vim
root@b01a0d97c5af:/# vim /etc/grafana/ldap.toml
1.server.host、port修改为自己的ldap的地址
host = "ldap.mcc.cn"
port = 389
use_ssl = true
start_tls = true //这个之前false 会报错LDAP Result Code 200 "": EOF
ssl_skip_verify = true
#root_ca_cert = /path/to/certificate.crt //证书没设置2.设置读取的账户(需要可读权限)
注意这个
# Search user bind dn
bind_dn = "uid=chenchen.ming,ou=Users,dc=test,dc=cn" //这个找ldap负责人就可以拿到
# Search user bind password
bind_password = "Mcctest"3.设置grafana登录账户 = ldap mail
search_filter这个非常重要,决定了grafana的账号是ldap的uid还是mail还是其他
//search_filter = "(uid=%s)" //uid登录 chenchen.ming
search_filter = "(mail=%s)" //邮箱登录 chenchen.ming@qq.com
search_base_dns = ["ou=Users,dc=test,dc=cn"] 4.设置[servers.attributes]
貌似这个没什么影响,对登录来说…
[servers.attributes]
name = "givenName"
surname = "sn"
username = "mail" //这个
member_of = "memberOf"
email = "mail" //这个5.设置ldap的组和grafana的org对应关系
注意ou=Groups,而登录用户的ou=Users
# 第一个组
[[servers.group_mappings]]
group_dn = "cn=confluence-users,ou=Groups,dc=test,dc=cn"
org_role = "Editor"
org_id = 3
# 第二个组
[[servers.group_mappings]]
group_dn = "cn=jira-software-users,ou=Groups,dc=test,dc=cn"
org_role = "Editor"
org_id = 4
[[servers.group_mappings]]
# 所有人都是该org的viewer
group_dn = "*"
org_role = "Viewer"
org_id = 2
ps:用户匹配上多个组则可以拥有多个组的多个权限
3.启用ldap认证
1.全局配置文件目录
root@b01a0d97c5af:/usr/share/grafana/conf# whereis grafana
grafana: /etc/grafana /usr/share/grafanaroot@b01a0d97c5af:/usr/share/grafana# cd /usr/share/grafana/conf/
root@b01a0d97c5af:/usr/share/grafana/conf# vi defaults.ini
2.修改配置
[auth.ldap]
enabled = true
完了之后重启grafana
4.创建grafana org
使用admin admin登录,创建org
一定要注意orgId和上面设置的mapping的org_id对应!
5.使用ldap账户登录
查看组和org是否对应正确 
验证正确!
参考:
install grafana with docker
grafana configuration
LDAP Authentication
ldap错误说明
遇到的问题:
1.如果search账户没对,grafana登录后台会报4条错误,如果search账户对了,则只报3条错误
t=2017-05-24T06:44:49+0000 lvl=info msg="LDAP initial bind failed, [LDAP Result Code 49 \"Invalid Credentials\": ]" //这个错误就是说search user bind cn没对
t=2017-05-24T06:44:49+0000 lvl=eror msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="Invalid Username or Password"
t=2017-05-24T06:44:49+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=401 remote_addr=10.2.1.110 time_ms=46ns size=42
t=2017-05-24T06:44:49+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/api/login/ping status=401 remote_addr=10.2.1.110 time_ms=0s size=26来源:CSDN
作者:God_Ming
链接:https://blog.csdn.net/jinzhencs/article/details/72674001