Puppet Class: grafana::auth::ldap

Inherits:
::grafana::params
Defined in:
manifests/auth/ldap.pp

Overview

Configures Grafana for LDAP authentication.

Examples:

Configure Grafana to use OpenLDAP

class { '::grafana':
  admin_password => 'admin',
  secret_key     => 'abc123',
}
class { '::grafana::auth::ldap':
  bind_dn               => 'cn=Manager,dc=example,dc=com',
  bind_password         => 'secret',
  group_search_base_dns => ['ou=groups,dc=example,dc=com'],
  group_search_filter   => '(&(objectClass=posixGroup)(memberUid=%s))',
  hosts                 => ['127.0.0.1'],
  search_base_dns       => ['ou=people,dc=example,dc=com'],
  search_filter         => '(uid=%s)',
  attributes            => {
    'name'      => 'givenName',
    'surname'   => 'sn',
    'username'  => 'uid',
    'member_of' => 'cn',
    'email'     => 'mail',
  },
  group_mappings        => [
    {
      'group_dn' => 'admin',
      'org_role' => 'Admin',
    },
  ],
}

Parameters:

  • attributes (Grafana::LDAP::Attributes) (defaults to: { 'name' => 'givenName', 'surname' => 'sn', 'username' => 'cn', 'member_of' => 'memberOf', 'email' => 'email', })

    LDAP attribute mappings.

  • bind_dn (Bodgitlib::LDAP::DN)

    The distinguished name to bind with.

  • bind_password (Optional[String]) (defaults to: undef)

    The password to bind with.

  • conf_file (Stdlib::Absolutepath) (defaults to: $::grafana::params::ldap_toml)

    Path to the LDAP configuration file, usually /etc/grafana/ldap.toml.

  • group_mappings (Optional[Array[Grafana::LDAP::Mappings, 1]]) (defaults to: undef)

    Mappings of LDAP group distinguished names to Grafana roles and organisations.

  • group_search_base_dns (Optional[Array[Bodgitlib::LDAP::DN, 1]]) (defaults to: undef)

    List of search bases for group searches.

  • group_search_filter (Optional[Bodgitlib::LDAP::Filter]) (defaults to: undef)

    Search filter to apply to group searches.

  • group_search_filter_user_attribute (Optional[String]) (defaults to: undef)
  • hosts (Array[Bodgitlib::Host, 1])

    List of LDAP servers to use.

  • port (Bodgitlib::Port) (defaults to: 389)

    The port to use.

  • root_ca_cert (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Path to the CA certificate used to validate SSL/TLS connections to the LDAP servers.

  • search_base_dns (Array[Bodgitlib::LDAP::DN, 1])

    List of search bases for user searches.

  • search_filter (Bodgitlib::LDAP::Filter)

    Search filter to apply to user searches.

  • ssl_skip_verify (Optional[Boolean]) (defaults to: undef)

    Whether to skip SSL/TLS certificate verification when connecting to the LDAP servers.

  • start_tls (Optional[Boolean]) (defaults to: undef)

    Whether to use STARTTLS for normal LDAP connections.

  • use_ssl (Optional[Boolean]) (defaults to: undef)

    Whether to connect using LDAPS instead of LDAP.

  • verbose_logging (Optional[Boolean]) (defaults to: undef)

    Whether to enable verbose logging.

See Also:



# File 'manifests/auth/ldap.pp', line 52

# @summary Configures Grafana for LDAP authentication.
#
# Renders the LDAP configuration file ($conf_file) from the module's
# ldap.toml.erb template and enables LDAP auth in grafana.ini through two
# grafana_ini_setting resources. The ::grafana base class must already be
# declared; otherwise this class fails the catalog compilation.
#
# @param bind_dn The distinguished name to bind with.
# @param hosts List of LDAP servers to use.
# @param search_base_dns List of search bases for user searches.
# @param search_filter Search filter to apply to user searches.
# @param attributes LDAP attribute mappings.
# @param bind_password The password to bind with. NOTE(review): bind_dn is
#   mandatory but bind_password defaults to undef; depending on how the
#   template renders a missing password, the directory may treat the bind as
#   unauthenticated rather than reject it — confirm against ldap.toml.erb.
# @param conf_file Path to the LDAP configuration file, usually
#   /etc/grafana/ldap.toml.
# @param group_mappings Mappings of LDAP group distinguished names to Grafana
#   roles and organisations.
# @param group_search_base_dns List of search bases for group searches.
# @param group_search_filter Search filter to apply to group searches.
# @param group_search_filter_user_attribute Not documented in this file.
# @param port The port to use.
# @param root_ca_cert Path to the CA certificate used to validate SSL/TLS
#   connections to the LDAP servers.
# @param ssl_skip_verify Whether to skip SSL/TLS certificate verification.
#   Setting this to true removes server-identity validation; prefer
#   root_ca_cert.
# @param start_tls Whether to use STARTTLS for normal LDAP connections.
# @param use_ssl Whether to connect using LDAPS instead of LDAP.
# @param verbose_logging Whether to enable verbose logging.
class grafana::auth::ldap (
  Bodgitlib::LDAP::DN                         $bind_dn,
  Array[Bodgitlib::Host, 1]                   $hosts,
  Array[Bodgitlib::LDAP::DN, 1]               $search_base_dns,
  Bodgitlib::LDAP::Filter                     $search_filter,
  Grafana::LDAP::Attributes                   $attributes                         = {
    'name'      => 'givenName',
    'surname'   => 'sn',
    'username'  => 'cn',
    'member_of' => 'memberOf',
    'email'     => 'email',
  },
  Optional[String]                            $bind_password                      = undef,
  Stdlib::Absolutepath                        $conf_file                          = $::grafana::params::ldap_toml,
  Optional[Array[Grafana::LDAP::Mappings, 1]] $group_mappings                     = undef,
  Optional[Array[Bodgitlib::LDAP::DN, 1]]     $group_search_base_dns              = undef,
  Optional[Bodgitlib::LDAP::Filter]           $group_search_filter                = undef,
  Optional[String]                            $group_search_filter_user_attribute = undef,
  Bodgitlib::Port                             $port                               = 389,
  Optional[Stdlib::Absolutepath]              $root_ca_cert                       = undef,
  Optional[Boolean]                           $ssl_skip_verify                    = undef,
  Optional[Boolean]                           $start_tls                          = undef,
  Optional[Boolean]                           $use_ssl                            = undef,
  Optional[Boolean]                           $verbose_logging                    = undef,
) inherits ::grafana::params {

  # defined() on a class is parse-order dependent: ::grafana has to be
  # declared before this class is evaluated, not merely somewhere in the
  # catalog, or compilation stops here.
  if ! defined(Class['::grafana']) {
    fail('You must include the grafana base class before using the grafana::auth::ldap class')
  }

  # The rendered TOML is owned by root with the Grafana group and mode 0640,
  # so the daemon can read it but cannot modify it and other users cannot
  # read it. The template receives this class's scope, so it presumably
  # writes bind_password into the file — treat the file as a secret.
  # It is ordered before the config_file ini setting so grafana.ini never
  # points at a path that does not exist yet, and a change restarts the
  # service.
  file { $conf_file:
    ensure  => file,
    owner   => 0,
    group   => $::grafana::group,
    mode    => '0640',
    content => template("${module_name}/ldap.toml.erb"),
    require => Class['::grafana::config'],
    before  => Grafana_ini_setting['auth.ldap/config_file'],
    notify  => Class['::grafana::service'],
  }

  # grafana.ini settings that switch LDAP auth on and point Grafana at the
  # file above. Kept as a class-scope variable, so it is reachable as
  # $grafana::auth::ldap::config from elsewhere.
  $config = {
    'auth.ldap/enabled'     => true,
    'auth.ldap/config_file' => $conf_file,
  }

  # One grafana_ini_setting per entry; each is applied after the base
  # config and triggers a service refresh on change.
  $config.each |String $setting, Any $value| {
    grafana_ini_setting { $setting:
      value   => $value,
      require => Class['::grafana::config'],
      notify  => Class['::grafana::service'],
    }
  }
}