grafana/conf/ldap.toml

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "127.0.0.1"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_AES_256_GCM_SHA384"])
# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go
tls_ciphers = []
# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1, TLS1.2, TLS1.3.
min_tls_version = ""
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "cn=admin,dc=grafana,dc=org"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'grafana'
# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
# bind_password = '$__env{LDAP_BIND_PASSWORD}'

# Timeout in seconds (applies to each host specified in the 'host' entry (space separated))
timeout = 10

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(cn=%s)"

# An array of base dns to search through
search_base_dns = ["dc=grafana,dc=org"]

## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# group_search_filter_user_attribute = "uid"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email =  "email"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
org_role = "Admin"
# To make user an instance admin  (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"
feat(ldap): better ldap logging, closes #6918 2016-12-14 15:01:02 -06:00			`# To troubleshoot and get more log info enable ldap debug logging in grafana.ini`
			`# [log]`
			`# filters = ldap:debug`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00
			`[[servers]]`
Support multiple space-separated LDAP hosts Signed-off-by: Alex Bligh <alex@alex.org.uk> 2015-10-11 11:14:46 -05:00			`# Ldap server host (specify multiple hosts space separated)`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`host = "127.0.0.1"`
docs(ldap): added ldap integration docs and config examples, #1450 2015-07-15 07:48:39 -05:00			`# Default port is 389 or 636 if use_ssl = true`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`port = 389`
LDAP: Update use_ssl documentation (#29964) 2020-12-23 02:14:02 -06:00			`# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`use_ssl = false`
LDAP: Update use_ssl documentation (#29964) 2020-12-23 02:14:02 -06:00			`# If set to true, use LDAP with STARTTLS instead of LDAPS`
support connect ldap server with starttls (#5969) * support connect ldap server with starttls * add more doc for start_tls option 2016-09-10 02:40:57 -05:00			`start_tls = false`
LDAP: Allow setting minimum TLS version and accepted ciphers (#63646) * update ldap library and use go module path * add TLS min version and accepted min TLS version * set default min ver to library default * set default min ver to library default * add cipher list to toml * Update pkg/services/ldap/settings.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Apply suggestions from code review Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * lint --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> 2023-02-28 05:13:46 -06:00			`# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_AES_256_GCM_SHA384"])`
			`# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go`
			`tls_ciphers = []`
			`# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1, TLS1.2, TLS1.3.`
			`min_tls_version = ""`
feat(ldap): added config options for ssl skip verify, and ssl server name, #1450 2015-07-16 04:57:59 -05:00			`# set to true if you want to skip ssl cert validation`
			`ssl_skip_verify = false`
Allow user specified CA certs Signed-off-by: Alex Bligh <alex@alex.org.uk> 2015-10-11 11:38:33 -05:00			`# set to the path to your root CA certificate or leave unset to use system defaults`
Fix ldap ca_cert example/docs for proper syntax (#8044) 2017-04-06 02:53:11 -05:00			`# root_ca_cert = "/path/to/certificate.crt"`
Support client certificates for LDAP servers 2018-08-03 05:00:20 -05:00			`# Authentication against LDAP servers requiring client certificates`
			`# client_cert = "/path/to/client.crt"`
			`# client_key = "/path/to/client.key"`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00
docs(ldap): added ldap integration docs and config examples, #1450 2015-07-15 07:48:39 -05:00			`# Search user bind dn`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`bind_dn = "cn=admin,dc=grafana,dc=org"`
docs(ldap): added ldap integration docs and config examples, #1450 2015-07-15 07:48:39 -05:00			`# Search user bind password`
Update ldap.toml 2018-02-15 12:41:15 -06:00			`# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""`
fix(ldap conf): updated ldap conf example to use literal string syntax for bind_password 2015-07-18 02:30:09 -05:00			`bind_password = 'grafana'`
Docs: Add variable expansion recommendation (#56368) * docs: add variable expansion recommendation * docs: updated the ldap docs in configure grafana 2022-10-07 11:04:37 -05:00			`# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion`
			`# bind_password = '$__env{LDAP_BIND_PASSWORD}'`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00
LDAP: Allow specifying LDAP timeout (#48870) * Allow specifying LDAP timeout * Update docs/sources/auth/ldap.md Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com> * LDAP timeout: Add annotations; Make functions "private" * Setting the default timeout if unspecified * fix goimports lint issue Co-authored-by: brendamuir <100768211+brendamuir@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 01:52:54 -05:00			`# Timeout in seconds (applies to each host specified in the 'host' entry (space separated))`
			`timeout = 10`

feat(ldap): refactoring of PR #2928 updated docs 2015-10-26 10:21:03 -05:00			`# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`search_filter = "(cn=%s)"`
feat(ldap): refactoring of PR #2928 updated docs 2015-10-26 10:21:03 -05:00
docs(ldap): added ldap integration docs and config examples, #1450 2015-07-15 07:48:39 -05:00			`# An array of base dns to search through`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`search_base_dns = ["dc=grafana,dc=org"]`

ldap: made minor change to group search, and to docs 2018-09-14 04:28:17 -05:00			`## For Posix or LDAP setups that does not support member_of attribute you can define the below settings`
			`## Please check grafana LDAP docs for examples`
Add support for POSIX LDAP schema In the POSIX LDAP schema, there is no 'memberOf' attribute returned in relation to which groups a person is a member of. Rather, it is necessary to query the group objects which have the people as members. This commit adds an additional filter, which if specified explicitly searches for groups, rather than relying on the 'memberOf' attribute. This enables Grafana to work with LDAP POSIX schema (e.g. OpenLDAP etc.) Signed-off-by: Alex Bligh <alex@alex.org.uk> 2015-10-13 13:36:21 -05:00			`# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"`
			`# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]`
ldap: made minor change to group search, and to docs 2018-09-14 04:28:17 -05:00			`# group_search_filter_user_attribute = "uid"`
Add support for POSIX LDAP schema In the POSIX LDAP schema, there is no 'memberOf' attribute returned in relation to which groups a person is a member of. Rather, it is necessary to query the group objects which have the people as members. This commit adds an additional filter, which if specified explicitly searches for groups, rather than relying on the 'memberOf' attribute. This enables Grafana to work with LDAP POSIX schema (e.g. OpenLDAP etc.) Signed-off-by: Alex Bligh <alex@alex.org.uk> 2015-10-13 13:36:21 -05:00
docs(ldap): added ldap integration docs and config examples, #1450 2015-07-15 07:48:39 -05:00			`# Specify names of the ldap attributes your ldap uses`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`[servers.attributes]`
			`name = "givenName"`
			`surname = "sn"`
			`username = "cn"`
			`member_of = "memberOf"`
			`email = "email"`

docs(ldap): added ldap integration docs and config examples, #1450 2015-07-15 07:48:39 -05:00			`# Map ldap groups to grafana org roles`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`[[servers.group_mappings]]`
LDAP: Align ldap example with the devenv testdata (#18343) 2019-08-02 05:00:13 -05:00			`group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`org_role = "Admin"`
docs: minor docs fix 2018-07-18 06:20:28 -05:00			`# To make user an instance admin (Grafana Admin) uncomment line below`
ldap: Make it possible to define Grafana admins via ldap setup, closes #2469 2018-07-16 09:56:42 -05:00			`# grafana_admin = true`
docs(ldap): added ldap integration docs and config examples, #1450 2015-07-15 07:48:39 -05:00			`# The Grafana organization database id, optional, if left out the default org (id 1) will be used`
			`# org_id = 1`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00
fix(ldap): minor fixes, should not have any real impact, #2421 2015-08-01 03:28:43 -05:00			`[[servers.group_mappings]]`
LDAP: inline toml with devenv (#57499) 2022-10-24 04:01:58 -05:00			`group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`org_role = "Editor"`

			`[[servers.group_mappings]]`
docs(ldap): added ldap integration docs and config examples, #1450 2015-07-15 07:48:39 -05:00			`# If you want to match all (or no ldap groups) then you can use wildcard`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 03:08:23 -05:00			`group_dn = "*"`
			`org_role = "Viewer"`