LDAP: Add guide on how to configure LDAP with TLS (#91686)

add guide on how to configure LDAP with TLS
This commit is contained in:
Mihai Doarna 2024-08-08 15:29:00 +03:00 committed by GitHub
parent 0e5d7633f7
commit 37f198d5e8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 45 additions and 1 deletions

.gitignore vendored

@ -87,6 +87,7 @@ example-apiserver/
/devenv/docker/blocks/tempo/tempo-data/ /devenv/docker/blocks/tempo/tempo-data/
/devenv/docker/ha-test-unified-alerting/logs/webhook/dumps/ /devenv/docker/ha-test-unified-alerting/logs/webhook/dumps/
/devenv/docker/ha-test-unified-alerting/logs/webhook/webhook-listener.log /devenv/docker/ha-test-unified-alerting/logs/webhook/webhook-listener.log
/devenv/docker/blocks/auth/openldap/certs/
conf/custom.ini conf/custom.ini
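Review bot: the new `/devenv/docker/blocks/auth/openldap/certs/` entry is placed between the `ha-test-unified-alerting` log paths and `conf/custom.ini` rather than next to the other `/devenv/docker/blocks/...` rule a few lines up (`/devenv/docker/blocks/tempo/tempo-data/`); moving it there keeps the devenv block ignores grouped. Ignoring the whole directory is the right choice, since the docker-compose change in this commit mounts it into the container as the home of `ldap.key`, and that private key must never be committed.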


@ -53,4 +53,42 @@ The default configuration between Grafana and the OpenLDAP container is configur
- admins - admins
- ldap-posix-admin - ldap-posix-admin
- no groups - no groups
- ldap-posix - ldap-posix
## Configure LDAP with TLS
After the `openldap` container has been deployed, you have to copy the CA from the docker container:
```bash
# get the container ID
docker ps
docker cp CONTAINER-ID:"/container/service/:ssl-tools/assets/default-ca/default-ca.pem" devenv/docker/blocks/auth/openldap/certs
```
To configure TLS you need the following lines in the .toml file under the `[[servers]]` section:
```ini
tls_ciphers = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
min_tls_version = "TLS1.2"
ssl_skip_verify = true
root_ca_cert = "devenv/docker/blocks/auth/openldap/certs/default-ca.pem"
client_cert = "devenv/docker/blocks/auth/openldap/certs/ldap.crt"
client_key = "devenv/docker/blocks/auth/openldap/certs/ldap.key"
```
For simplicity, the same private key is shared between the server and the client. To generate your own private keys and certificates please follow this guide: https://enlook.wordpress.com/2015/09/30/howto-generate-certificate-for-openldap-and-using-it-for-certificate-authentication/.
- To connect over LDAPS include this config:
```ini
port = 636
use_ssl = true
start_tls = false
```
- To connect with STARTTLS use this config:
```ini
port = 389
use_ssl = true
start_tls = true
```
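Review bot: `ssl_skip_verify = true` in the `[[servers]]` snippet turns off verification of the server certificate, so the `root_ca_cert` that the preceding `docker cp` step extracts is never actually checked; since the guide already walks the reader through obtaining `default-ca.pem`, set `ssl_skip_verify = false` or explain why it has to stay `true` in this devenv. Two smaller points in the same block: `tls_ciphers = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]` pins a single ECDHE-ECDSA suite, which only negotiates when `ldap.crt` is an ECDSA certificate, so either state that requirement next to the linked how-to or leave the cipher list at its default; and the `client_cert`/`client_key` lines reuse the server's own `ldap.crt`/`ldap.key`, which the text acknowledges, but it should say plainly that this is a devenv shortcut and not a pattern for a real deployment. Formatting: the three `ini` fences and the two `-` bullets follow prose lines with no blank line in between; add blank lines so the rendered Markdown keeps the fences and list items separate.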


@ -6,9 +6,14 @@
LDAP_DOMAIN: grafana.org LDAP_DOMAIN: grafana.org
LDAP_ADMIN_PASSWORD: grafana LDAP_ADMIN_PASSWORD: grafana
LDAP_SEED_INTERNAL_LDIF_PATH: /tmp/smt/ LDAP_SEED_INTERNAL_LDIF_PATH: /tmp/smt/
LDAP_TLS_CRT_FILENAME: ldap.crt
LDAP_TLS_KEY_FILENAME: ldap.key
LDAP_TLS_CA_CRT_FILENAME: ca.crt
LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
ports: ports:
- 389:389 - 389:389
- 636:636 - 636:636
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- ./docker/blocks/auth/openldap/prepopulate/:/tmp/smt/ - ./docker/blocks/auth/openldap/prepopulate/:/tmp/smt/
- ./docker/blocks/auth/openldap/certs/:/container/service/slapd/assets/certs/
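Review bot: `LDAP_TLS_CA_CRT_FILENAME: ca.crt` introduces a CA file in the mounted `certs/` directory that the guide in this commit never mentions; the guide instead has the reader `docker cp` `default-ca.pem` out of the container and points `root_ca_cert` at that copy. Clarify whether `ca.crt` and `default-ca.pem` are the same CA, and if they are, point `root_ca_cert` at `devenv/docker/blocks/auth/openldap/certs/ca.crt` and drop the copy step. The guide also references `ldap.crt` and `ldap.key` without saying how they end up in `certs/`; a one-line comment above `LDAP_TLS_CRT_FILENAME` stating where those files are expected to come from would close that gap. Finally, the `LDAP_TLS_CIPHER_SUITE` string (`-VERS-TLS-ALL:+VERS-TLS1.2`) restricts the server to TLS 1.2, which matches `min_tls_version = "TLS1.2"` in the guide but is not self-explanatory; a short comment on why TLS 1.3 is excluded would help whoever touches this next.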