Promote openldap-mac (#61332)

* Replace `openldap` with `openldap-mac` * Rename all references for `openldap-mac` * Rename prepopulated users with first names
2025-02-25 18:55:37 -06:00 · 2023-01-12 10:20:01 +01:00 · 2023-01-12 10:20:01 +01:00 · 8ba5f59fb7
commit 8ba5f59fb7
parent 7339dbc090
17 changed files with 24 additions and 596 deletions
--- a/devenv/docker/blocks/auth/README.md
+++ b/devenv/docker/blocks/auth/README.md
@ -26,7 +26,6 @@ by the `devenv` target.
 - [nginx_proxy_mac](./nginx_proxy_mac)
 - [oauth](./oauth)
 - [openldap](./openldap)
- [openldap-mac](./openldap-mac)
 - [openldap-multiple](./openldap-multiple)
 - [prometheus_basic_auth_proxy](./prometheus_basic_auth_proxy)
 - [saml](./saml)
--- a/devenv/docker/blocks/auth/openldap-mac/docker-compose.yaml
+++ b/devenv/docker/blocks/auth/openldap-mac/docker-compose.yaml
@ -1,14 +0,0 @@
-  openldap-mac:
-    container_name: ldap
-    image: osixia/openldap
-    environment:
-      LDAP_ORGANISATION: grafana
-      LDAP_DOMAIN: grafana.org
-      LDAP_ADMIN_PASSWORD: grafana
-      LDAP_SEED_INTERNAL_LDIF_PATH: /tmp/smt/
-    ports:
-      - 389:389
-      - 636:636
-    restart: unless-stopped
-    volumes:
-      - ./docker/blocks/auth/openldap-mac/prepopulate/:/tmp/smt/
--- a/devenv/docker/blocks/auth/openldap-mac/prepopulate/1_units.ldif
+++ b/devenv/docker/blocks/auth/openldap-mac/prepopulate/1_units.ldif
@ -1,9 +0,0 @@
-dn: ou=groups,dc=grafana,dc=org
-ou: Groups
-objectclass: top
-objectclass: organizationalUnit
-
-dn: ou=users,dc=grafana,dc=org
-ou: Users
-objectclass: top
-objectclass: organizationalUnit
--- a/devenv/docker/blocks/auth/openldap-mac/prepopulate/2_users.ldif
+++ b/devenv/docker/blocks/auth/openldap-mac/prepopulate/2_users.ldif
@ -1,108 +0,0 @@
-# ldap-admin
-dn: cn=ldap-admin,ou=users,dc=grafana,dc=org
-mail: ldap-admin@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-admin
-cn: ldap-admin
-
-dn: cn=ldap-editor,ou=users,dc=grafana,dc=org
-mail: ldap-editor@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-editor
-cn: ldap-editor
-
-dn: cn=ldap-viewer,ou=users,dc=grafana,dc=org
-mail: ldap-viewer@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-viewer
-cn: ldap-viewer
-
-dn: cn=ldap-carl,ou=users,dc=grafana,dc=org
-mail: ldap-carl@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-carl
-cn: ldap-carl
-
-dn: cn=ldap-daniel,ou=users,dc=grafana,dc=org
-mail: ldap-daniel@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-daniel
-cn: ldap-daniel
-
-dn: cn=ldap-leo,ou=users,dc=grafana,dc=org
-mail: ldap-leo@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-leo
-cn: ldap-leo
-
-dn: cn=ldap-tobias,ou=users,dc=grafana,dc=org
-mail: ldap-tobias@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-tobias
-cn: ldap-tobias
-
-dn: cn=ldap-torkel,ou=users,dc=grafana,dc=org
-mail: ldap-torkel@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-torkel
-cn: ldap-torkel
-
-# admin for posix group (without support for memberOf attribute)
-dn: uid=ldap-posix-admin,ou=users,dc=grafana,dc=org
-mail: ldap-posix-admin@grafana.com
-userPassword: grafana
-objectclass: top
-objectclass: posixAccount
-objectclass: inetOrgPerson
-homedirectory: /home/ldap-posix-admin
-sn: ldap-posix-admin
-cn: ldap-posix-admin
-uid: ldap-posix-admin
-uidnumber: 1
-gidnumber: 1
-
-# user for posix group (without support for memberOf attribute)
-dn: uid=ldap-posix,ou=users,dc=grafana,dc=org
-mail: ldap-posix@grafana.com
-userPassword: grafana
-objectclass: top
-objectclass: posixAccount
-objectclass: inetOrgPerson
-homedirectory: /home/ldap-posix
-sn: ldap-posix
-cn: ldap-posix
-uid: ldap-posix
-uidnumber: 2
-gidnumber: 2
--- a/devenv/docker/blocks/auth/openldap-mac/prepopulate/3_groups.ldif
+++ b/devenv/docker/blocks/auth/openldap-mac/prepopulate/3_groups.ldif
@ -1,43 +0,0 @@
-dn: cn=admins,ou=groups,dc=grafana,dc=org
-cn: admins
-objectClass: groupOfUniqueNames
-objectClass: top
-uniqueMember: cn=ldap-admin,ou=users,dc=grafana,dc=org
-uniqueMember: cn=ldap-torkel,ou=users,dc=grafana,dc=org
-
-dn: cn=editors,ou=groups,dc=grafana,dc=org
-cn: editors
-objectClass: groupOfUniqueNames
-uniqueMember: cn=ldap-editor,ou=users,dc=grafana,dc=org
-
-dn: cn=backend,ou=groups,dc=grafana,dc=org
-cn: backend
-objectClass: groupOfUniqueNames
-uniqueMember: cn=ldap-carl,ou=users,dc=grafana,dc=org
-uniqueMember: cn=ldap-leo,ou=users,dc=grafana,dc=org
-uniqueMember: cn=ldap-torkel,ou=users,dc=grafana,dc=org
-
-dn: cn=frontend,ou=groups,dc=grafana,dc=org
-cn: frontend
-objectClass: groupOfUniqueNames
-uniqueMember: cn=ldap-torkel,ou=users,dc=grafana,dc=org
-uniqueMember: cn=ldap-daniel,ou=users,dc=grafana,dc=org
-uniqueMember: cn=ldap-leo,ou=users,dc=grafana,dc=org
-
-# -- POSIX --
-
-# posix admin group (without support for memberOf attribute)
-dn: cn=posix-admins,ou=groups,dc=grafana,dc=org
-cn: admins
-objectClass: top
-objectClass: posixGroup
-gidNumber: 1
-memberUid: ldap-posix-admin
-
-# posix group (without support for memberOf attribute)
-dn: cn=posix,ou=groups,dc=grafana,dc=org
-cn: viewers
-objectClass: top
-objectClass: posixGroup
-gidNumber: 2
-memberUid: ldap-posix
--- a/devenv/docker/blocks/auth/openldap/Dockerfile
+++ b/devenv/docker/blocks/auth/openldap/Dockerfile
@ -1,32 +0,0 @@
-# Fork of https://github.com/dinkel/docker-openldap
-
-FROM debian:jessie
-
-LABEL maintainer="Grafana team <hello@grafana.com>"
-
-ENV OPENLDAP_VERSION 2.4.40
-
-RUN apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
-        slapd=${OPENLDAP_VERSION}* \
-        ldap-utils && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
-
-RUN mv /etc/ldap /etc/ldap.dist
-
-EXPOSE 389
-
-VOLUME ["/etc/ldap", "/var/lib/ldap"]
-
-COPY ldap.conf /etc/ldap.dist/ldap.conf
-
-COPY modules/ /etc/ldap.dist/modules
-COPY prepopulate/ /etc/ldap.dist/prepopulate
-
-COPY entrypoint.sh /entrypoint.sh
-COPY prepopulate.sh /prepopulate.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
-
-CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]
--- a/devenv/docker/blocks/auth/openldap-mac/README.md
+++ b/devenv/docker/blocks/auth/openldap-mac/README.md
@ -7,7 +7,7 @@ This Docker block is an updated version from [OpenLDAP](../openldap/) block. Thi
 First build and deploy the `openldap` container.

 ```bash
-make devenv sources=auth/openldap-mac
+make devenv sources=auth/openldap
 ```

 ### Exposed ports
--- a/devenv/docker/blocks/auth/openldap/docker-compose.yaml
+++ b/devenv/docker/blocks/auth/openldap/docker-compose.yaml
@ -1,11 +1,14 @@
  openldap:
    container_name: ldap
-    build: docker/blocks/auth/openldap
+    image: osixia/openldap
    environment:
-      SLAPD_PASSWORD: grafana
-      SLAPD_DOMAIN: grafana.org
-      SLAPD_ADDITIONAL_MODULES: memberof
+      LDAP_ORGANISATION: grafana
+      LDAP_DOMAIN: grafana.org
+      LDAP_ADMIN_PASSWORD: grafana
+      LDAP_SEED_INTERNAL_LDIF_PATH: /tmp/smt/
    ports:
-      - "389:389"
-
-
+      - 389:389
+      - 636:636
+    restart: unless-stopped
+    volumes:
+      - ./docker/blocks/auth/openldap/prepopulate/:/tmp/smt/
--- a/devenv/docker/blocks/auth/openldap/entrypoint.sh
+++ b/devenv/docker/blocks/auth/openldap/entrypoint.sh
@ -1,94 +0,0 @@
-#!/bin/bash
-
-# When not limiting the open file descriptors limit, the memory consumption of
-# slapd is absurdly high. See https://github.com/docker/docker/issues/8231
-ulimit -n 8192
-
-
-set -e
-
-chown -R openldap:openldap /var/lib/ldap/
-
-if [[ ! -d /etc/ldap/slapd.d ]]; then
-
-    if [[ -z "$SLAPD_PASSWORD" ]]; then
-        echo -n >&2 "Error: Container not configured and SLAPD_PASSWORD not set. "
-        echo >&2 "Did you forget to add -e SLAPD_PASSWORD=... ?"
-        exit 1
-    fi
-
-    if [[ -z "$SLAPD_DOMAIN" ]]; then
-        echo -n >&2 "Error: Container not configured and SLAPD_DOMAIN not set. "
-        echo >&2 "Did you forget to add -e SLAPD_DOMAIN=... ?"
-        exit 1
-    fi
-
-    SLAPD_ORGANIZATION="${SLAPD_ORGANIZATION:-${SLAPD_DOMAIN}}"
-
-    cp -a /etc/ldap.dist/* /etc/ldap
-
-    cat <<-EOF | debconf-set-selections
-        slapd slapd/no_configuration boolean false
-        slapd slapd/password1 password $SLAPD_PASSWORD
-        slapd slapd/password2 password $SLAPD_PASSWORD
-        slapd shared/organization string $SLAPD_ORGANIZATION
-        slapd slapd/domain string $SLAPD_DOMAIN
-        slapd slapd/backend select HDB
-        slapd slapd/allow_ldap_v2 boolean false
-        slapd slapd/purge_database boolean false
-        slapd slapd/move_old_database boolean true
-EOF
-
-    dpkg-reconfigure -f noninteractive slapd >/dev/null 2>&1
-
-    dc_string=""
-
-    IFS="."; declare -a dc_parts=($SLAPD_DOMAIN)
-
-    for dc_part in "${dc_parts[@]}"; do
-        dc_string="$dc_string,dc=$dc_part"
-    done
-
-    if [[ -n "$SLAPD_CONFIG_PASSWORD" ]]; then
-        password_hash=`slappasswd -s "${SLAPD_CONFIG_PASSWORD}"`
-
-        sed_safe_password_hash=${password_hash//\//\\\/}
-
-        slapcat -n0 -F /etc/ldap/slapd.d -l /tmp/config.ldif
-        sed -i "s/\(olcRootDN: cn=admin,cn=config\)/\1\nolcRootPW: ${sed_safe_password_hash}/g" /tmp/config.ldif
-        rm -rf /etc/ldap/slapd.d/*
-        slapadd -n0 -F /etc/ldap/slapd.d -l /tmp/config.ldif >/dev/null 2>&1
-    fi
-
-    if [[ -n "$SLAPD_ADDITIONAL_SCHEMAS" ]]; then
-        IFS=","; declare -a schemas=($SLAPD_ADDITIONAL_SCHEMAS); unset IFS
-
-        for schema in "${schemas[@]}"; do
-            slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/schema/${schema}.ldif" >/dev/null 2>&1
-        done
-    fi
-
-    if [[ -n "$SLAPD_ADDITIONAL_MODULES" ]]; then
-        IFS=","; declare -a modules=($SLAPD_ADDITIONAL_MODULES); unset IFS
-
-        for module in "${modules[@]}"; do
-          echo "Adding module ${module}"
-          slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/${module}.ldif" >/dev/null 2>&1
-        done
-    fi
-
-    # This needs to run in background
-    # Will prepopulate entries after ldap daemon has started
-    ./prepopulate.sh &
-
-    chown -R openldap:openldap /etc/ldap/slapd.d/ /var/lib/ldap/ /var/run/slapd/
-else
-    slapd_configs_in_env=`env | grep 'SLAPD_'`
-
-    if [ -n "${slapd_configs_in_env:+x}" ]; then
-        echo "Info: Container already configured, therefore ignoring SLAPD_xxx environment variables"
-    fi
-fi
-
-exec "$@"
-
--- a/devenv/docker/blocks/auth/openldap/ldap.conf
+++ b/devenv/docker/blocks/auth/openldap/ldap.conf
@ -1,16 +0,0 @@
-#
-# LDAP Defaults
-#
-
-# See ldap.conf(5) for details
-# This file should be world readable but not world writable.
-
-BASE dc=grafana,dc=org
-#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
-
-SIZELIMIT	1000
-#TIMELIMIT	15
-#DEREF		never
-
-# TLS certificates (needed for GnuTLS)
-TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
--- a/devenv/docker/blocks/auth/openldap/ldap_dev.toml
+++ b/devenv/docker/blocks/auth/openldap/ldap_dev.toml
@ -1,54 +0,0 @@
-# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
-# [log]
-# filters = ldap:debug
-
-[[servers]]
-# Ldap server host (specify multiple hosts space separated)
-host = "127.0.0.1"
-# Default port is 389 or 636 if use_ssl = true
-port = 389
-# Set to true if ldap server supports TLS
-use_ssl = false
-# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
-start_tls = false
-# set to true if you want to skip ssl cert validation
-ssl_skip_verify = false
-# set to the path to your root CA certificate or leave unset to use system defaults
-# root_ca_cert = "/path/to/certificate.crt"
-
-# Search user bind dn
-bind_dn = "cn=admin,dc=grafana,dc=org"
-# Search user bind password
-# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-bind_password = 'grafana'
-
-# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
-search_filter = "(cn=%s)"
-
-# An array of base dns to search through
-search_base_dns = ["dc=grafana,dc=org"]
-
-# Specify names of the ldap attributes your ldap uses
-[servers.attributes]
-name = "givenName"
-surname = "sn"
-username = "cn"
-member_of = "memberOf"
-email =  "email"
-
-# Map ldap groups to grafana org roles
-[[servers.group_mappings]]
-group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
-org_role = "Admin"
-grafana_admin = true
-# The Grafana organization database id, optional, if left out the default org (id 1) will be used
-# org_id = 1
-
-[[servers.group_mappings]]
-group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
-org_role = "Editor"
-
-[[servers.group_mappings]]
-# If you want to match all (or no ldap groups) then you can use wildcard
-group_dn = "*"
-org_role = "Viewer"
--- a/devenv/docker/blocks/auth/openldap/ldap_posix_dev.toml
+++ b/devenv/docker/blocks/auth/openldap/ldap_posix_dev.toml
@ -1,57 +0,0 @@
-# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
-# [log]
-# filters = ldap:debug
-
-[[servers]]
-# Ldap server host (specify multiple hosts space separated)
-host = "127.0.0.1"
-# Default port is 389 or 636 if use_ssl = true
-port = 389
-# Set to true if ldap server supports TLS
-use_ssl = false
-# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
-start_tls = false
-# set to true if you want to skip ssl cert validation
-ssl_skip_verify = false
-# set to the path to your root CA certificate or leave unset to use system defaults
-# root_ca_cert = "/path/to/certificate.crt"
-
-# Search user bind dn
-bind_dn = "cn=admin,dc=grafana,dc=org"
-# Search user bind password
-# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
-bind_password = 'grafana'
-
-# An array of base dns to search through
-search_base_dns = ["dc=grafana,dc=org"]
-
-search_filter = "(uid=%s)"
-
-group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
-group_search_filter_user_attribute = "uid"
-group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
-
-[servers.attributes]
-name = "givenName"
-surname = "sn"
-username = "cn"
-member_of = "memberOf"
-email =  "email"
-
-# Map ldap groups to grafana org roles
-[[servers.group_mappings]]
-group_dn = "cn=posix-admins,ou=groups,dc=grafana,dc=org"
-org_role = "Admin"
-grafana_admin = true
-
-# The Grafana organization database id, optional, if left out the default org (id 1) will be used
-# org_id = 1
-
-[[servers.group_mappings]]
-group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
-org_role = "Editor"
-
-[[servers.group_mappings]]
-# If you want to match all (or no ldap groups) then you can use wildcard
-group_dn = "*"
-org_role = "Viewer"
--- a/devenv/docker/blocks/auth/openldap/modules/memberof.ldif
+++ b/devenv/docker/blocks/auth/openldap/modules/memberof.ldif
@ -1,33 +0,0 @@
-dn: cn=module,cn=config
-cn: module
-objectClass: olcModuleList
-objectClass: top
-olcModulePath: /usr/lib/ldap
-olcModuleLoad: memberof.la
-
-dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
-objectClass: olcConfig
-objectClass: olcMemberOf
-objectClass: olcOverlayConfig
-objectClass: top
-olcOverlay: memberof
-olcMemberOfDangling: ignore
-olcMemberOfRefInt: TRUE
-olcMemberOfGroupOC: groupOfNames
-olcMemberOfMemberAD: member
-olcMemberOfMemberOfAD: memberOf
-
-dn: cn=module,cn=config
-cn: module
-objectClass: olcModuleList
-objectClass: top
-olcModulePath: /usr/lib/ldap
-olcModuleLoad: refint.la
-
-dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
-objectClass: olcConfig
-objectClass: olcOverlayConfig
-objectClass: olcRefintConfig
-objectClass: top
-olcOverlay: {1}refint
-olcRefintAttribute: memberof member manager owner
--- a/devenv/docker/blocks/auth/openldap/notes.md
+++ b/devenv/docker/blocks/auth/openldap/notes.md
@ -1,50 +0,0 @@
-# Notes on OpenLdap Docker Block
-
-Any ldif files added to the prepopulate subdirectory will be automatically imported into the OpenLdap database.
-
-Note that users that are added here need to specify a `memberOf` attribute manually as well as the `member` attribute for the group. The `memberOf` module usually does this automatically (if you add a group in Apache Directory Studio for example) but this does not work in the entrypoint script as it uses the `slapadd` command to add entries before the server has started and before the `memberOf` module is loaded.
-
-After adding ldif files to `prepopulate`:
-
-1. Remove your current docker image: `docker rm docker_openldap_1`
-2. Build: `docker-compose build`
-3. `docker-compose up`
-
-## Enabling LDAP in Grafana
-
-If you want to use users/groups with `memberOf` support Copy the ldap_dev.toml file in this folder into your `conf` folder (it is gitignored already). To enable it in the .ini file to get Grafana to use this block:
-
-```ini
-[auth.ldap]
-enabled = true
-config_file = conf/ldap_dev.toml
-; allow_sign_up = true
-```
-
-Otherwise perform same actions for `ldap_dev_posix.toml` config.
-
-## Groups & Users
-
- admins
-  - ldap-admin
-  - ldap-torkel
- backend
-  - ldap-carl
-  - ldap-torkel
-  - ldap-leo
- frontend
-  - ldap-torkel
-  - ldap-tobias
-  - ldap-daniel
- editors
-  - ldap-editors
- no groups
-  - ldap-viewer
-
-
-## Groups & Users (POSIX)
-
- admins
-  - ldap-posix-admin
- no groups
-  - ldap-posix
--- a/devenv/docker/blocks/auth/openldap/prepopulate.sh
+++ b/devenv/docker/blocks/auth/openldap/prepopulate.sh
@ -1,14 +0,0 @@
-#!/bin/bash
-
-echo "Pre-populating ldap entries, first waiting for ldap to start"
-
-sleep 3
-
-adminUserDn="cn=admin,dc=grafana,dc=org"
-adminPassword="grafana"
-
-for file in `ls /etc/ldap/prepopulate/*.ldif`; do
-  ldapadd -x -D $adminUserDn -w $adminPassword -f "$file"
-done
-
-
--- a/devenv/docker/blocks/auth/openldap/prepopulate/2_users.ldif
+++ b/devenv/docker/blocks/auth/openldap/prepopulate/2_users.ldif
@ -29,56 +29,6 @@ objectClass: organizationalPerson
 sn: ldap-viewer
 cn: ldap-viewer

-dn: cn=ldap-carl,ou=users,dc=grafana,dc=org
-mail: ldap-carl@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-carl
-cn: ldap-carl
-
-dn: cn=ldap-daniel,ou=users,dc=grafana,dc=org
-mail: ldap-daniel@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-daniel
-cn: ldap-daniel
-
-dn: cn=ldap-leo,ou=users,dc=grafana,dc=org
-mail: ldap-leo@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-leo
-cn: ldap-leo
-
-dn: cn=ldap-tobias,ou=users,dc=grafana,dc=org
-mail: ldap-tobias@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-tobias
-cn: ldap-tobias
-
-dn: cn=ldap-torkel,ou=users,dc=grafana,dc=org
-mail: ldap-torkel@grafana.com
-userPassword: grafana
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-objectClass: organizationalPerson
-sn: ldap-torkel
-cn: ldap-torkel
-
 # admin for posix group (without support for memberOf attribute)
 dn: uid=ldap-posix-admin,ou=users,dc=grafana,dc=org
 mail: ldap-posix-admin@grafana.com
--- a/devenv/docker/blocks/auth/openldap/prepopulate/3_groups.ldif
+++ b/devenv/docker/blocks/auth/openldap/prepopulate/3_groups.ldif
@ -1,28 +1,28 @@
 dn: cn=admins,ou=groups,dc=grafana,dc=org
 cn: admins
-objectClass: groupOfNames
+objectClass: groupOfUniqueNames
 objectClass: top
-member: cn=ldap-admin,ou=users,dc=grafana,dc=org
-member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+uniqueMember: cn=ldap-admin,ou=users,dc=grafana,dc=org
+uniqueMember: cn=ldap-torkel,ou=users,dc=grafana,dc=org

 dn: cn=editors,ou=groups,dc=grafana,dc=org
 cn: editors
-objectClass: groupOfNames
-member: cn=ldap-editor,ou=users,dc=grafana,dc=org
+objectClass: groupOfUniqueNames
+uniqueMember: cn=ldap-editor,ou=users,dc=grafana,dc=org

 dn: cn=backend,ou=groups,dc=grafana,dc=org
 cn: backend
-objectClass: groupOfNames
-member: cn=ldap-carl,ou=users,dc=grafana,dc=org
-member: cn=ldap-leo,ou=users,dc=grafana,dc=org
-member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+objectClass: groupOfUniqueNames
+uniqueMember: cn=ldap-carl,ou=users,dc=grafana,dc=org
+uniqueMember: cn=ldap-leo,ou=users,dc=grafana,dc=org
+uniqueMember: cn=ldap-torkel,ou=users,dc=grafana,dc=org

 dn: cn=frontend,ou=groups,dc=grafana,dc=org
 cn: frontend
-objectClass: groupOfNames
-member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
-member: cn=ldap-daniel,ou=users,dc=grafana,dc=org
-member: cn=ldap-leo,ou=users,dc=grafana,dc=org
+objectClass: groupOfUniqueNames
+uniqueMember: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+uniqueMember: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+uniqueMember: cn=ldap-leo,ou=users,dc=grafana,dc=org

 # -- POSIX --