
Feature: provide multildap server configuration (#16914)

* Feature: provide multildap server configuration

* Add multildap server configuration for devenv

* Change some of the notes for openldap devenv configuration

* Change the maintainer label for *main* dockerfile and of the devenv one

Re-checked the multildap logic - everything seems to be working fine
Oleg Gaidarenko %!s(int64=6) %!d(string=hai) anos
pai
achega
db95414d02

+ 2 - 0
Dockerfile

@@ -35,6 +35,8 @@ RUN ./node_modules/.bin/grunt build
 # Final container
 FROM debian:stretch-slim
 
+LABEL maintainer="Grafana team <hello@grafana.com>"
+
 ARG GF_UID="472"
 ARG GF_GID="472"
 

+ 30 - 0
devenv/docker/blocks/multiple-openldap/admins-ldap-server/Dockerfile

@@ -0,0 +1,30 @@
+# Fork of https://github.com/dinkel/docker-openldap
+
+FROM debian:jessie
+
+LABEL maintainer="Grafana team <hello@grafana.com>"
+
+ENV OPENLDAP_VERSION 2.4.40
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+        slapd=${OPENLDAP_VERSION}* \
+        ldap-utils && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN mv /etc/ldap /etc/ldap.dist
+
+EXPOSE 389
+
+VOLUME ["/etc/ldap", "/var/lib/ldap"]
+
+COPY modules/ /etc/ldap.dist/modules
+COPY prepopulate/ /etc/ldap.dist/prepopulate
+
+COPY ../entrypoint.sh /entrypoint.sh
+COPY ../prepopulate.sh /prepopulate.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]
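Review bot: `COPY ../entrypoint.sh /entrypoint.sh` and `COPY ../prepopulate.sh /prepopulate.sh` reference files outside the build context, and docker-compose.yaml builds this image with `build: docker/blocks/multiple-openldap/admins-ldap-server` as that context, so Docker should refuse the build ("forbidden path outside the build context"). Either make `multiple-openldap/` the context (`context: docker/blocks/multiple-openldap`, `dockerfile: admins-ldap-server/Dockerfile`) and copy `admins-ldap-server/modules/` etc. from there, or place copies of the two scripts in each server directory. Separately, `debian:jessie` with `slapd=2.4.40*` pins an old release line; acceptable for a throwaway devenv, but a comment such as `# Dev/test image only: old base, never expose outside the developer host` would stop it being reused for anything network-reachable.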

+ 33 - 0
devenv/docker/blocks/multiple-openldap/admins-ldap-server/modules/memberof.ldif

@@ -0,0 +1,33 @@
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: memberof.la
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: refint.la
+
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner

+ 9 - 0
devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/1_units.ldif

@@ -0,0 +1,9 @@
+dn: ou=groups,dc=grafana,dc=org
+ou: Groups
+objectclass: top
+objectclass: organizationalUnit
+
+dn: ou=users,dc=grafana,dc=org
+ou: Users
+objectclass: top
+objectclass: organizationalUnit

+ 20 - 0
devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/2_users.ldif

@@ -0,0 +1,20 @@
+# ldap-admin
+dn: cn=ldap-admin,ou=users,dc=grafana,dc=org
+mail: ldap-admin@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-admin
+cn: ldap-admin
+
+dn: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+mail: ldap-torkel@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-torkel
+cn: ldap-torkel
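Review bot: `userPassword: grafana` is imported as-is, and slapd stores userPassword exactly as given unless ppolicy hashing is configured, so the credential sits in clear text in the directory and is readable by anyone who can read these entries over the plaintext LDAP port. For a devenv fixture that is tolerable, but values produced with `slappasswd -s grafana` and stored as `userPassword: {SSHA}…` keep the fixture faithful to how a real directory stores passwords at no cost. A header comment, `# Test fixtures only: every user's password is "grafana"`, would also make the shared credential explicit for anyone reusing the file.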

+ 6 - 0
devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/3_groups.ldif

@@ -0,0 +1,6 @@
+dn: cn=admins,ou=groups,dc=grafana,dc=org
+cn: admins
+objectClass: groupOfNames
+objectClass: top
+member: cn=ldap-admin,ou=users,dc=grafana,dc=org
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org

+ 19 - 0
devenv/docker/blocks/multiple-openldap/docker-compose.yaml

@@ -0,0 +1,19 @@
+  admins-openldap:
+    build: docker/blocks/multiple-openldap/admins-ldap-server
+    environment:
+      SLAPD_PASSWORD: grafana
+      SLAPD_DOMAIN: grafana.org
+      SLAPD_ADDITIONAL_MODULES: memberof
+    ports:
+      - "389:389"
+
+  openldap:
+    build: docker/blocks/multiple-openldap/ldap-server
+    environment:
+      SLAPD_PASSWORD: grafana
+      SLAPD_DOMAIN: grafana.org
+      SLAPD_ADDITIONAL_MODULES: memberof
+    ports:
+      - "388:389"
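Review bot: `- "389:389"` and `- "388:389"` publish both directories on every host interface, while each server is configured with the well-known rootdn password `SLAPD_PASSWORD: grafana` over unencrypted LDAP, so anyone on the developer's network segment can read or modify the test directories. Bind the published ports to loopback, `- "127.0.0.1:389:389"` and `- "127.0.0.1:388:389"`, which also matches the `host = "127.0.0.1"` the accompanying ldap_dev.toml uses. Since only `SLAPD_ADDITIONAL_MODULES: memberof` is listed, the refint overlay is loaded solely because it lives in the same memberof.ldif; presumably intentional, but a short comment here would save the next reader a lookup.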
+
+

+ 98 - 0
devenv/docker/blocks/multiple-openldap/entrypoint.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# When not limiting the open file descritors limit, the memory consumption of
+# slapd is absurdly high. See https://github.com/docker/docker/issues/8231
+ulimit -n 8192
+
+
+set -e
+
+chown -R openldap:openldap /var/lib/ldap/
+
+if [[ ! -d /etc/ldap/slapd.d ]]; then
+
+    if [[ -z "$SLAPD_PASSWORD" ]]; then
+        echo -n >&2 "Error: Container not configured and SLAPD_PASSWORD not set. "
+        echo >&2 "Did you forget to add -e SLAPD_PASSWORD=... ?"
+        exit 1
+    fi
+
+    if [[ -z "$SLAPD_DOMAIN" ]]; then
+        echo -n >&2 "Error: Container not configured and SLAPD_DOMAIN not set. "
+        echo >&2 "Did you forget to add -e SLAPD_DOMAIN=... ?"
+        exit 1
+    fi
+
+    SLAPD_ORGANIZATION="${SLAPD_ORGANIZATION:-${SLAPD_DOMAIN}}"
+
+    cp -a /etc/ldap.dist/* /etc/ldap
+
+    cat <<-EOF | debconf-set-selections
+        slapd slapd/no_configuration boolean false
+        slapd slapd/password1 password $SLAPD_PASSWORD
+        slapd slapd/password2 password $SLAPD_PASSWORD
+        slapd shared/organization string $SLAPD_ORGANIZATION
+        slapd slapd/domain string $SLAPD_DOMAIN
+        slapd slapd/backend select HDB
+        slapd slapd/allow_ldap_v2 boolean false
+        slapd slapd/purge_database boolean false
+        slapd slapd/move_old_database boolean true
+EOF
+
+    dpkg-reconfigure -f noninteractive slapd >/dev/null 2>&1
+
+    dc_string=""
+
+    IFS="."; declare -a dc_parts=($SLAPD_DOMAIN)
+
+    for dc_part in "${dc_parts[@]}"; do
+        dc_string="$dc_string,dc=$dc_part"
+    done
+
+    base_string="BASE ${dc_string:1}"
+
+    sed -i "s/^#BASE.*/${base_string}/g" /etc/ldap/ldap.conf
+
+    if [[ -n "$SLAPD_CONFIG_PASSWORD" ]]; then
+        password_hash=`slappasswd -s "${SLAPD_CONFIG_PASSWORD}"`
+
+        sed_safe_password_hash=${password_hash//\//\\\/}
+
+        slapcat -n0 -F /etc/ldap/slapd.d -l /tmp/config.ldif
+        sed -i "s/\(olcRootDN: cn=admin,cn=config\)/\1\nolcRootPW: ${sed_safe_password_hash}/g" /tmp/config.ldif
+        rm -rf /etc/ldap/slapd.d/*
+        slapadd -n0 -F /etc/ldap/slapd.d -l /tmp/config.ldif >/dev/null 2>&1
+    fi
+
+    if [[ -n "$SLAPD_ADDITIONAL_SCHEMAS" ]]; then
+        IFS=","; declare -a schemas=($SLAPD_ADDITIONAL_SCHEMAS); unset IFS
+
+        for schema in "${schemas[@]}"; do
+            slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/schema/${schema}.ldif" >/dev/null 2>&1
+        done
+    fi
+
+    if [[ -n "$SLAPD_ADDITIONAL_MODULES" ]]; then
+        IFS=","; declare -a modules=($SLAPD_ADDITIONAL_MODULES); unset IFS
+
+        for module in "${modules[@]}"; do
+          echo "Adding module ${module}"
+          slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/${module}.ldif" >/dev/null 2>&1
+        done
+    fi
+
+    # This needs to run in background
+    # Will prepopulate entries after ldap daemon has started
+    ./prepopulate.sh &
+
+    chown -R openldap:openldap /etc/ldap/slapd.d/ /var/lib/ldap/ /var/run/slapd/
+else
+    slapd_configs_in_env=`env | grep 'SLAPD_'`
+
+    if [ -n "${slapd_configs_in_env:+x}" ]; then
+        echo "Info: Container already configured, therefore ignoring SLAPD_xxx environment variables"
+    fi
+fi
+
+exec "$@"
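Review bot: `slapd_configs_in_env=\`env | grep 'SLAPD_'\`` in the already-configured branch runs under `set -e`, and grep exits 1 when no SLAPD_ variable is present, so restarting a configured container without those variables aborts before `exec "$@"` instead of printing the info message; use `slapd_configs_in_env=$(env | grep 'SLAPD_' || true)`. The config-password path also leaks the secret: `slappasswd -s "${SLAPD_CONFIG_PASSWORD}"` puts the password on the command line where `ps` can read it (slappasswd's `-T file` avoids that), and `/tmp/config.ldif`, which contains the generated `olcRootPW` hash, is never removed after the `slapadd`. Finally `./prepopulate.sh &` depends on the working directory being `/`; `/prepopulate.sh &` matches where the Dockerfile copies the script.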
+

+ 30 - 0
devenv/docker/blocks/multiple-openldap/ldap-server/Dockerfile

@@ -0,0 +1,30 @@
+# Fork of https://github.com/dinkel/docker-openldap
+
+FROM debian:jessie
+
+LABEL maintainer="Grafana team <hello@grafana.com>"
+
+ENV OPENLDAP_VERSION 2.4.40
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+        slapd=${OPENLDAP_VERSION}* \
+        ldap-utils && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN mv /etc/ldap /etc/ldap.dist
+
+EXPOSE 389
+
+VOLUME ["/etc/ldap", "/var/lib/ldap"]
+
+COPY modules/ /etc/ldap.dist/modules
+COPY prepopulate/ /etc/ldap.dist/prepopulate
+
+COPY ../entrypoint.sh /entrypoint.sh
+COPY ../prepopulate.sh /prepopulate.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]
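Review bot: `COPY ../entrypoint.sh` and `COPY ../prepopulate.sh` reach above the build context that docker-compose.yaml sets (`build: docker/blocks/multiple-openldap/ldap-server`), which Docker rejects, so this image cannot build as committed. This Dockerfile is otherwise byte-identical to admins-ldap-server/Dockerfile; a single Dockerfile in `multiple-openldap/` taking `ARG SERVER=ldap-server` and copying `${SERVER}/modules/` and `${SERVER}/prepopulate/` would remove the duplication and fix the context problem at the same time. The `VOLUME ["/etc/ldap", "/var/lib/ldap"]` declaration means a re-run with a persisted volume keeps whatever configuration was generated first, which the entrypoint's "already configured" branch relies on but the notes do not mention.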

+ 33 - 0
devenv/docker/blocks/multiple-openldap/ldap-server/modules/memberof.ldif

@@ -0,0 +1,33 @@
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: memberof.la
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: refint.la
+
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner

+ 9 - 0
devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/1_units.ldif

@@ -0,0 +1,9 @@
+dn: ou=groups,dc=grafana,dc=org
+ou: Groups
+objectclass: top
+objectclass: organizationalUnit
+
+dn: ou=users,dc=grafana,dc=org
+ou: Users
+objectclass: top
+objectclass: organizationalUnit

+ 59 - 0
devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/2_users.ldif

@@ -0,0 +1,59 @@
+dn: cn=ldap-editor,ou=users,dc=grafana,dc=org
+mail: ldap-editor@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-editor
+cn: ldap-editor
+
+dn: cn=ldap-viewer,ou=users,dc=grafana,dc=org
+mail: ldap-viewer@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-viewer
+cn: ldap-viewer
+
+dn: cn=ldap-carl,ou=users,dc=grafana,dc=org
+mail: ldap-carl@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-carl
+cn: ldap-carl
+
+dn: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+mail: ldap-daniel@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-daniel
+cn: ldap-daniel
+
+dn: cn=ldap-leo,ou=users,dc=grafana,dc=org
+mail: ldap-leo@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-leo
+cn: ldap-leo
+
+dn: cn=ldap-tobias,ou=users,dc=grafana,dc=org
+mail: ldap-tobias@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-tobias
+cn: ldap-tobias

+ 23 - 0
devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/3_groups.ldif

@@ -0,0 +1,23 @@
+dn: cn=admins,ou=groups,dc=grafana,dc=org
+cn: admins
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=editors,ou=groups,dc=grafana,dc=org
+cn: editors
+objectClass: groupOfNames
+member: cn=ldap-editor,ou=users,dc=grafana,dc=org
+
+dn: cn=backend,ou=groups,dc=grafana,dc=org
+cn: backend
+objectClass: groupOfNames
+member: cn=ldap-carl,ou=users,dc=grafana,dc=org
+member: cn=ldap-leo,ou=users,dc=grafana,dc=org
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+
+dn: cn=frontend,ou=groups,dc=grafana,dc=org
+cn: frontend
+objectClass: groupOfNames
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+member: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+member: cn=ldap-leo,ou=users,dc=grafana,dc=org
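Review bot: The `cn=admins,ou=groups,dc=grafana,dc=org` entry has `objectClass: groupOfNames` but no `member` attribute, and in OpenLDAP's core schema groupOfNames lists `member` as MUST, so slapd should reject this entry on import; because prepopulate.sh runs `ldapadd` without `-c`, the editors, backend and frontend groups that follow it in this file would then never be loaded and the `cn=editors` mapping in ldap_dev.toml would not take effect. Either drop the empty group from this server (the admins are served by the other directory) or give it a member. The two `member: cn=ldap-torkel,ou=users,dc=grafana,dc=org` lines also point at a user this server's 2_users.ldif does not define; `olcMemberOfDangling: ignore` lets the dangling reference through silently, so add the user here or remove the references.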

+ 59 - 0
devenv/docker/blocks/multiple-openldap/ldap_dev.toml

@@ -0,0 +1,59 @@
+# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
+# [log]
+# filters = ldap:debug
+
+# For the verbose comments options see "openldap" env block
+
+# --- First LDAP Server (only admins) ---
+
+[[servers]]
+host = "127.0.0.1"
+port = 389
+use_ssl = false
+start_tls = false
+ssl_skip_verify = false
+bind_dn = "cn=admin,dc=grafana,dc=org"
+bind_password = 'grafana'
+search_filter = "(cn=%s)"
+search_base_dns = ["ou=users,dc=grafana,dc=org"]
+
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "cn"
+member_of = "memberOf"
+email =  "email"
+
+[[servers.group_mappings]]
+group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
+org_role = "Admin"
+grafana_admin = true
+
+# --- Second LDAP Server (rest of the users) ---
+
+[[servers]]
+host = "127.0.0.1"
+port = 388
+use_ssl = false
+start_tls = false
+ssl_skip_verify = false
+
+bind_dn = "cn=admin,dc=grafana,dc=org"
+bind_password = 'grafana'
+search_filter = "(cn=%s)"
+search_base_dns = ["ou=users,dc=grafana,dc=org"]
+
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "cn"
+member_of = "memberOf"
+email =  "email"
+
+[[servers.group_mappings]]
+group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
+org_role = "Editor"
+
+[[servers.group_mappings]]
+group_dn = "*"
+org_role = "Viewer"
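Review bot: `email =  "email"` in both `[servers.attributes]` blocks does not match the fixtures, whose users carry a `mail:` attribute, so Grafana would find no e-mail for any LDAP user; it should read `email = "mail"`. Likewise `name = "givenName"` names an attribute none of the prepopulated users has, which is harmless but means this block cannot exercise the name mapping. Both servers bind as the directory rootdn `cn=admin,dc=grafana,dc=org` with `bind_password = 'grafana'` over plaintext (`use_ssl = false`, `start_tls = false`); fine for a devenv, but a comment such as `# dev only: binds as rootdn over plaintext — use a read-only service account and TLS in real deployments` would keep this file from being copied as-is into a real configuration.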

+ 38 - 0
devenv/docker/blocks/multiple-openldap/notes.md

@@ -0,0 +1,38 @@
+# Notes on Multiple OpenLdap Docker Block
+
+This is very similar to openldap docker block, but it creates multiple ldap servers instead of one.
+
+Any ldif files added to the prepopulate subdirectory will be automatically imported into the OpenLdap database.
+
+"admins-ldap-server" block contains admin group and admin users. The "ldap-server" block has all the rest of the users. See below for the full list of users.
+
+This blocks are here to help with testing multiple LDAP servers, for any other LDAP related development and testing "openldap" block should be used.
+
+## Enabling LDAP in Grafana
+
+Copy the ldap_dev.toml file in this folder into your `conf` folder (it is gitignored already). To enable it in the .ini file to get Grafana to use this block:
+
+```ini
+[auth.ldap]
+enabled = true
+config_file = conf/ldap_dev.toml
+; allow_sign_up = true
+```
+
+## Groups & Users
+
+admins
+  ldap-admin
+  ldap-torkel
+backend
+  ldap-carl
+  ldap-torkel
+  ldap-leo
+frontend
+  ldap-torkel
+  ldap-tobias
+  ldap-daniel
+editors
+  ldap-editor
+no groups
+  ldap-viewer

+ 14 - 0
devenv/docker/blocks/multiple-openldap/prepopulate.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+echo "Pre-populating ldap entries, first waiting for ldap to start"
+
+sleep 3
+
+adminUserDn="cn=admin,dc=grafana,dc=org"
+adminPassword="grafana"
+
+for file in `ls /etc/ldap/prepopulate/*.ldif`; do
+  ldapadd -x -D $adminUserDn -w $adminPassword -f "$file"
+done
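Review bot: `adminPassword="grafana"` hardcodes the rootdn password independently of the `SLAPD_PASSWORD` the entrypoint configured slapd with, so changing the compose value breaks prepopulation, and since the script has no error handling a failed `ldapadd` goes unreported. The fixed `sleep 3` is a race against slapd start-up (the entrypoint backgrounds this script before it `exec`s slapd), and `for file in \`ls ...\`` should be a plain glob. The password also ends up on the `ldapadd` command line where `ps` shows it; `-y <passwordfile>` avoids that if it matters here.

```shell
echo "Pre-populating ldap entries, first waiting for ldap to start"

# Poll instead of a fixed sleep: slapd is exec'd by the entrypoint after this
# script is backgrounded, so its start-up time is not known in advance.
until ldapsearch -x -b "" -s base >/dev/null 2>&1; do
  sleep 1
done

adminUserDn="cn=admin,dc=grafana,dc=org"
# Reuse the password the entrypoint configured slapd with.
adminPassword="${SLAPD_PASSWORD:?SLAPD_PASSWORD must be set}"

for file in /etc/ldap/prepopulate/*.ldif; do
  ldapadd -x -D "$adminUserDn" -w "$adminPassword" -f "$file" || exit 1
done
```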
+
+

+ 1 - 1
devenv/docker/blocks/openldap/Dockerfile

@@ -2,7 +2,7 @@
 
 FROM debian:jessie
 
-LABEL maintainer="Christian Luginbühl <dinke@pimprecords.com>"
+LABEL maintainer="Grafana team <hello@grafana.com>"
 
 ENV OPENLDAP_VERSION 2.4.40
 

+ 1 - 4
devenv/docker/blocks/openldap/notes.md

@@ -2,8 +2,6 @@
 
 Any ldif files added to the prepopulate subdirectory will be automatically imported into the OpenLdap database.
 
-The ldif files add eight users, `ldap-admin`, `ldap-editor`, `ldap-viewer`, `ldap-carl`, `ldap-daniel`, `ldap-leo`, `ldap-tobias` and `ldap-torkel`. Two groups, `admins` and `users`, are added that correspond with the group mappings in the default conf/ldap.toml. `ldap-admin` is a member of `admins` and `ldap-editor` is a member of `users`.
-
 Note that users that are added here need to specify a `memberOf` attribute manually as well as the `member` attribute for the group. The `memberOf` module usually does this automatically (if you add a group in Apache Directory Studio for example) but this does not work in the entrypoint script as it uses the `slapadd` command to add entries before the server has started and before the `memberOf` module is loaded.
 
 After adding ldif files to `prepopulate`:
@@ -23,12 +21,11 @@ config_file = conf/ldap_dev.toml
 ; allow_sign_up = true
 ```
 
-Test groups & users
+## Groups & Users
 
 admins
   ldap-admin
   ldap-torkel
-  ldap-daniel
 backend
   ldap-carl
   ldap-torkel