diff --git a/Dockerfile b/Dockerfile
index 537aaca840c..fd305d8af3e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,6 +35,8 @@ RUN ./node_modules/.bin/grunt build
 # Final container
 FROM debian:stretch-slim
+LABEL maintainer="Grafana team "
+
 ARG GF_UID="472"
 ARG GF_GID="472"
diff --git a/devenv/docker/blocks/multiple-openldap/admins-ldap-server/Dockerfile b/devenv/docker/blocks/multiple-openldap/admins-ldap-server/Dockerfile
new file mode 100644
index 00000000000..979d01c7dad
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/admins-ldap-server/Dockerfile
@@ -0,0 +1,30 @@
+# Fork of https://github.com/dinkel/docker-openldap
+
+FROM debian:jessie
+
+LABEL maintainer="Grafana team "
+
+ENV OPENLDAP_VERSION 2.4.40
+
+RUN apt-get update && \
+ DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+ slapd=${OPENLDAP_VERSION}* \
+ ldap-utils && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mv /etc/ldap /etc/ldap.dist
+
+EXPOSE 389
+
+VOLUME ["/etc/ldap", "/var/lib/ldap"]
+
+COPY modules/ /etc/ldap.dist/modules
+COPY prepopulate/ /etc/ldap.dist/prepopulate
+
+COPY ../entrypoint.sh /entrypoint.sh
+COPY ../prepopulate.sh /prepopulate.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]
diff --git a/devenv/docker/blocks/multiple-openldap/admins-ldap-server/modules/memberof.ldif b/devenv/docker/blocks/multiple-openldap/admins-ldap-server/modules/memberof.ldif
new file mode 100644
index 00000000000..fd9cce957c3
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/admins-ldap-server/modules/memberof.ldif
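Review bot: `COPY ../entrypoint.sh /entrypoint.sh` and `COPY ../prepopulate.sh /prepopulate.sh` reach above the build context, which Docker refuses ("forbidden path outside the build context") when the context is the `admins-ldap-server` directory as `build:` in docker-compose.yaml sets it, so the image will not build unless some devenv tooling stages those two scripts into the directory first. The same two lines appear in `ldap-server/Dockerfile` (identical blob 979d01c7dad). Either build from `multiple-openldap` with a `dockerfile:` key pointing at each server's Dockerfile, or keep a copy of the scripts next to each Dockerfile. Separately, `debian:jessie` is past its security-support window and `slapd=${OPENLDAP_VERSION}*` is only a loose pin; acceptable for a dev block, but a comment stating that this image is dev-only would save the next reader the question.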
@@ -0,0 +1,33 @@
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: memberof.la
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: refint.la
+
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner
diff --git a/devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/1_units.ldif b/devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/1_units.ldif
new file mode 100644
index 00000000000..22e06303688
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/1_units.ldif
@@ -0,0 +1,9 @@
+dn: ou=groups,dc=grafana,dc=org
+ou: Groups
+objectclass: top
+objectclass: organizationalUnit
+
+dn: ou=users,dc=grafana,dc=org
+ou: Users
+objectclass: top
+objectclass: organizationalUnit
diff --git a/devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/2_users.ldif b/devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/2_users.ldif
new file mode 100644
index 00000000000..1ee592dc7a0
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/2_users.ldif
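Review bot: The memberof overlay entry is inconsistent with the refint one: its dn carries the ordering index (`olcOverlay={0}memberof`) but the attribute line is `olcOverlay: memberof`, whereas the refint entry uses `{1}refint` in both places; `olcOverlay: {0}memberof` makes the two entries agree. The file also adds `dn: cn=module,cn=config` twice; I believe back-config indexes these as `cn=module{0}` and `cn=module{1}` on import, but a single `olcModuleList` entry with two `olcModuleLoad` lines (`memberof.la`, `refint.la`) would not depend on that. `ldap-server/modules/memberof.ldif` is the same blob (fd9cce957c3) and has the same two points.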
@@ -0,0 +1,20 @@
+# ldap-admin
+dn: cn=ldap-admin,ou=users,dc=grafana,dc=org
+mail: ldap-admin@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-admin
+cn: ldap-admin
+
+dn: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+mail: ldap-torkel@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-torkel
+cn: ldap-torkel
diff --git a/devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/3_groups.ldif b/devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/3_groups.ldif
new file mode 100644
index 00000000000..f7285f8a9c3
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/admins-ldap-server/prepopulate/3_groups.ldif
@@ -0,0 +1,6 @@
+dn: cn=admins,ou=groups,dc=grafana,dc=org
+cn: admins
+objectClass: groupOfNames
+objectClass: top
+member: cn=ldap-admin,ou=users,dc=grafana,dc=org
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
diff --git a/devenv/docker/blocks/multiple-openldap/docker-compose.yaml b/devenv/docker/blocks/multiple-openldap/docker-compose.yaml
new file mode 100644
index 00000000000..74f5d29a90f
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/docker-compose.yaml
@@ -0,0 +1,19 @@
+ admins-openldap:
+ build: docker/blocks/multiple-openldap/admins-ldap-server
+ environment:
+ SLAPD_PASSWORD: grafana
+ SLAPD_DOMAIN: grafana.org
+ SLAPD_ADDITIONAL_MODULES: memberof
+ ports:
+ - "389:389"
+
+ openldap:
+ build: docker/blocks/multiple-openldap/ldap-server
+ environment:
+ SLAPD_PASSWORD: grafana
+ SLAPD_DOMAIN: grafana.org
+ SLAPD_ADDITIONAL_MODULES: memberof
+ ports:
+ - "388:389"
+
+
diff --git a/devenv/docker/blocks/multiple-openldap/entrypoint.sh b/devenv/docker/blocks/multiple-openldap/entrypoint.sh
new file mode 100755
index 00000000000..d202ed14b31
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/entrypoint.sh
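Review bot: In docker-compose.yaml, `- "389:389"` and `- "388:389"` publish both directories on every host interface, and each is configured with the fixed `SLAPD_PASSWORD: grafana` plus the cleartext `userPassword: grafana` fixtures from the LDIFs, while `ldap_dev.toml` in this change only ever connects to `127.0.0.1`; binding them as `- "127.0.0.1:389:389"` and `- "127.0.0.1:388:389"` keeps the test directories off the LAN with no loss to the dev setup. The two service entries have no enclosing `services:` key, which is presumably fine if the devenv tooling concatenates block fragments into one compose file the way the existing `openldap` block is used — worth confirming rather than assuming.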
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# When not limiting the open file descritors limit, the memory consumption of
+# slapd is absurdly high. See https://github.com/docker/docker/issues/8231
+ulimit -n 8192
+
+
+set -e
+
+chown -R openldap:openldap /var/lib/ldap/
+
+if [[ ! -d /etc/ldap/slapd.d ]]; then
+
+ if [[ -z "$SLAPD_PASSWORD" ]]; then
+ echo -n >&2 "Error: Container not configured and SLAPD_PASSWORD not set. "
+ echo >&2 "Did you forget to add -e SLAPD_PASSWORD=... ?"
+ exit 1
+ fi
+
+ if [[ -z "$SLAPD_DOMAIN" ]]; then
+ echo -n >&2 "Error: Container not configured and SLAPD_DOMAIN not set. "
+ echo >&2 "Did you forget to add -e SLAPD_DOMAIN=... ?"
+ exit 1
+ fi
+
+ SLAPD_ORGANIZATION="${SLAPD_ORGANIZATION:-${SLAPD_DOMAIN}}"
+
+ cp -a /etc/ldap.dist/* /etc/ldap
+
+ cat <<-EOF | debconf-set-selections
+ slapd slapd/no_configuration boolean false
+ slapd slapd/password1 password $SLAPD_PASSWORD
+ slapd slapd/password2 password $SLAPD_PASSWORD
+ slapd shared/organization string $SLAPD_ORGANIZATION
+ slapd slapd/domain string $SLAPD_DOMAIN
+ slapd slapd/backend select HDB
+ slapd slapd/allow_ldap_v2 boolean false
+ slapd slapd/purge_database boolean false
+ slapd slapd/move_old_database boolean true
+EOF
+
+ dpkg-reconfigure -f noninteractive slapd >/dev/null 2>&1
+
+ dc_string=""
+
+ IFS="."; declare -a dc_parts=($SLAPD_DOMAIN)
+
+ for dc_part in "${dc_parts[@]}"; do
+ dc_string="$dc_string,dc=$dc_part"
+ done
+
+ base_string="BASE ${dc_string:1}"
+
+ sed -i "s/^#BASE.*/${base_string}/g" /etc/ldap/ldap.conf
+
+ if [[ -n "$SLAPD_CONFIG_PASSWORD" ]]; then
+ password_hash=`slappasswd -s "${SLAPD_CONFIG_PASSWORD}"`
+
+ sed_safe_password_hash=${password_hash//\//\\\/}
+
+ slapcat -n0 -F /etc/ldap/slapd.d -l /tmp/config.ldif
+ sed -i "s/\(olcRootDN: cn=admin,cn=config\)/\1\nolcRootPW: ${sed_safe_password_hash}/g" /tmp/config.ldif
+ rm -rf /etc/ldap/slapd.d/*
+ slapadd -n0 -F /etc/ldap/slapd.d -l /tmp/config.ldif >/dev/null 2>&1
+ fi
+
+ if [[ -n "$SLAPD_ADDITIONAL_SCHEMAS" ]]; then
+ IFS=","; declare -a schemas=($SLAPD_ADDITIONAL_SCHEMAS); unset IFS
+
+ for schema in "${schemas[@]}"; do
+ slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/schema/${schema}.ldif" >/dev/null 2>&1
+ done
+ fi
+
+ if [[ -n "$SLAPD_ADDITIONAL_MODULES" ]]; then
+ IFS=","; declare -a modules=($SLAPD_ADDITIONAL_MODULES); unset IFS
+
+ for module in "${modules[@]}"; do
+ echo "Adding module ${module}"
+ slapadd -n0 -F /etc/ldap/slapd.d -l "/etc/ldap/modules/${module}.ldif" >/dev/null 2>&1
+ done
+ fi
+
+ # This needs to run in background
+ # Will prepopulate entries after ldap daemon has started
+ ./prepopulate.sh &
+
+ chown -R openldap:openldap /etc/ldap/slapd.d/ /var/lib/ldap/ /var/run/slapd/
+else
+ slapd_configs_in_env=`env | grep 'SLAPD_'`
+
+ if [ -n "${slapd_configs_in_env:+x}" ]; then
+ echo "Info: Container already configured, therefore ignoring SLAPD_xxx environment variables"
+ fi
+fi
+
+exec "$@"
+
diff --git a/devenv/docker/blocks/multiple-openldap/ldap-server/Dockerfile b/devenv/docker/blocks/multiple-openldap/ldap-server/Dockerfile
new file mode 100644
index 00000000000..979d01c7dad
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/ldap-server/Dockerfile
@@ -0,0 +1,30 @@
+# Fork of https://github.com/dinkel/docker-openldap
+
+FROM debian:jessie
+
+LABEL maintainer="Grafana team "
+
+ENV OPENLDAP_VERSION 2.4.40
+
+RUN apt-get update && \
+ DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+ slapd=${OPENLDAP_VERSION}* \
+ ldap-utils && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mv /etc/ldap /etc/ldap.dist
+
+EXPOSE 389
+
+VOLUME ["/etc/ldap", "/var/lib/ldap"]
+
+COPY modules/ /etc/ldap.dist/modules
+COPY prepopulate/ /etc/ldap.dist/prepopulate
+
+COPY ../entrypoint.sh /entrypoint.sh
+COPY ../prepopulate.sh /prepopulate.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["slapd", "-d", "32768", "-u", "openldap", "-g", "openldap"]
diff --git a/devenv/docker/blocks/multiple-openldap/ldap-server/modules/memberof.ldif b/devenv/docker/blocks/multiple-openldap/ldap-server/modules/memberof.ldif
new file mode 100644
index 00000000000..fd9cce957c3
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/ldap-server/modules/memberof.ldif
@@ -0,0 +1,33 @@
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: memberof.la
+
+dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+objectClass: top
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: refint.la
+
+dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof member manager owner
diff --git a/devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/1_units.ldif b/devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/1_units.ldif
new file mode 100644
index 00000000000..22e06303688
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/1_units.ldif
@@ -0,0 +1,9 @@
+dn: ou=groups,dc=grafana,dc=org
+ou: Groups
+objectclass: top
+objectclass: organizationalUnit
+
+dn: ou=users,dc=grafana,dc=org
+ou: Users
+objectclass: top
+objectclass: organizationalUnit
diff --git a/devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/2_users.ldif b/devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/2_users.ldif
new file mode 100644
index 00000000000..8e1dfbf603a
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/2_users.ldif
@@ -0,0 +1,59 @@
+dn: cn=ldap-editor,ou=users,dc=grafana,dc=org
+mail: ldap-editor@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-editor
+cn: ldap-editor
+
+dn: cn=ldap-viewer,ou=users,dc=grafana,dc=org
+mail: ldap-viewer@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-viewer
+cn: ldap-viewer
+
+dn: cn=ldap-carl,ou=users,dc=grafana,dc=org
+mail: ldap-carl@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-carl
+cn: ldap-carl
+
+dn: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+mail: ldap-daniel@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-daniel
+cn: ldap-daniel
+
+dn: cn=ldap-leo,ou=users,dc=grafana,dc=org
+mail: ldap-leo@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-leo
+cn: ldap-leo
+
+dn: cn=ldap-tobias,ou=users,dc=grafana,dc=org
+mail: ldap-tobias@grafana.com
+userPassword: grafana
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+sn: ldap-tobias
+cn: ldap-tobias
diff --git a/devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/3_groups.ldif b/devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/3_groups.ldif
new file mode 100644
index 00000000000..8d55eaaa707
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/ldap-server/prepopulate/3_groups.ldif
@@ -0,0 +1,23 @@
+dn: cn=admins,ou=groups,dc=grafana,dc=org
+cn: admins
+objectClass: groupOfNames
+objectClass: top
+
+dn: cn=editors,ou=groups,dc=grafana,dc=org
+cn: editors
+objectClass: groupOfNames
+member: cn=ldap-editor,ou=users,dc=grafana,dc=org
+
+dn: cn=backend,ou=groups,dc=grafana,dc=org
+cn: backend
+objectClass: groupOfNames
+member: cn=ldap-carl,ou=users,dc=grafana,dc=org
+member: cn=ldap-leo,ou=users,dc=grafana,dc=org
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+
+dn: cn=frontend,ou=groups,dc=grafana,dc=org
+cn: frontend
+objectClass: groupOfNames
+member: cn=ldap-torkel,ou=users,dc=grafana,dc=org
+member: cn=ldap-daniel,ou=users,dc=grafana,dc=org
+member: cn=ldap-leo,ou=users,dc=grafana,dc=org
diff --git a/devenv/docker/blocks/multiple-openldap/ldap_dev.toml b/devenv/docker/blocks/multiple-openldap/ldap_dev.toml
new file mode 100644
index 00000000000..c4c2516694f
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/ldap_dev.toml
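Review bot: The `cn=admins,ou=groups,dc=grafana,dc=org` entry in ldap-server's 3_groups.ldif declares `objectClass: groupOfNames` but carries no `member` attribute, and `groupOfNames` requires one, so slapd rejects the entry with an object class violation; because prepopulate.sh runs `ldapadd` without `-c`, the import stops there and `editors`, `backend` and `frontend` are never created, leaving the Editor mapping in ldap_dev.toml with nothing to match. Since the admins live on `admins-ldap-server`, the simplest fix is to delete this empty group from the second server. `backend` and `frontend` also list `member: cn=ldap-torkel,ou=users,dc=grafana,dc=org`, a DN that only exists on the other server; with `olcMemberOfDangling: ignore` that is accepted silently, but it records a membership that can never resolve here and is presumably a leftover from copying the single-server fixtures.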
@@ -0,0 +1,59 @@
+# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
+# [log]
+# filters = ldap:debug
+
+# For the verbose comments options see "openldap" env block
+
+# --- First LDAP Server (only admins) ---
+
+[[servers]]
+host = "127.0.0.1"
+port = 389
+use_ssl = false
+start_tls = false
+ssl_skip_verify = false
+bind_dn = "cn=admin,dc=grafana,dc=org"
+bind_password = 'grafana'
+search_filter = "(cn=%s)"
+search_base_dns = ["ou=users,dc=grafana,dc=org"]
+
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "cn"
+member_of = "memberOf"
+email = "email"
+
+[[servers.group_mappings]]
+group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
+org_role = "Admin"
+grafana_admin = true
+
+# --- Second LDAP Server (rest of the users) ---
+
+[[servers]]
+host = "127.0.0.1"
+port = 388
+use_ssl = false
+start_tls = false
+ssl_skip_verify = false
+
+bind_dn = "cn=admin,dc=grafana,dc=org"
+bind_password = 'grafana'
+search_filter = "(cn=%s)"
+search_base_dns = ["ou=users,dc=grafana,dc=org"]
+
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "cn"
+member_of = "memberOf"
+email = "email"
+
+[[servers.group_mappings]]
+group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
+org_role = "Editor"
+
+[[servers.group_mappings]]
+group_dn = "*"
+org_role = "Viewer"
diff --git a/devenv/docker/blocks/multiple-openldap/notes.md b/devenv/docker/blocks/multiple-openldap/notes.md
new file mode 100644
index 00000000000..1fcbfa013db
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/notes.md
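Review bot: `email = "email"` in both `[servers.attributes]` tables names an attribute none of the fixture users carry — every entry in the 2_users.ldif files stores the address as `mail:` (the inetOrgPerson attribute) — so Grafana will import no e-mail address for any LDAP user; change both occurrences to `email = "mail"`. `name = "givenName"` likewise has no counterpart in the fixtures, which only set `sn` and `cn`, so no given name can be mapped either; presumably intended for test data, but worth a comment if so. The second server's `group_dn = "*"` → Viewer is what lets `ldap-viewer` log in at all, and it is evaluated after the `editors` mapping above it; a one-line comment on that catch-all saying it is deliberate would keep someone from "tightening" it later.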
@@ -0,0 +1,38 @@
+# Notes on Multiple OpenLdap Docker Block
+
+This is very similar to openldap docker block, but it creates multiple ldap servers instead of one.
+
+Any ldif files added to the prepopulate subdirectory will be automatically imported into the OpenLdap database.
+
+"admins-ldap-server" block contains admin group and admin users. The "ldap-server" block has all the rest of the users. See below for the full list of users.
+
+This blocks are here to help with testing multiple LDAP servers, for any other LDAP related development and testing "openldap" block should be used.
+
+## Enabling LDAP in Grafana
+
+Copy the ldap_dev.toml file in this folder into your `conf` folder (it is gitignored already). To enable it in the .ini file to get Grafana to use this block:
+
+```ini
+[auth.ldap]
+enabled = true
+config_file = conf/ldap_dev.toml
+; allow_sign_up = true
+```
+
+## Groups & Users
+
+admins
+ ldap-admin
+ ldap-torkel
+backend
+ ldap-carl
+ ldap-torkel
+ ldap-leo
+frontend
+ ldap-torkel
+ ldap-tobias
+ ldap-daniel
+editors
+ ldap-editor
+no groups
+ ldap-viewer
diff --git a/devenv/docker/blocks/multiple-openldap/prepopulate.sh b/devenv/docker/blocks/multiple-openldap/prepopulate.sh
new file mode 100755
index 00000000000..aa11f8aba4f
--- /dev/null
+++ b/devenv/docker/blocks/multiple-openldap/prepopulate.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+echo "Pre-populating ldap entries, first waiting for ldap to start"
+
+sleep 3
+
+adminUserDn="cn=admin,dc=grafana,dc=org"
+adminPassword="grafana"
+
+for file in `ls /etc/ldap/prepopulate/*.ldif`; do
+ ldapadd -x -D $adminUserDn -w $adminPassword -f "$file"
+done
+
+
diff --git a/devenv/docker/blocks/openldap/Dockerfile b/devenv/docker/blocks/openldap/Dockerfile
index 76172e133a4..b0d23b9e0c9 100644
--- a/devenv/docker/blocks/openldap/Dockerfile
+++ b/devenv/docker/blocks/openldap/Dockerfile
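Review bot: prepopulate.sh hard-codes `adminPassword="grafana"` and `adminUserDn="cn=admin,dc=grafana,dc=org"` even though the container was just configured from `SLAPD_PASSWORD` and `SLAPD_DOMAIN` in entrypoint.sh, which exports them to this script; any compose file that changes either value gets a server whose prepopulation fails with invalid credentials and nothing else to point at the cause. `adminPassword="${SLAPD_PASSWORD:-grafana}"` keeps the current default while following the environment. `-w $adminPassword` also exposes the password in the process argument list; `ldapadd -y <password-file>` reads it from a file instead, and both `$adminUserDn` and `$adminPassword` should be double-quoted. `sleep 3` is a fixed-length race with slapd start-up — a short retry loop on `ldapwhoami` against `$adminUserDn` would be sturdier — and `for file in /etc/ldap/prepopulate/*.ldif` does the same job as the backticked `ls` without the word-splitting hazard.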
@@ -2,7 +2,7 @@ FROM debian:jessie -LABEL maintainer="Christian Luginbühl " +LABEL maintainer="Grafana team " ENV OPENLDAP_VERSION 2.4.40 diff --git a/devenv/docker/blocks/openldap/notes.md b/devenv/docker/blocks/openldap/notes.md index fb413085970..a74c1427901 100644 --- a/devenv/docker/blocks/openldap/notes.md +++ b/devenv/docker/blocks/openldap/notes.md @@ -2,8 +2,6 @@ Any ldif files added to the prepopulate subdirectory will be automatically imported into the OpenLdap database. -The ldif files add eight users, `ldap-admin`, `ldap-editor`, `ldap-viewer`, `ldap-carl`, `ldap-daniel`, `ldap-leo`, `ldap-tobias` and `ldap-torkel`. Two groups, `admins` and `users`, are added that correspond with the group mappings in the default conf/ldap.toml. `ldap-admin` is a member of `admins` and `ldap-editor` is a member of `users`. - Note that users that are added here need to specify a `memberOf` attribute manually as well as the `member` attribute for the group. The `memberOf` module usually does this automatically (if you add a group in Apache Directory Studio for example) but this does not work in the entrypoint script as it uses the `slapadd` command to add entries before the server has started and before the `memberOf` module is loaded. After adding ldif files to `prepopulate`: @@ -23,12 +21,11 @@ config_file = conf/ldap_dev.toml ; allow_sign_up = true ``` -Test groups & users +## Groups & Users admins ldap-admin ldap-torkel - ldap-daniel backend ldap-carl ldap-torkel