LDAP Configuration Series Three: Integrating Grafana with LDAP
Grafana is something like Kibana: a good-looking platform for presenting data from a variety of data sources in real time. The official demo is at play.grafana.org/d/000000012/grafana-play-home?orgid=1
Installation of Grafana
Official Grafana installation reference: http://docs.grafana.org/installation/rpm/
[root@vm_0_15_centos ~]# sudo yum install https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-5.1.4-1.x86_64.rpm
[root@vm_0_15_centos ~]# rpm -ql grafana | grep /etc
/etc/grafana
/etc/init.d/grafana-server
/etc/sysconfig/grafana-server
[root@vm_0_15_centos ~]# systemctl start grafana-server
[root@vm_0_15_centos ~]# systemctl status grafana-server
[root@vm_0_15_centos ~]# firewall-cmd --permanent --add-port=3000/tcp
success
[root@vm_0_15_centos ~]# firewall-cmd --reload
success
# Add the domain name grafana.linuxpanda.tech
# Web access is at grafana.linuxpanda.tech:3000
The main interface is as follows:
The default user name and password are admin.
Creating the LDAP groups and users
If you do not have an LDAP service, you can refer to: www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_liunx_52_ldap.html
Here we use the small tool ldapadmin.exe to connect to the LDAP service, add a grafana OU inside the group OU, and then add 3 groups within the grafana OU, corresponding to administering, editing and viewing.
Create three users, test01, test02 and test03, set their passwords to oracle, and put each one in a different one of the three groups for later testing.
LDAP configuration file
Grafana LDAP Configuration official reference: http://docs.grafana.org/installation/ldap/
grafana.ini configuration
[root@vm_0_15_centos ~]# cd /etc/grafana/
[root@vm_0_15_centos grafana]# ll
total …
-rw-r----- 1 root grafana 13655 Sep 5 … grafana.ini
-rw-r----- 1 root grafana 3468 Sep 5 … ldap.toml
drwxr-xr-x 4 root grafana 4096 Sep 5 … provisioning
[root@vm_0_15_centos grafana]# cp ldap.toml ldap.toml.default
[root@vm_0_15_centos grafana]# cp grafana.ini grafana.ini.default
[root@vm_0_15_centos grafana]# chown grafana.grafana grafana.ini ldap.toml
[root@vm_0_15_centos grafana]# vim grafana.ini
# Two changes are made in this file. The log change is not required, but LDAP is troublesome to debug, so it is recommended to turn on debug first and change back to the info level once LDAP is configured.
[auth.ldap]
enabled = true
[log]
level = debug
Before configuring, you need to run a few queries.
Querying all users
[root@vm_0_15_centos ~]# ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=people,dc=linuxpanda,dc=tech"
dn: ou=people,dc=linuxpanda,dc=tech
objectClass: organizationalUnit
ou: user
ou: people

dn: uid=test01,ou=people,dc=linuxpanda,dc=tech
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: test01
sn: test01
displayName:: 5rwl6k+vmq==
uid: test01
homeDirectory: /home/test01
loginShell: /bin/bash
mail: test01@linuxpanda.tech
cn:: 5rwl6k+vmq==
uidNumber: 55545
userPassword:: E1niqx1ree5rdgtvuhhiek52mm9pqmqvykc2njnsqkk9

dn: uid=test02,ou=people,dc=linuxpanda,dc=tech
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: test02
sn: test02
displayName:: 5rwl6k+vmg==
uid: test02
homeDirectory: /home/test02
loginShell: /bin/bash
mail: test02@linuxpanda.tech
cn:: 5rwl6k+vmg==
uidNumber: 50880
userPassword:: E1niqx1ree5rdgtvuhhiek52mm9pqmqvykc2njnsqkk9

dn: uid=test03,ou=people,dc=linuxpanda,dc=tech
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: test03
sn: test03
displayName:: 5rwl6k+vmw==
uid: test03
homeDirectory: /home/test03
loginShell: /bin/bash
mail: test03@linuxpanda.tech
cn:: 5rwl6k+vmw==
uidNumber: 46507
userPassword:: E1niqx1ree5rdgtvuhhiek52mm9pqmqvykc2njnsqkk9
Querying a specific user
[root@vm_0_15_centos ~]# ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=people,dc=linuxpanda,dc=tech" "(uid=test01)"
dn: uid=test01,ou=people,dc=linuxpanda,dc=tech
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: test01
sn: test01
displayName:: 5rwl6k+vmq==
uid: test01
homeDirectory: /home/test01
loginShell: /bin/bash
mail: test01@linuxpanda.tech
cn:: 5rwl6k+vmq==
uidNumber: 55545
userPassword:: E1niqx1ree5rdgtvuhhiek52mm9pqmqvykc2njnsqkk9
Querying all groups
[root@vm_0_15_centos grafana]# ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=grafana,ou=group,dc=linuxpanda,dc=tech"
dn: ou=grafana,ou=group,dc=linuxpanda,dc=tech
objectClass: top
objectClass: organizationalUnit
ou: grafana

dn: cn=grafana-admins,ou=grafana,ou=group,dc=linuxpanda,dc=tech
objectClass: posixGroup
objectClass: top
cn: grafana-admins
gidNumber: 49004
memberUid: test01

dn: cn=grafana-editors,ou=grafana,ou=group,dc=linuxpanda,dc=tech
objectClass: posixGroup
objectClass: top
gidNumber: 34366
cn: grafana-editors
memberUid: test02

dn: cn=grafana-viewers,ou=grafana,ou=group,dc=linuxpanda,dc=tech
objectClass: posixGroup
objectClass: top
cn: grafana-viewers
gidNumber: 25527
memberUid: test03
Querying the group a user belongs to
[root@vm_0_15_centos grafana]# ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=grafana,ou=group,dc=linuxpanda,dc=tech" "(&(objectClass=posixGroup)(memberUid=test03))"
dn: cn=grafana-viewers,ou=grafana,ou=group,dc=linuxpanda,dc=tech
objectClass: posixGroup
objectClass: top
cn: grafana-viewers
gidNumber: 25527
memberUid: test03
Modify the ldap.toml file
[root@vm_0_15_centos grafana]# vim ldap.toml
[root@vm_0_15_centos grafana]# cat ldap.toml
[[servers]]
host = "ldap.linuxpanda.tech"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=admin,dc=linuxpanda,dc=tech"
bind_password = 'oracle'
search_filter = "(uid=%s)"
search_base_dns = ["ou=people,dc=linuxpanda,dc=tech"]
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_base_dns = ["ou=grafana,ou=group,dc=linuxpanda,dc=tech"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
#member_of = "memberOf"
member_of = "cn"
email = "mail"

[[servers.group_mappings]]
group_dn = "grafana-admins"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "grafana-editors"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "grafana-viewers"
#group_dn = "*"
org_role = "Viewer"
Main configuration description
host: your LDAP server. You can specify more than one, separated by a delimiter.
port: the port on which your LDAP server listens.
bind_dn: an administrator account for the specific OU is needed; I use the domain manager here.
bind_password: the password for the above account.
search_filter: the filter expression for the user search, used together with search_base_dns.
search_base_dns: the scope of the user search. Here all users are searched within the people OU; it works together with search_filter to filter the users.
group_search_filter: the filter expression for the group search, used together with group_search_base_dns.
group_search_base_dns: the scope of the group search; we have set up 3 groups within the grafana OU.
servers.attributes: extracts specific fields from the user entry that was found. username takes the value of a specific field of the queried user entry as the Grafana user name.
member_of: after the groups are found using group_search_base_dns and group_search_filter, this is the field taken as the group name. The resulting values need to be consistent with the mappings below.
email: the user's mail field is used as the Grafana user's email address.
servers.group_mappings: defines the mapping between LDAP user groups and Grafana roles. The LDAP group name obtained through member_of, group_search_base_dns and group_search_filter must be the same as the group_dn given here.
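The lookup chain described above, modelled in Python as an added example (it is not code from the original post or from Grafana). It goes a little beyond the configuration shown by also exercising the commented-out member_of = "memberOf" and group_dn = "*" lines; the user test04 is hypothetical, and first-match-wins with case-insensitive comparison is an assumption about how the mappings are evaluated.

```python
# Added example: a simplified model of the ldap.toml lookup chain, not Grafana code.
# Group entries are copied from the ldapsearch output above; test04 is a
# hypothetical user who exists under ou=people but belongs to no group.
PEOPLE = {"test01", "test02", "test03", "test04"}
GROUPS = [
    {"cn": "grafana-admins", "memberUid": ["test01"]},
    {"cn": "grafana-editors", "memberUid": ["test02"]},
    {"cn": "grafana-viewers", "memberUid": ["test03"]},
]
# [[servers.group_mappings]] in file order: (group_dn, org_role)
MAPPINGS = [
    ("grafana-admins", "Admin"),
    ("grafana-editors", "Editor"),
    ("grafana-viewers", "Viewer"),
]


def member_of(uid, attr="cn"):
    """Apply group_search_filter (&(objectClass=posixGroup)(memberUid=<uid>))
    and read the attribute named by member_of from every matching group."""
    hits = [g for g in GROUPS if uid in g["memberUid"]]
    return [g[attr] for g in hits if attr in g]


def resolve_role(uid, mappings=MAPPINGS, attr="cn"):
    """Return the org_role uid would receive, or None if nothing matches."""
    if uid not in PEOPLE:  # search_filter (uid=<uid>) returned no entry
        return None
    names = {name.lower() for name in member_of(uid, attr)}
    for group_dn, role in mappings:  # assumption: first match wins
        if group_dn == "*" or group_dn.lower() in names:
            return role
    return None


def report():
    """Roles under the page's config and under three variations of it."""
    full_dn = [("cn=grafana-admins,ou=grafana,ou=group,dc=linuxpanda,dc=tech", "Admin")]
    return {
        "as configured": {u: resolve_role(u) for u in sorted(PEOPLE)},
        "member_of=memberOf": resolve_role("test01", attr="memberOf"),
        "full DN in group_dn": resolve_role("test01", mappings=full_dn),
        "wildcard appended": resolve_role("test04", MAPPINGS + [("*", "Viewer")]),
    }


if __name__ == "__main__":
    for case, result in report().items():
        print(f"{case}: {result}")
```

With the wildcard line enabled, every account the user search finds receives the mapped role, so both the position of that mapping in the file and the role it grants deserve review.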
A clear picture
After the modification, restart the service and run the test.
Final result diagram
Change the Grafana log level back to info.
Debug to determine if the LDAP service is
38958.87. 98.84 '^]'.
Make sure the LDAP configuration is turned on
Check the grafana.ini file and confirm that enabled = true is set under [auth.ldap]; by default the line is commented out or set to false.
Follow the log information
There are 2 main logs: one is the Grafana log, and the other is the LDAP log.
[root@vm_0_15_centos grafana]# journalctl -f
Sep 05 22:… vm_0_15_centos grafana-server[12052]: t=2018-09-05T22:…+0800 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc420030fc0)({\n DN: (string) (len=42) \"uid=test01,ou=people,dc=linuxpanda,dc=tech\",\n FirstName: (string) (len=6) \"test01\",\n LastName: (string) (len=6) \"test01\",\n Username: (string) (len=22) \"test01@linuxpanda.tech\",\n Email: (string) (len=22) \"test01@linuxpanda.tech\",\n MemberOf: ([]string) <nil>\n})\n"
Sep 05 22:… vm_0_15_centos grafana-server[12052]: t=2018-09-05T22:…+0800 lvl=dbug msg="Updating last user_seen_at" logger=context userId=2 orgId=1 uname=test01@linuxpanda.tech user_id=2
Tail
Reference
Grafana Official Help document:/HTTP