public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c47b921ef40c0c411e9bad2cac05eb6c540c0979
grafana/devenv/docker/blocks/auth/openldap/README.md
T
Mihai Doarna 37f198d5e8 LDAP: Add guide on how to configure LDAP with TLS (#91686) 
add guide on how to configure LDAP with TLS
2024-08-08 15:29:00 +03:00

2.5 KiB
Raw Blame History

OpenLDAP for MacOS Docker Block

This Docker block is an updated version from OpenLDAP block. This Docker block uses osixia/openldap image. The original Docker block was based of debian:jessie which is not available for Apple's ARM chip.

Deployment

First build and deploy the openldap container.

make devenv sources=auth/openldap

Exposed ports

The container will expose port 389 and 636.

Background services

The osixia/openldap container will update the database with any *.ldif file changes inside ./prepopulate and the ./modules folder. Remember to rebuild the devenv to apply any changes.

Grafana configuration changes

The following changes are needed at Grafana's configuration file.

[auth.ldap]
enabled = true
config_file = conf/ldap.toml

The default configuration between Grafana and the OpenLDAP container is configured at ../../../../../conf/ldap.toml.

Available users and groups

  • admins
    • ldap-admin
    • ldap-torkel
  • backend
    • ldap-carl
    • ldap-torkel
    • ldap-leo
  • frontend
    • ldap-torkel
    • ldap-tobias
    • ldap-daniel
  • editors
    • ldap-editors
  • no groups
    • ldap-viewer

Groups & Users (POSIX)

  • admins
    • ldap-posix-admin
  • no groups
    • ldap-posix

Configure LDAP with TLS

After the openldap container has been deployed, you have to copy the CA from the docker container:

# get the container ID
docker ps

docker cp CONTAINER-ID:"/container/service/:ssl-tools/assets/default-ca/default-ca.pem" devenv/docker/blocks/auth/openldap/certs

To configure TLS you need the following lines in the .toml file under the [[servers]] section:

tls_ciphers = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
min_tls_version = "TLS1.2"
ssl_skip_verify = true
root_ca_cert = "devenv/docker/blocks/auth/openldap/certs/default-ca.pem"
client_cert = "devenv/docker/blocks/auth/openldap/certs/ldap.crt"
client_key = "devenv/docker/blocks/auth/openldap/certs/ldap.key"

For simplicity, the same private key is shared between the server and the client. To generate your own private keys and certificates please follow this guide: https://enlook.wordpress.com/2015/09/30/howto-generate-certificate-for-openldap-and-using-it-for-certificate-authentication/.

  • To connect over LDAPS include this config:
port = 636
use_ssl = true
start_tls = false
  • To connect with STARTTLS use this config:
port = 389
use_ssl = true
start_tls = true
Reference in New Issue View Git Blame Copy Permalink