ADVA LDAP Configuration

LDAP configuration in ADVA is today a manual task. Here is how it is performed.

Create a Windows service account

Grafana authenticates against AD / LDAP using the credentials of a service account that has to be created beforehand.

Create that user in your directory. What you need from it is the Distinguished Name (DN) of that user (DNs are needed for other things as well, more on that later).

One way to get the Distinguished Name (DN) of an AD entity is to use ADSI Edit, which should be installed by default on a Windows Server 2008 installation, for example.


Open ADSI Edit from the start menu (using the search field) and connect to your local server, or to your AD server if it is not the local one.

ADSI Edit Window

Once connected, browse to the user that Grafana will use for its authentication checks and display its properties:

ADSI Properties

The distinguishedName property is what needs to be copy-pasted into the Grafana LDAP configuration file; keep that value handy.

Edit Grafana configuration file

Edit /etc/grafana/grafana.ini and un-comment the following block:

############################## Auth LDAP ##########################
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml

Then edit the LDAP configuration file (/etc/grafana/ldap.toml) and make sure the following values are accurate for your directory:

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "10.78.0.11"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false

# Search user bind dn
bind_dn = "CN=Service,CN=Users,DC=yann,DC=lab"
# Search user bind password
bind_password = 'MyPassword'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["dc=yann,dc=lab"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
# Active Directory stores the e-mail address in the "mail" attribute; adjust if no address shows up in Grafana
email = "email"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "CN=Domain Admins,CN=Users,DC=yann,DC=lab"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "CN=Domain Users,CN=Users,DC=yann,DC=lab"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"

The following settings must match what you see in ADSI Edit:

The service account created for Grafana:

bind_dn = "CN=Service,CN=Users,DC=yann,DC=lab"

The Active Directory group containing the Grafana Admins:

[[servers.group_mappings]]
group_dn = "CN=Domain Admins,CN=Users,DC=yann,DC=lab"
org_role = "Admin"

Restart Grafana-server

service grafana-server restart

Debugging

If you can't log in with a user that is a member of the Admins group, you can enable verbose logging and look at what is written to /var/log/grafana/grafana.log.

This option goes into /etc/grafana/ldap.toml:

verbose_logging = true