So, the challenge:
I have two Windows domains: one on-prem that holds all the user accounts, and a second domain in the cloud that is used to grant access to cloud tools via Domain Local Groups. Users from the on-prem domain are added to the groups in the cloud domain. This all works fine until I want to role-map those users in Grafana. I don't even know whether it is possible to authenticate a user from one domain, via the LDAP bind of the trusted domain, and have the group lookup resolve. I have added a copy of the test rig below to show what I have tried so far. Any help or ideas would be gratefully received.
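# First LDAP server: the domain1 DC.  These are test-rig settings (curly quotes
# replaced with real TOML delimiters so the file parses); read the caveats before
# reusing this anywhere real users can log in.
host = "192.168.56.101"
port = 389
# Plain LDAP on 389 with neither LDAPS nor StartTLS: the bind password and every
# user's password cross the wire in cleartext.  Outside the lab use 636 with
# use_ssl = true (or start_tls = true on 389) and keep ssl_skip_verify = false so
# a rogue host cannot impersonate the DC and harvest credentials.
use_ssl = false
start_tls = false
ssl_skip_verify = false
# Service account used for the search bind (UPN form is accepted by AD).  It
# needs directory read only; it should not itself be in any grafana-* group.
bind_dn = "grafana@domain1.int"
# Keep the secret out of copies/backups of this file — Grafana can pull it from
# the environment or a file ('$__env{LDAP_BIND_PASSWORD}' / '$__file{...}';
# confirm the syntax for your Grafana version).  Literal string on purpose.
bind_password = 'xxxxxxxx'
# %s is the login name Grafana substitutes (it escapes it for LDAP filters).
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["dc=domain1,dc=int"]
# LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership in one query, but it
# only matches when the group's `member` attribute holds the user's own DN.
# NOTE(review): when a domain1 user is added to a group that lives in domain2,
# AD stores a foreignSecurityPrincipal DN in `member`
# (CN=<SID>,CN=ForeignSecurityPrincipals,DC=domain2,DC=int), not the user's
# domain1 distinguishedName, so a chain search on the other domain will not hit.
# Verify with ldapsearch against each DC; groups that live in domain1 (this
# server) are unaffected.
group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
#group_search_filter = "(member:1.2.840.113556.1.4.1941:=CN=%s,[user container/OU])"
#group_search_filter = "(|(member:1.2.840.113556.1.4.1941:=CN=%s,[CN=Users,DC=Domain1,DC=int])(member:1.2.840.113556.1.4.1941:=CN=%s,[CN=Users,DC=Domain2,DC=int]))"
# Attribute of the found user object that is substituted for %s above.
group_search_filter_user_attribute = "distinguishedName"
#group_search_filter_user_attribute = "cn"
group_search_base_dns = ["DC=domain1,DC=int"]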
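# LDAP attributes Grafana copies into the user profile (quotes fixed to valid
# TOML delimiters).
[servers.attributes]
name = "givenName"
surname = "sn"
# NOTE(review): cn is not guaranteed unique, and with two [[servers]] entries
# two different people with the same cn in domain1 and domain2 would resolve to
# the same Grafana login and inherit each other's roles.  sAMAccountName
# (unique per domain) or userPrincipalName (unique across the forest) is the
# safer identity key.  Change it deliberately: it renames existing Grafana users.
username = "cn"
member_of = "memberOf"
email = "mail"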
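# Role mappings for server 1.  Grafana evaluates them in order and keeps the
# first match per org (verify for your version), so keep Admin first: a user in
# several grafana-* groups is otherwise downgraded.
[[servers.group_mappings]]
group_dn = "CN=grafana-admin,CN=Users,DC=Domain1,DC=int"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "CN=grafana-editor,CN=Users,DC=Domain1,DC=int"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "CN=grafana-viewer,CN=Users,DC=Domain1,DC=int"
org_role = "Viewer"

# Catch-all: group_dn = "*" grants Viewer to EVERY account the bind user can
# find, not just members of a grafana-* group.  Left disabled; enable only if
# that exposure is intended.  The header is commented out as well so the
# original dangling [[servers.group_mappings]] with no keys is no longer
# appended as a blank mapping element.
#[[servers.group_mappings]]
#group_dn = "*"
#org_role = "Viewer"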
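# Second LDAP server: the domain2 DC (quotes fixed to valid TOML delimiters).
# Grafana tries servers in order and uses the first that returns the user
# (verify for your version).  With search_base_dns scoped to dc=domain2 this
# server can only find accounts that exist as user objects in domain2; domain1
# users are still looked up through server 1.
[[servers]]
host = "192.168.56.102"
port = 389
# Same cleartext caveat as server 1: use 636 with use_ssl = true (or StartTLS)
# and keep ssl_skip_verify = false outside the lab.
use_ssl = false
start_tls = false
ssl_skip_verify = false
# Read-only service account; externalise the password ('$__env{...}') rather
# than committing it.
bind_dn = "grafana@domain2.int"
bind_password = 'xxxxxxxx'
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["dc=domain2,dc=int"]
# NOTE(review): cross-domain members of a domain2 group appear in `member` as
# foreignSecurityPrincipal DNs (CN=<SID>,CN=ForeignSecurityPrincipals,
# DC=domain2,DC=int), so substituting a domain1 user's distinguishedName here
# will not match those groups.  Confirm with ldapsearch before relying on it.
group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
group_search_filter_user_attribute = "distinguishedName"
#group_search_filter = "(|(member:1.2.840.113556.1.4.1941:=CN=%s,[CN=Users,DC=Domain1,DC=int])(member:1.2.840.113556.1.4.1941:=CN=%s,[CN=Users,DC=Domain2,DC=int]))"
#group_search_filter_user_attribute = "cn"
group_search_base_dns = ["DC=domain2,DC=int"]

[servers.attributes]
name = "givenName"
surname = "sn"
# NOTE(review): same collision risk as server 1 — cn is not unique across the
# two domains; prefer sAMAccountName or userPrincipalName (changing it renames
# existing Grafana users).
username = "cn"
member_of = "memberOf"
email = "mail"

# Role mappings for server 2; first match per org wins, so Admin stays first.
[[servers.group_mappings]]
group_dn = "CN=grafana-admin,CN=Users,DC=Domain2,DC=int"
org_role = "Admin"

# NOTE(review): the editor/viewer mappings below point at Domain1 group DNs
# while group_search_base_dns above is DC=domain2; a search on the domain2 DC
# scoped to its own naming context cannot return Domain1 objects, so these two
# mappings look like copy-paste drift from server 1 and will likely never
# match here.  Decide which domain the groups live in and make base and DNs
# agree (left unchanged because that choice decides who gets Editor/Viewer).
[[servers.group_mappings]]
group_dn = "CN=grafana-editor,CN=Users,DC=Domain1,DC=int"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "CN=grafana-viewer,CN=Users,DC=Domain1,DC=int"
org_role = "Viewer"

# Catch-all: "*" would grant Viewer to every account found via this server.
# Left disabled, with the header commented out too so no empty mapping element
# is appended.
#[[servers.group_mappings]]
#group_dn = "*"
#org_role = "Viewer"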