LDAP configuration issue with Grafana Helm values.yaml

Was able to set up Grafana with local user access but running into issues when trying to configure LDAP groups/users access. Tried bunch of things and none of that worked as expected. The Grafana pod was deployed as part of kube-prometheus operator install, so tried passing following configuration in custom values.yaml to the install set up but no luck. The container has admin.ldap flag set to true in grafana.ini but don’t see LDAP configuration either in the secret or in /etc/grafana/ldap.toml or in the secret.
The /etc/grafana/ldap.toml has default LDAP settings and don’t see any custom values specified in values.yaml.

grafana:
enabled: true
namespaceOverride: ""
rbac:
  pspUseAppArmor: false
grafana.ini:
server:
  domain: sandboxgrmysite.com
  #root_url: "%(protocol)s://%(domain)s/"
  root_url: https://sandboxgrmysite.com/grafana/
  serve_from_sub_path: true
auth.ldap:
  enabled: true
  allow_sign_up: true
envFromSecret: "grafana-ldap-cred"
ldap:
 enabled: true
 existingSecret: ""
config: |-
verbose_logging = true

[[servers]]
host = "my.ldap.server.com"
port = 636
use_ssl = true
root_ca_cert = "/home/myid/CA_Cert.pem"
start_tls = false
ssl_skip_verify = false
bind_dn = "uid=ldapbind,ou=Users,dc=com"
bind_password = "${LDAP_BIND_PASSWORD}"
search_filter = "(uid=%s)"
search_base_dns = ["dc=com"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
email = "mail"
 group_search_filter = "(&(objectClass=groupOfUniqueNames) 
(uniquemember=%s))"
## An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_base_dns = ["ou=groups,dc=Global,dc=com"]
## the %s in the search filter will be replaced with the attribute defined below
group_search_filter_user_attribute = "uid"

[[servers.group_mappings]]
group_dn = "cn=admin_ldap,ou=Users,dc=com"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"

Any clue on what the issue is?

Thanks

Spent some time looking at Helm templates and other configuration to understand what was missing and able to make it work with below configuration for Grafana in custom-values.yaml created from the operator.

Pay special attention to the indentation since that has caused some issues when I was trying to copy n paste from Grafana chart’s values.yaml. Only thing left is to read the bind password from an existing secret or environment variable, tried few approaches but those haven’t worked.

grafana:
  enabled: true
  namespaceOverride: ""
  rbac:
	pspUseAppArmor: false
  grafana.ini:
	# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
	log:
	  mode: console
	  #level: debug
	  # to enable debug level for ldap calls only
	  #filters: ldap:debug
	
	server:
	  domain: sbgrafana.mysite.com
	  #root_url: "%(protocol)s://%(domain)s/"
	  root_url: https://sbgrafana.mysite.com/grafana/
	  serve_from_sub_path: true
	auth.ldap:
	  enabled: true
	  allow_sign_up: true
	  config_file: /etc/grafana/ldap.toml

  ldap:
	enabled: true
	# `existingSecret` is a reference to an existing secret containing the ldap configuration
	# for Grafana in a key `ldap-toml`.
	existingSecret: ""
	# `config` is the content of `ldap.toml` that will be stored in the created secret
	config: |-
	  verbose_logging = true

	  [[servers]]
	  host = "my.ldap.com"
	  # Default port is 389 or 636 if use_ssl = true
	  # port = 389
	  # use_ssl = false
	  port = 636
	  use_ssl = true
	  # CA cert is mapped as certs-configmap in extraConfigmapMounts section below -- path in Grafana container
	  root_ca_cert = "/etc/grafana/ssl/CACert.pem"
	  start_tls = false
	  ssl_skip_verify = false
	  bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
	  bind_password = ""
	  search_filter = "(uid=%s)"
	  
	  [servers.attributes]
	  name = "givenName"
	  surname = "sn"
	  username = "cn"
	  email = "mail"
	  ## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
	  group_search_filter = "(&(objectClass=groupOfUniqueNames)(uniquemember=%s))"
	  ## An array of the base DNs to search through for groups. Typically uses ou=groups
	  group_search_base_dns = ["uid=%s,ou=users,dc=myorg,dc=com"]
	  ## the %s in the search filter will be replaced with the attribute defined below
	  group_search_filter_user_attribute = "uid"

	  [[servers.group_mappings]]
	  group_dn = "cn=admins,dc=grafana,dc=org"
	  org_role = "Admin"

	  [[servers.group_mappings]]
	  group_dn = "cn=users,dc=grafana,dc=org"
	  org_role = "Editor"

	  [[servers.group_mappings]]
	  group_dn = "*"
	  org_role = "Viewer"

  extraConfigmapMounts:
	- name: certs-configmap
	  mountPath: /etc/grafana/ssl/
	  configMap: certs-configmap
	  readOnly: true

Steps for creating configmap referenced above for LDAP SSL/HTTPS communication. At least I couldn’t find clear information, so adding here for others.

kubectl -n monitoring create configmap certs-configmap --from-file=my-ca-cert.pem
1 Like