LDAP: Groups work, how to use roles? Roles are empty/login denied - how to map

I am trying to match LDAP roles to Grafana roles. Had success with groups, but now am completely stuck. Any help will be highly appreciated.

Group mapping Ok
With ldapsearch I got the following answer for groups:

# corpadm, Group, sector.corp
dn: cn=corpadm,ou=Group,dc=sector,dc=corp
cn: corpadm
memberUid: danielt

I managed to get this group into Grafana with the following parameters:

[[servers]]
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_filter_user_attribute = "uid"
group_search_base_dns = ["ou=Group,dc=sector,dc=corp"]

[servers.attributes]
member_of = "memberUid"
[[servers.group_mappings]]
group_dn = "corpadm"

Role Mapping NOK, login denied
Now, this was more of a test, or rather an intermediate step, as we use roles to set permissions other than on the Linux shell. Therefore I need to map the LDAP roles to Grafana roles.

ldap:
#OfficeLinkAdmin, CORPRoles, sector.corp
dn: cn=OfficeLinkAdmin,ou=CORPRoles,dc=sector,dc=corp
objectClass: top
objectClass: organizationalRole
cn: OfficeLinkAdmin
roleOccupant: uid=danielt,ou=People,dc=sector,dc=corp

I tried to match in the following way (and many others with identical outcome):
ldap.toml:
group_search_filter = "(&(objectClass=organizationalRole)(roleOccupant=%s))"
group_search_filter_user_attribute = "uid"
group_search_base_dns = ["ou=CORPRoles,dc=sector,dc=psi"]

[servers.attributes]
# name = "givenName"
surname = "sn"
username = "uid"
member_of = "roleOccupant"
email = "cn"

[[servers.group_mappings]]
group_dn = "OfficeLinkAdmin"

grafana.log
DBUG[02-23|08:59:18] LDAP SearchRequest logger=ldap searchRequest="&{BaseDN:ou=People,dc=sector,dc=corp Scope:2 DerefAliases:0 SizeLimit:0 TimeLimit:0 TypesOnly:false Filter:(|(cn=dtollkoe)) Attributes:[uid sn cn roleOccupant uid] Controls:[]}\n"
t=2021-02-23T08:59:18+0100 lvl=dbug msg="LDAP SearchRequest" logger=ldap searchRequest="&{BaseDN:ou=People,dc=sector,dc=corp Scope:2 DerefAliases:0 SizeLimit:0 TimeLimit:0 TypesOnly:false Filter:(|(cn=danielt)) Attributes:[uid sn cn roleOccupant uid] Controls:[]}\n"
INFO[02-23|08:59:18] Searching for user's groups logger=ldap filter="(&(objectClass=organizationalRole)(roleOccupant=danielt))"
t=2021-02-23T08:59:18+0100 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(objectClass=organizationalRole)(roleOccupant=danielt))"
DBUG[02-23|08:59:18] LDAP users found logger=ldap users="([]*models.ExternalUserInfo) (len=1 cap=1) {\n (*models.ExternalUserInfo)(0xc000154090)({\n OAuthToken: (*oauth2.Token)(<nil>),\n AuthModule: (string) (len=4) \"ldap\",\n AuthId: (string) (len=35) \"uid=danielt,ou=People,dc=sector,dc=corp\",\n UserId: (int64) 0,\n Email: (string) (len=8) \"danielt\",\n Login: (string) (len=8) \"danielt\",\n Name: (string) (len=11) \"DanielsLastName\",\n Groups: ([]string) <nil>,\n OrgRoles: (map[int64]models.RoleType) {\n },\n IsGrafanaAdmin: (*bool)(<nil>),\n IsDisabled: (bool) true\n })\n}\n"
t=2021-02-23T08:59:18+0100 lvl=dbug msg="LDAP users found" logger=ldap users="([]*models.ExternalUserInfo) (len=1 cap=1) {\n (*models.ExternalUserInfo)(0xc000154090)({\n OAuthToken: (*oauth2.Token)(<nil>),\n AuthModule: (string) (len=4) \"ldap\",\n AuthId: (string) (len=35) \"uid=danielt,ou=People,dc=sector,dc=corp\",\n UserId: (int64) 0,\n Email: (string) (len=8) \"danielt\",\n Login: (string) (len=8) \"danielt\",\n Name: (string) (len=11) \"DanielsLastName\",\n Groups: ([]string) <nil>,\n OrgRoles: (map[int64]models.RoleType) {\n },\n IsGrafanaAdmin: (*bool)(<nil>),\n IsDisabled: (bool) true\n })\n}\n"
EROR[02-23|08:59:18] User does not belong in any of the specified LDAP groups logger=ldap username=danielt groups=[]
t=2021-02-23T08:59:18+0100 lvl=eror msg="User does not belong in any of the specified LDAP groups" logger=ldap username=danielt groups=[]
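
Added example, not part of the original post and not Grafana's own code: a small Python model of the group search, run over the two entries from the ldapsearch output above, showing which value substituted for `%s` makes each filter match and what the `dc=psi` search base from ldap.toml does to the result. The subtree scope, the simplified DN comparison and the `posixGroup` objectClass on `corpadm` (not shown in the output) are assumptions.

```python
# Added example: models the LDAP group search from the post in plain Python.
# Entries are copied from the ldapsearch output; objectClass posixGroup on
# corpadm is an assumption (implied by the working filter, not shown).
ENTRIES = [
    {"dn": "cn=corpadm,ou=Group,dc=sector,dc=corp",
     "objectClass": ["posixGroup"],
     "memberUid": ["danielt"]},
    {"dn": "cn=OfficeLinkAdmin,ou=CORPRoles,dc=sector,dc=corp",
     "objectClass": ["top", "organizationalRole"],
     "roleOccupant": ["uid=danielt,ou=People,dc=sector,dc=corp"]},
]
# The user entry as it appears in grafana.log (AuthId and Login).
USER = {"dn": "uid=danielt,ou=People,dc=sector,dc=corp", "uid": "danielt"}
GROUP_BASE, ROLE_BASE, PSI_BASE = ("ou=Group,dc=sector,dc=corp",
    "ou=CORPRoles,dc=sector,dc=corp", "ou=CORPRoles,dc=sector,dc=psi")

def norm(value):
    """Simplified matching: case-insensitive, spaces around commas ignored."""
    return ",".join(part.strip().lower() for part in value.split(","))

def under_base(dn, base):
    """True if dn is the base itself or lies below it (subtree scope assumed)."""
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))

def search_groups(base, object_class, attr, value):
    """Evaluate (&(objectClass=<object_class>)(<attr>=<value>)) under base."""
    hits = []
    for entry in ENTRIES:
        classes = [c.lower() for c in entry["objectClass"]]
        values = [norm(v) for v in entry.get(attr, [])]
        if (under_base(entry["dn"], base) and object_class.lower() in classes
                and norm(value) in values):
            hits.append(entry["dn"])
    return hits

def run_cases():
    """Each case: which user value replaces %s, and under which search base."""
    role = ("organizationalRole", "roleOccupant")
    return {
        "memberUid=<uid>": search_groups(GROUP_BASE, "posixGroup", "memberUid", USER["uid"]),
        "roleOccupant=<uid>": search_groups(ROLE_BASE, *role, USER["uid"]),
        "roleOccupant=<dn>": search_groups(ROLE_BASE, *role, USER["dn"]),
        "roleOccupant=<dn> under dc=psi": search_groups(PSI_BASE, *role, USER["dn"]),
    }

if __name__ == "__main__":
    for case, hits in run_cases().items():
        print(f"{case:32} -> {hits}")
```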