Before configuring anything, you need to understand a few LDAP terms:
cn, ou, dc, dn (look them up yourself if needed)
A dn is made up of the first three; the following is a dn:
uid=mcc,cn=student,ou=chuanda,dc=chengdu,dc=sichuan,dc=china
It has the same effect as the path china/sichuan/chengdu/chuanda/mcc
The record returned after an LDAP login shows it best; one look and you will get it:
[
  {
    DN: "uid=ming.xiao,ou=Users,dc=test,dc=cn",
    FirstName: "xiao",
    LastName: "ming",
    Username: "ming.xiao@qq.com",
    Email: "ming.xiao@qq.com",
    MemberOf: [
      "cn=confluence-users,ou=Groups,dc=test,dc=cn",
      "cn=jira-software-users,ou=Groups,dc=test,dc=cn"
    ]
  }
]
1. Start a Grafana instance
docker run -d -p 13000:3000 grafana/grafana
2. Set up the LDAP config file
Exec into the container and edit the LDAP config file:
apt-get update
apt-get install vim
vim /etc/grafana/ldap.toml
1. Change server.host and port to your own LDAP server's address
host = "ldap.mcc.cn"
port = 389
use_ssl = true
start_tls = true  # with this set to false it failed with: LDAP Result Code 200 "": EOF
ssl_skip_verify = true
# root_ca_cert = "/path/to/certificate.crt"  # no certificate configured
2. Set the account used for searching (it needs read permission)
Pay attention to this one
# Search user bind dn
bind_dn = "uid=readonly,ou=Users,dc=test,dc=cn"  # ask whoever runs the LDAP server for this
# Search user bind password
bind_password = "test111"
3. Make the Grafana login name = the LDAP mail
search_filter is very important: it decides whether the Grafana account name is the LDAP uid, the mail, or something else
# search_filter = "(uid=%s)"  # log in with the uid, e.g. ming.xiao
search_filter = "(mail=%s)"  # log in with the email, e.g. ming.xiao@qq.com
search_base_dns = ["ou=Users,dc=test,dc=cn"]
4. Set [servers.attributes]
This seems to make no difference, as far as logging in goes...
[servers.attributes]
name = "givenName"
surname = "sn"
username = "mail"  # note this one
member_of = "memberOf"
email = "mail"  # note this one
5. Map LDAP groups to Grafana orgs
Note that the groups are under ou=Groups, while the users that log in are under ou=Users
# first group
[[servers.group_mappings]]
group_dn = "cn=confluence-users,ou=Groups,dc=test,dc=cn"
org_role = "Editor"
org_id = 3
# second group
[[servers.group_mappings]]
group_dn = "cn=jira-software-users,ou=Groups,dc=test,dc=cn"
org_role = "Editor"
org_id = 4
[[servers.group_mappings]]
# everyone is a Viewer of this org
group_dn = "*"
org_role = "Viewer"
org_id = 2
PS: a user who matches several groups gets the permissions of all of those groups
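To see what the mappings above actually grant before restarting Grafana, here is an added example (not from the original post or from Grafana itself) that replays the group_mappings against the memberOf list returned for ming.xiao and flags the weak transport settings from step 1. It assumes Grafana's documented behaviour: mappings apply in order, "*" matches everyone, group DNs compare case-insensitively, and the first match per org_id wins.

```python
# Added example, not from the original post: dry-run Grafana's LDAP
# group_mappings for one user and lint the transport settings. Assumed
# semantics: mappings apply in order, "*" matches everyone, group DNs
# compare case-insensitively, and the first match per org_id wins.
# Constructed input: the [[servers]] values from the walkthrough above,
# flattened to a dict instead of TOML so nothing needs installing.
SERVER = {
    "use_ssl": True, "start_tls": True, "ssl_skip_verify": True,
    "group_mappings": [
        {"group_dn": "cn=confluence-users,ou=Groups,dc=test,dc=cn",
         "org_role": "Editor", "org_id": 3},
        {"group_dn": "cn=jira-software-users,ou=Groups,dc=test,dc=cn",
         "org_role": "Editor", "org_id": 4},
        {"group_dn": "*", "org_role": "Viewer", "org_id": 2},
    ],
}
# Constructed: memberOf values for ming.xiao; the second is upper-cased
# on purpose, as some directory servers return DNs that way.
USER_MEMBER_OF = [
    "cn=confluence-users,ou=Groups,dc=test,dc=cn",
    "CN=jira-software-users,OU=Groups,DC=test,DC=cn",
]

def norm_dn(dn):
    # Lowercase and strip spaces around commas before comparing DNs.
    return ",".join(part.strip() for part in dn.lower().split(","))

def resolve_org_roles(member_of, mappings):
    # Returns {org_id: role} as Grafana would apply group_mappings.
    groups = {norm_dn(dn) for dn in member_of}
    roles = {}
    for m in mappings:
        org = m.get("org_id", 1)  # Grafana defaults to the main org
        if org in roles:
            continue  # first matching mapping per org wins
        if m["group_dn"] == "*" or norm_dn(m["group_dn"]) in groups:
            roles[org] = m["org_role"]
    return roles

def lint_server(cfg):
    # Flag settings that weaken the bind or over-grant access.
    findings = []
    if not cfg.get("use_ssl") and not cfg.get("start_tls"):
        findings.append("bind password sent in cleartext (no TLS/STARTTLS)")
    if cfg.get("ssl_skip_verify"):
        findings.append("ssl_skip_verify=true disables certificate checks")
    for m in cfg.get("group_mappings", []):
        if m["group_dn"] == "*" and m["org_role"] != "Viewer":
            findings.append(f"wildcard mapping grants {m['org_role']} to everyone")
    return findings
```

Running resolve_org_roles on the sample user yields Editor in orgs 3 and 4 plus Viewer in org 2, matching the PS above; the lint points out that ssl_skip_verify=true leaves the STARTTLS connection open to a spoofed LDAP server.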
3. Enable LDAP authentication
1. Find the global config directory
whereis grafana
grafana: /etc/grafana /usr/share/grafana
cd /usr/share/grafana/conf/
vi defaults.ini
2. Change the setting
[auth.ldap]
enabled = true
Restart Grafana afterwards.
4. Create the Grafana orgs
Log in with admin/admin and create the orgs.
Make sure each orgId matches the org_id set in the mappings above!
Reference configuration
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
[[servers]]
host = "10.10.10.10"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=ldapadmin,cn=Users,dc=hi,dc=local"
bind_password = 'xxxxxx'
search_filter = "(cn=%s)"
search_base_dns = ["dc=hi,dc=local"]
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"
[[servers.group_mappings]]
group_dn = "cn=admins,dc=grafana,dc=org"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "cn=users,dc=grafana,dc=org"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"