Before configuring anything, you need to understand a few LDAP terms: cn, ou, dc and dn (look them up yourself). A dn contains the other three. Here is a dn:

    (uid=mcc)cn=student,ou=chuanda,dc=chengdu,dc=sichuan,dc=china

It works like the path china/sichuan/chengdu/chuanda/mcc.

The data returned after an LDAP login makes this clear at a glance:

    [
      {
        DN: "uid=chenchen.ming,ou=Users,dc=test,dc=cn",
        FirstName: "ming",
        LastName: "ming",
        Username: "[email protected]",
        Email: "[email protected]",
        MemberOf: {
          "cn=confluence-users,ou=Groups,dc=test,dc=cn",
          "cn=jira-software-users,ou=Groups,dc=test,dc=cn"
        }
      }
    ]

1. Change the server host and port to the address of your own LDAP server

    host = "ldap.mcc.cn"
    port = 389
    use_ssl = true
    # With start_tls = false this failed with: LDAP Result Code 200 "": EOF
    start_tls = true
    # true disables verification of the LDAP server's certificate
    ssl_skip_verify = true
    # No certificate was configured
    #root_ca_cert = /path/to/certificate.crt

2. Set the account used for reading (it needs read permission). Pay attention to this one.

    # Search user bind dn (the person responsible for your LDAP can give you this)
    bind_dn = "uid=chenchen.ming,ou=Users,dc=test,dc=cn"
    # Search user bind password
    bind_password = "Mcctest"

3. Set the Grafana login account = LDAP mail

search_filter is very important: it decides whether the Grafana account name is the LDAP uid, the mail attribute, or something else.

    # Log in with uid: chenchen.ming
    #search_filter = "(uid=%s)"
    # Log in with email: [email protected]
    search_filter = "(mail=%s)"
    search_base_dns = ["ou=Users,dc=test,dc=cn"]

4. Set [servers.attributes]

This does not seem to have much effect, as far as login is concerned…

    [servers.attributes]
    name = "givenName"
    surname = "sn"
    username = "mail"   # this one
    member_of = "memberOf"
    email = "mail"      # this one

5. Map LDAP groups to Grafana orgs

Note that the groups are under ou=Groups, while the login user is under ou=Users.

    # First group
    [[servers.group_mappings]]
    group_dn = "cn=confluence-users,ou=Groups,dc=test,dc=cn"
    org_role = "Editor"
    org_id = 3

    # Second group
    [[servers.group_mappings]]
    group_dn = "cn=jira-software-users,ou=Groups,dc=test,dc=cn"
    org_role = "Editor"
    org_id = 4

    [[servers.group_mappings]]
    # Everyone is a Viewer of this org
    group_dn = "*"
    org_role = "Viewer"
    org_id = 2

PS: a user who matches several groups gets the permissions of each of those groups.

3. Enable LDAP authentication

1. Global configuration file directory

    root@b01a0d97c5af:/usr/share/grafana/conf# whereis grafana
    grafana: /etc/grafana /usr/share/grafana
    root@b01a0d97c5af:/usr/share/grafana# cd /usr/share/grafana/conf/
    root@b01a0d97c5af:/usr/share/grafana/conf# vi defaults.ini

2. Modify the configuration

    [auth.ldap]
    enabled = true

Restart Grafana when you are done.

4. Create the Grafana orgs

Log in with admin / admin and create the orgs.
Make sure each orgId matches the org_id set in the mappings above!
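The group-to-org mapping from step 5 and the org id check above, worked through for the sample user's MemberOf list. This is an added example, not code from the original post or from Grafana. The matching rules it models (case-insensitive DN comparison, "*" matching everyone, first match per org_id wins) and the list of existing org ids are assumptions.

```python
# Added example: models how the page's [[servers.group_mappings]] turn one
# user's memberOf list into per-org roles. Assumed matching rules: DN compare
# is case-insensitive, "*" matches every user, first match per org_id wins.

# Same shape as tomllib.load(f)["servers"][0]["group_mappings"] (Python 3.11+).
GROUP_MAPPINGS = [
    {"group_dn": "cn=confluence-users,ou=Groups,dc=test,dc=cn",
     "org_role": "Editor", "org_id": 3},
    {"group_dn": "cn=jira-software-users,ou=Groups,dc=test,dc=cn",
     "org_role": "Editor", "org_id": 4},
    {"group_dn": "*", "org_role": "Viewer", "org_id": 2},
]

# MemberOf values from the sample LDAP result shown on this page.
MEMBER_OF = [
    "cn=confluence-users,ou=Groups,dc=test,dc=cn",
    "cn=jira-software-users,ou=Groups,dc=test,dc=cn",
]


def is_member_of(member_of, group_dn):
    """True if group_dn is the wildcard or equals one of the user's groups."""
    if group_dn == "*":
        return True
    return any(g.casefold() == group_dn.casefold() for g in member_of)


def resolve_org_roles(mappings, member_of):
    """Return {org_id: org_role}; later mappings for a decided org are skipped."""
    roles = {}
    for m in mappings:
        if m["org_id"] not in roles and is_member_of(member_of, m["group_dn"]):
            roles[m["org_id"]] = m["org_role"]
    return roles


def audit(mappings, member_of, existing_org_ids):
    """Resolve roles, then list org_ids with no such org and wildcard orgs."""
    roles = resolve_org_roles(mappings, member_of)
    missing = sorted({m["org_id"] for m in mappings} - set(existing_org_ids))
    wildcard = sorted(m["org_id"] for m in mappings if m["group_dn"] == "*")
    return roles, missing, wildcard


if __name__ == "__main__":
    # existing_org_ids is constructed: pretend org 4 was never created.
    roles, missing, wildcard = audit(GROUP_MAPPINGS, MEMBER_OF, [1, 2, 3])
    print("roles per org:", roles)
    print("org_id in mapping but org not created:", missing)
    print("orgs every LDAP user can enter via '*':", wildcard)
```

The wildcard list is worth reviewing on its own: any account that can authenticate against the search base gets that role, whether or not it belongs to a mapped group.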
Reference: https://www.freesion.com/article/36441302083/
From: https://www.cnblogs.com/k8s-pod/p/17853678.html