LDAP Integration

LDAP authentication for monitoring dashboards

Grafana LDAP Integration

By default, the Fury Kubernetes Distribution deploys Grafana without authentication. Follow this guide to change Grafana's default configuration and use an LDAP server as the authentication provider.

Requirements

  • An LDAP server (OpenLDAP or Active Directory) whose host and port are reachable from the Grafana instance.
  • An LDAP service account that Grafana uses to search for users and groups (bind_dn and bind_password). Give it read-only access to the user and group subtrees; it does not need to be a directory administrator.
  • Knowledge of the LDAP structure: where users and groups live, and how groups reference their members.

Prepare

In the directory where you are working with the distribution, create a directory named grafana-ldap with the following structure:

$ ls
Furyfile.yml            kustomization.yaml
$ mkdir -p grafana-ldap/ldap-config grafana-ldap/patches

Then add the following content to the end of your kustomization.yaml file:

patches:
  - grafana-ldap/patches/grafana-ldap.yaml

generatorOptions:
  disableNameSuffixHash: true

configMapGenerator:
  - name: ldap-config
    namespace: monitoring
    files:
      - ldap.toml=grafana-ldap/ldap-config/ldap.toml

ldap.toml

You have to create an ldap.toml file in the grafana-ldap/ldap-config directory. All configuration parameters are described in the official Grafana LDAP documentation.

Take this file as an example:

# https://grafana.com/docs/grafana/latest/auth/ldap/#grafana-ldap-configuration

[[servers]]
# Ldap server host (specify multiple hosts space separated)
# host = "127.0.0.1"
host = "ldap-server.demo-ldap.svc.cluster.local"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true to connect over LDAPS (port 636). With use_ssl = false and start_tls = false
# the bind password and every user's login password cross the network in clear text,
# so enable one of the two anywhere outside a demo setup
use_ssl = false
# Set to true to connect on the plain port and upgrade the connection with STARTTLS
start_tls = false
# Set to true to skip TLS certificate validation (never in production: it lets a
# man-in-the-middle capture the credentials above)
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# DN of the search (service) account. Prefer a dedicated read-only account over the directory admin
bind_dn = "cn=admin,dc=sighup,dc=io"
# Search account password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'HatFriday'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
search_filter = "(cn=%s)"

# An array of base dns to search through
search_base_dns = ["ou=people,dc=sighup,dc=io"]

group_search_filter = "(&(objectClass=groupOfNames)(member=cn=%s,ou=people,dc=sighup,dc=io))"
group_search_filter_user_attribute = "cn"
group_search_base_dns = ["ou=groups,dc=sighup,dc=io"]

# Names of the attributes your directory uses for each field
[servers.attributes]
name = "cn"
surname = "sn"
username = "cn"
# "dn" works together with group_search_filter: the DN of each matched group entry is
# compared against the group_dn values in the mappings below
member_of = "dn"
# inetOrgPerson entries (OpenLDAP) usually store the address in "mail"; adjust if needed
email =  "email"

# Map LDAP groups to Grafana roles. Grafana uses the first mapping that matches a user,
# so list the most privileged groups first. A mapping with group_dn = "*" matches every
# user; add one only if everyone who can authenticate should get a role.
[[servers.group_mappings]]
group_dn = "cn=amministrazione,ou=groups,dc=sighup,dc=io"
org_role = "Admin"
# grafana_admin additionally grants Grafana server-admin rights, beyond the org role
grafana_admin = true

[[servers.group_mappings]]
group_dn = "cn=engineering,ou=groups,dc=sighup,dc=io"
org_role = "Editor"

In this example, members of the amministrazione LDAP group are granted the Admin organization role plus Grafana server-admin rights (grafana_admin = true), while members of the engineering LDAP group get the Editor role.

kustomize turns this ldap.toml file into a ConfigMap, which is mounted into the Grafana container as a file. Note that the ConfigMap then holds the bind password in clear text: anyone who can read ConfigMaps in the monitoring namespace can read it. If that is a concern, generate the object with a secretGenerator instead and mount it from a Secret; the only change to the patch below is that the volume uses secret: instead of configMap:.

grafana-ldap.yaml

This patch grafana-ldap.yaml should be placed inside the grafana-ldap/patches directory:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitoring
spec:
  template:
    spec:
      volumes:
        - name: ldap-config
          configMap:
            name: ldap-config
      containers:
        - name: grafana
          volumeMounts:
            - name: ldap-config
              mountPath: /etc/grafana/ldap/
          env:
            - name: GF_AUTH_LDAP_ENABLED
              value: "true"
            - name: GF_AUTH_LDAP_CONFIG_FILE
              value: /etc/grafana/ldap/ldap.toml
            - name: GF_AUTH_LDAP_ALLOW_SIGN_UP
              value: "true"
            - name: GF_AUTH_ANONYMOUS_ENABLED
              value: "false"
            - name: GF_LOG_FILTERS
              value: "ldap:debug"

This patch makes two changes:

  • It adds the environment variables that activate the LDAP integration: GF_AUTH_LDAP_ENABLED and GF_AUTH_LDAP_CONFIG_FILE turn it on and point at the mounted file; GF_AUTH_LDAP_ALLOW_SIGN_UP lets Grafana create a local account the first time an LDAP user logs in; GF_AUTH_ANONYMOUS_ENABLED=false turns off the anonymous access with which the distribution deploys Grafana by default; GF_LOG_FILTERS=ldap:debug makes the LDAP client log verbosely, which is useful while setting this up and can be removed afterwards.
  • It adds a volume and a VolumeMount so that the Grafana container can read the ldap.toml configuration file (consider adding readOnly: true to the mount).

Any grafana.ini setting can be overridden this way with a GF_<SECTION>_<KEY> environment variable; see the Grafana configuration documentation for the full list.

Test

If you have followed these steps, you can verify everything is in place with the following command:

$ kustomize build | grep -A 1 GF_AUTH_LDAP_CONFIG_FILE
        - name: GF_AUTH_LDAP_CONFIG_FILE
          value: /etc/grafana/ldap/ldap.toml
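The grep above only proves that the manifest carries the LDAP settings; it says nothing about whether the directory will answer the queries Grafana is about to send. The script below is an added example (not part of the Fury distribution or of Grafana) that reproduces, with ldapsearch, the three operations Grafana performs at login with the ldap.toml above: bind as the search account, look the user up with search_filter, and find the groups whose member attribute names that user. The host, bind account and filters mirror the example file and are assumptions; override them through the environment. The login name is escaped per RFC 4515 before it is substituted into the filters, as any LDAP client must do, so that a name such as `*` cannot turn `(cn=%s)` into a match-all filter.

```shell
#!/bin/sh
# Added example (not Fury's or Grafana's code): run Grafana's LDAP lookups by hand.
# Values below mirror the example ldap.toml; they are assumptions, override as needed.
set -eu

LDAP_URI="${LDAP_URI:-ldap://ldap-server.demo-ldap.svc.cluster.local:389}"
BIND_DN="${BIND_DN:-cn=admin,dc=sighup,dc=io}"
BIND_PW="${BIND_PW:-HatFriday}"   # against a real server prefer -W (prompt) or -y <file>
USER_BASE="ou=people,dc=sighup,dc=io"
GROUP_BASE="ou=groups,dc=sighup,dc=io"
SEARCH_FILTER='(cn=%s)'
GROUP_SEARCH_FILTER='(&(objectClass=groupOfNames)(member=cn=%s,ou=people,dc=sighup,dc=io))'

# RFC 4515 escaping for a value placed inside a search filter: the backslash first,
# then the filter metacharacters * ( ). Without it a login of "*" matches every user.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every %s in a filter template with the escaped login name.
render_filter() {  # $1 = filter template, $2 = login name
  tpl=$1; ph='%s'; out=''
  esc=$(ldap_filter_escape "$2")
  while :; do
    case $tpl in
      *"$ph"*) out=$out${tpl%%"$ph"*}$esc; tpl=${tpl#*"$ph"} ;;
      *) break ;;
    esac
  done
  printf '%s' "$out$tpl"
}

# Run the queries against the real server (needs ldapsearch from the OpenLDAP clients).
preflight() {  # $1 = login name to test
  filter=$(render_filter "$SEARCH_FILTER" "$1")
  gfilter=$(render_filter "$GROUP_SEARCH_FILTER" "$1")
  echo "== bind as $BIND_DN and search users with $filter"
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$USER_BASE" "$filter" cn sn mail email
  echo "== groups whose member attribute names the user: $gfilter"
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$GROUP_BASE" "$gfilter" dn
}

# Only touch the network when invoked explicitly:  ./ldap-preflight.sh --run alice
if [ "${1:-}" = "--run" ]; then
  preflight "${2:?login name required}"
fi
```

If the user search returns the entry but the group search returns nothing, the member attribute in group_search_filter does not match the user's real DN, and the user will log in without any group mapping; if the bind itself fails, fix bind_dn and bind_password before touching the Deployment. Add `-ZZ` to the ldapsearch calls once start_tls = true is set, so the test uses the same transport as Grafana.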

Kiali LDAP Integration

If you want to change Kiali's default configuration and you have an LDAP server, follow this guide to use it as the authentication provider.

Requirements

  • An LDAP server (OpenLDAP or Active Directory) whose host and port are reachable from the Kiali instance.
  • Knowledge of the LDAP structure: where users and groups live, and how groups reference their members.
  • TLS must be enabled on the LDAP server, otherwise the integration will not work (Kiali limitation).

Prepare

In the directory where you are working with the distribution, create a directory named kiali-ldap with the following structure:

$ ls
Furyfile.yml            kustomization.yaml
$ mkdir -p kiali-ldap/config

Then add the following content to the end of your kustomization.yaml file:

bases:
  - ./vendor/katalog/service-mesh/istio/kiali

generatorOptions:
  disableNameSuffixHash: true

configMapGenerator:
  - name: kiali
    namespace: istio-system
    behavior: replace
    files:
      - config.yaml=kiali-ldap/config/config.yaml

config.yaml

You have to create a config.yaml file in the kiali-ldap/config directory. All configuration parameters are documented in the official Kiali repository.

Take this file as an example:

istio_namespace: istio-system
deployment:
  accessible_namespaces: ['**']
auth:
  strategy: ldap
  ldap:
    ldap_host: "ldap-server.demo-ldap"
    ldap_port: 389
    # demo values: in production use LDAPS (ldap_use_ssl: true, port 636) and keep
    # certificate validation on (ldap_insecure_skip_verify: false), otherwise the
    # user passwords Kiali forwards can be intercepted
    ldap_use_ssl: false
    ldap_insecure_skip_verify: true
    ldap_base: "dc=sighup,dc=io"
    # Kiali binds with the user's own credentials: {USERID} is replaced by the login name
    ldap_bind_dn: "cn={USERID},ou=people,dc=sighup,dc=io"
server:
  port: 20001
  web_root: /kiali
external_services:
  tracing:
    url:
  grafana:
    url:
  prometheus:
    url: http://prometheus-k8s.monitoring:9090

Test

If you have followed these steps, you can verify everything is in place with the following command:

$ kustomize build | grep ldap_host
        ldap_host: "ldap-server.demo-ldap"
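Two things the Kiali configuration above depends on can be checked before the ConfigMap is replaced: that the server's certificate validates against the CA the cluster trusts (required once ldap_insecure_skip_verify is false, and the reason the TLS requirement above matters), and that a user can bind with the DN Kiali builds from ldap_bind_dn, since Kiali authenticates with the user's own credentials rather than a service account. The script below is an added example, not Kiali's or the distribution's code. The host, the LDAPS port 636, the CA file path and the DN template are assumptions taken from the example config; the login name is escaped per RFC 4514 before it is substituted into the DN so that characters such as `,` or `+` cannot change the DN's structure.

```shell
#!/bin/sh
# Added example (not Kiali's or Fury's code): verify the LDAPS endpoint and a direct
# user bind the way Kiali performs it. Host, port, CA path and template are assumptions.
set -eu

LDAP_HOST="${LDAP_HOST:-ldap-server.demo-ldap}"
LDAP_PORT="${LDAP_PORT:-636}"
CA_FILE="${CA_FILE:-./ldap-ca.crt}"
BIND_DN_TEMPLATE='cn={USERID},ou=people,dc=sighup,dc=io'

# RFC 4514 escaping for an attribute value inside a DN: backslash first, then the
# DN separators , + " < > ; and a leading space or '#' or a trailing space.
ldap_dn_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[,+"<>;]/\\&/g' -e 's/^[ #]/\\&/' -e 's/ $/\\ /'
}

# Build the bind DN exactly as the template describes: {USERID} -> escaped login name.
render_bind_dn() {  # $1 = template containing {USERID}, $2 = login name
  tpl=$1; ph='{USERID}'
  head=${tpl%%"$ph"*}; tail=${tpl#*"$ph"}
  printf '%s' "$head$(ldap_dn_escape "$2")$tail"
}

# Verify the server certificate chains to CA_FILE (what ldap_insecure_skip_verify: false
# will enforce). For STARTTLS on port 389 add "-starttls ldap" to the command.
check_tls() {
  openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -servername "$LDAP_HOST" \
    -CAfile "$CA_FILE" -verify_return_error </dev/null >/dev/null
}

# Bind as the user over LDAPS (ldapsearch prompts for the password) and read the entry back.
user_bind() {  # $1 = login name
  dn=$(render_bind_dn "$BIND_DN_TEMPLATE" "$1")
  echo "== binding as $dn"
  LDAPTLS_CACERT="$CA_FILE" ldapsearch -LLL -x -H "ldaps://$LDAP_HOST:$LDAP_PORT" \
    -D "$dn" -W -b "$dn" -s base '(objectClass=*)' dn
}

# Only touch the network when invoked explicitly:  ./kiali-ldap-check.sh --run alice
if [ "${1:-}" = "--run" ]; then
  check_tls || { echo "TLS verification against $CA_FILE failed" >&2; exit 1; }
  echo "TLS certificate verified against $CA_FILE"
  user_bind "${2:?login name required}"
fi
```

A failing check_tls means Kiali will only work with ldap_insecure_skip_verify: true, which is exactly the setting to get rid of before production; a failing user_bind with a working certificate means the ldap_bind_dn template does not match where the users actually live in the tree.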

Last modified 06.07.2020: Move ldap behind thanos (df36e81)