This tutorial applies to Grafana versions 9 and 10. The domain controller (AD) is built on Windows Server 2022, with the domain functional level set to 2016.
The AD domain name is songxwn.com.
The end result: AD users authenticate centrally, change their passwords centrally, and are created in Grafana automatically. Permissions are controlled by Grafana.

Enable LDAP globally
Edit the /etc/grafana/grafana.ini file:
vim /etc/grafana/grafana.ini
Edit and uncomment the following parameters:
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
Configure the LDAP connection file
Edit the /etc/grafana/ldap.toml file:
vim /etc/grafana/ldap.toml
Example file. The settings mean the following:
host is the address of the domain controller.
port can be left at the default 389 (no encryption).
bind_dn is a domain account used to search for domain accounts.
bind_password is the password of that account.
search_filter is fixed to (sAMAccountName=%s) for AD.
search_base_dns is the domain path; it can be looked up in ADSI.
User group permission mapping: [[servers.group_mappings]]
group_dn is the path of the user group; org_role is the role in the Grafana organization: Admin, Editor or Viewer (administer, edit, read-only).
As shown below, I mapped it1 to Editor and the it2 group to Viewer.
PS: the exact paths are best looked up with the ADSI Edit tool.
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "songxwn.com"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_AES_256_GCM_SHA384"])
# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go
tls_ciphers = []
# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1, TLS1.2, TLS1.3.
min_tls_version = ""
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "admin@songxwn.com"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = "password123"
# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
# bind_password = '$__env{LDAP_BIND_PASSWORD}'

# Timeout in seconds (applies to each host specified in the 'host' entry (space separated))
timeout = 15

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["dc=songxwn,dc=com"]

## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# group_search_filter_user_attribute = "uid"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
org_role = "Admin"
# To make user an instance admin (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "cn=it1,cn=users,dc=songxwn,dc=com"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "cn=it2,cn=users,dc=songxwn,dc=com"
org_role = "Viewer"
Reference
https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/ldap/
Blog
https://songxwn.com/