Merge pull request #18 from zanox/master

Add LDAP config section

attributes/default.rb

@@ -48,3 +48,17 @@
 
 ### LOGGING ###
 default['grafana']['log_level'] = 'Info' # Either "Trace", "Debug", "Info", "Warn", "Error", "Critical"
+
+### LDAP ###
+# If you enable LDAP, you MUST override the sample resource template
+# in your wrapper cookbook 'my-grafana2' with custom template 'my-ldap.toml.erb'
+# Insert this code after grafana2 cookbook inclusion:
+# begin
+#    r = resources(:template => "#{node['grafana']['ldap_config_file']}")
+#    r.cookbook "my-grafana2"
+#    r.source "my-ldap.toml.erb"
+#    rescue Chef::Exceptions::ResourceNotFound
+#    Chef::Log.warn "could not find template to override!"
+# end
+default['grafana']['ldap_enabled'] = 'false' # 'true' or 'false
+default['grafana']['ldap_config_file'] = '/etc/grafana/ldap.toml'

recipes/config.rb

@@ -5,3 +5,11 @@
   group node['grafana']['group']
   notifies :restart, 'service[grafana-server]', :delayed
 end
+
+template "#{node['grafana']['ldap_config_file']}" do
+  source 'ldap.toml.sample.erb'
+  owner node['grafana']['user']
+  group node['grafana']['group']
+  mode '0600'
+  notifies :restart, 'service[grafana-server]', :delayed
+end

templates/default/grafana.ini.erb

@@ -196,3 +196,8 @@ level = <%= node['grafana']['log_level'] %>
 ;enabled = false
 ;rabbitmq_url = amqp://localhost/
 ;exchange = grafana_events
+
+# ldap configuration
+[auth.ldap]
+enabled = <%= node['grafana']['ldap_enabled'] %>
+config_file = <%= node['grafana']['ldap_config_file'] %> # add the customized config file in the cookbook wrapper

templates/default/ldap.toml.sample.erb

@@ -0,0 +1,58 @@
+# Set to true to log user information returned from LDAP
+verbose_logging = false
+
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "127.0.0.1"
+# Default port is 389 or 636 if use_ssl = true
+port = 389
+# Set to true if ldap server supports TLS
+use_ssl = false
+# set to true if you want to skip ssl cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = /path/to/certificate.crt
+
+# Search user bind dn
+bind_dn = "cn=admin,dc=grafana,dc=org"
+# Search user bind password
+bind_password = 'grafana'
+
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+search_filter = "(cn=%s)"
+
+# An array of base dns to search through
+search_base_dns = ["dc=grafana,dc=org"]
+
+# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
+# This is done by enabling group_search_filter below. You must also set member_of= "cn"
+# in [servers.attributes] below.
+
+## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
+# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+## An array of the base DNs to search through for groups. Typically uses ou=groups
+# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
+
+# Specify names of the ldap attributes your ldap uses
+[servers.attributes]
+name = "givenName"
+surname = "sn"
+username = "cn"
+member_of = "memberOf"
+email =  "email"
+
+# Map ldap groups to grafana org roles
+[[servers.group_mappings]]
+group_dn = "cn=admins,dc=grafana,dc=org"
+org_role = "Admin"
+# The Grafana organization database id, optional, if left out the default org (id 1) will be used
+# org_id = 1
+
+[[servers.group_mappings]]
+group_dn = "cn=users,dc=grafana,dc=org"
+org_role = "Editor"
+
+[[servers.group_mappings]]
+# If you want to match all (or no ldap groups) then you can use wildcard
+group_dn = "*"
+org_role = "Viewer"