LDAP group mapping in Grafana


I need some help. I can log in to the system with LDAP users, but they all get the Admin role even though I have configured LDAP group mapping. I think this may have to do with the actual schema in LDAP. I am far from an LDAP expert, so I hope to get some help from you.

Here is a typical user account from LDAP:

#rmartinez, people, domain.com
dn: uid=rmartinez,ou=people,dc=domain,dc=domain
cn: Ricardo Martinez
gidNumber: 100
givenName: Ricardo
homeDirectory: /home/rmartinez
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: Martinez
uid: rmartinez
uidNumber: 10009
userPassword:: e3NzaGF9dWN0RGJ1Njg4ejZPeittYUxrdlRoZWUrM2VWUFdFcFpVQT09

Here is one of the groups mapped in Grafana:

# Directores, group, domain.com
dn: cn=Directores,ou=group,dc=domain,dc=com
cn: Directores
gidNumber: 10002
member: uid=sbenito,ou=people,dc=domain,dc=com
member: uid=jsaez,ou=people,dc=domain,dc=com
member: uid=rsanchez,ou=people,dc=domain,dc=com
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
userPassword:: e3NzaGF9cmhxUVdhWmdZNy83NHM3cGxPYVd6VFFDQVlOWlRsUk5TZz09

Here is what my ldap.toml looks like:

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
#[log]
#filters = ldap:debug
verbose_logging = true
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "dc01.domain.com"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = true
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = true
# set to true if you want to skip ssl cert validation
ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults
root_ca_cert = "/etc/ldap/certs/caskmf.pem"
# Authentication against LDAP servers requiring client certificates
client_cert = "/etc/ldap/certs/dc01srvcert.pem"
client_key = "/etc/ldap/certs/dc01key.pem"

# Search user bind dn
bind_dn = "cn=Manager,dc=domain,dc=com"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'admin'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(uid=%s)"

# An array of base dns to search through
search_base_dns = ["dc=domain,dc=com"]

## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
group_search_filter = "(&(objectClass=posixGroup))"
group_search_base_dns = ["ou=group,dc=domain,dc=com"]
group_search_filter_user_attribute = "uid"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
#email =  "email"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=Administradores,ou=group,dc=domain,dc=com"
org_role = "Admin"
# To make user an instance admin  (Grafana Admin) uncomment line below
grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "cn=Operadores,ou=group,dc=domain,dc=com"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "cn=Directores,ou=group,dc=domain,dc=com"
org_role = "Viewer"

Please, can you help me? I have tried almost everything. I think it is related to the fact that the users do not have any attribute that refers to the groups they belong to. Here are the logs:

Dec 18 09:25:55 persephone grafana-server[4668]: t=2019-12-18T09:25:55+0100 lvl=info msg="LDAP enabled, reading config file" logger=ldap file=/etc/grafana/ldap.toml
Dec 18 09:25:55 persephone grafana-server[4668]: t=2019-12-18T09:25:55+0100 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(objectClass=posixGroup))"
Dec 18 09:25:55 persephone grafana-server[4668]: t=2019-12-18T09:25:55+0100 lvl=dbug msg="LDAP users found" logger=ldap users="([]*models.ExternalUserInfo) (len=1 cap=1) {\n (*models.ExternalUserInfo)(0xc0000da510)({\n  OAuthToken: (*oauth2.Token)(<nil>),\n  AuthModule: (string) (len=4) \"ldap\",\n  AuthId: (string) (len=38) \"uid=pgambarte,ou=people,dc=domain,dc=com\",\n  UserId: (int64) 0,\n  Email: (string) \"\",\n  Login: (string) (len=14) \"Pilar Gambarte\",\n  Name: (string) (len=14) \"Pilar Gambarte\",\n  Groups: ([]string) (len=3 cap=4) {\n   (string) (len=37) \"cn=Operadores,ou=group,dc=domain,dc=com\",\n   (string) (len=42) \"cn=Administradores,ou=group,dc=domain,dc=com\",\n   (string) (len=37) \"cn=Directores,ou=group,dc=domain,dc=com\"\n  },\n  OrgRoles: (map[int64]models.RoleType) (len=1) {\n   (int64) 1: (models.RoleType) (len=5) \"Admin\"\n  },\n  IsGrafanaAdmin: (*bool)(0xc00082fa20)(true),\n  IsDisabled: (bool) false\n })\n}\n"
Dec 18 09:25:55 persephone grafana-server[4668]: t=2019-12-18T09:25:55+0100 lvl=dbug msg="user auth token created" logger=auth tokenId=14 userId=2 clientIP=10.0.2.2 userAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36" authToken=f8152859f8f2421705b2b967a742bcfbfb7ec4d5e0ef0cebe9575dbb399a54c9
Dec 18 09:25:55 persephone grafana-server[4668]: t=2019-12-18T09:25:55+0100 lvl=info msg="Successful Login" logger=http.server User="Pilar Gambarte"
Dec 18 09:25:55 persephone grafana-server[4668]: t=2019-12-18T09:25:55+0100 lvl=dbug msg="seen token" logger=auth tokenId=14 userId=2 clientIP=10.0.2.2 userAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36" authToken=f8152859f8f2421705b2b967a742bcfbfb7ec4d5e0ef0cebe9575dbb399a54c9
Dec 18 09:25:55 persephone grafana-server[4668]: t=2019-12-18T09:25:55+0100 lvl=dbug msg="Updating last user_seen_at" logger=context userId=2 orgId=1 uname="Pilar Gambarte" user_id=2
Thank you very much.
Regards.
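
Added example (not from the original post and not Grafana's code): a small Python model of how a Grafana-style `group_search_filter` decides which groups a user belongs to, run over a directory constructed from the LDIF entries in the post (the Operadores membership is invented; the other entries follow the post). It reproduces what the log above shows: the posted filter `(&(objectClass=posixGroup))` contains no `%s` placeholder, so nothing about the user is substituted into it, every posixGroup matches for every user, and because the mappings are walked in order with the first match per org winning, the Administradores mapping (Admin, `grafana_admin = true`) applies to everyone who logs in. The same model run with a filter that does reference the user, `(&(objectClass=groupOfNames)(member=%s))` together with `group_search_filter_user_attribute = "dn"`, returns only the group the user is actually in: these groups store members as DNs in `member:`, so the user's DN is the value that must be substituted. Two things are assumptions about Grafana rather than facts from the page: that the attribute name `dn` stands for the entry's DN, and the first-match rule for mappings. The filter evaluator handles one level of `&`/`|` over equality terms, which is enough for these filters, and escapes the substituted value per RFC 4515 so that an attribute value cannot change the structure of the filter.

```python
"""Model of how a group_search_filter with a %s placeholder selects a user's groups.

Added example, not Grafana's code. It models two steps:
1) replace %s in group_search_filter with the user's group_search_filter_user_attribute
   value, evaluate the filter against each group entry, collect the matching DNs;
2) walk [[servers.group_mappings]] in order; the first match for the org wins.
"""
import re

# Constructed directory, built from the LDIF entries in the post
# (the Operadores membership is invented; the others follow the post).
GROUPS = [
    {"dn": "cn=Administradores,ou=group,dc=domain,dc=com",
     "objectClass": ["top", "posixGroup", "groupOfNames"],
     "member": ["uid=pgambarte,ou=people,dc=domain,dc=com",
                "uid=rmartinez,ou=people,dc=domain,dc=com"]},
    {"dn": "cn=Operadores,ou=group,dc=domain,dc=com",
     "objectClass": ["top", "posixGroup", "groupOfNames"],
     "member": ["uid=jsaez,ou=people,dc=domain,dc=com"]},
    {"dn": "cn=Directores,ou=group,dc=domain,dc=com",
     "objectClass": ["top", "posixGroup", "groupOfNames"],
     "member": ["uid=sbenito,ou=people,dc=domain,dc=com",
                "uid=jsaez,ou=people,dc=domain,dc=com"]},
]

# The user from the second log excerpt: a member of Directores only.
SBENITO = {"dn": "uid=sbenito,ou=people,dc=domain,dc=com",
           "uid": ["sbenito"], "cn": ["Sara Benito"]}

# (group_dn, org_role, grafana_admin) in the order of the posted ldap.toml.
MAPPINGS = [
    ("cn=Administradores,ou=group,dc=domain,dc=com", "Admin", True),
    ("cn=Operadores,ou=group,dc=domain,dc=com", "Editor", False),
    ("cn=Directores,ou=group,dc=domain,dc=com", "Viewer", False),
]


def escape_filter(value):
    """RFC 4515 escaping of a value substituted into a filter, so that
    characters in an attribute value cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def attr_values(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values if isinstance(values, list) else [values]
    return []


def user_attribute(user, name):
    """Value that replaces %s. The name "dn" is assumed (see lead-in) to mean
    the entry's DN; any other name is read as a plain attribute of the user."""
    if name.lower() == "dn":
        return user["dn"]
    return (attr_values(user, name) or [""])[0]


def matches(entry, flt):
    """Minimal filter evaluator: one level of (&...) / (|...) over (attr=value) terms."""
    flt = flt.strip()
    if flt[:2] in ("(&", "(|"):
        terms = re.findall(r"\([^()]*\)", flt[2:-1])
        results = [matches(entry, t) for t in terms]
        return all(results) if flt[1] == "&" else any(results)
    attr, _, value = flt[1:-1].partition("=")
    wanted = unescape_filter(value).lower()
    return any(v.lower() == wanted for v in attr_values(entry, attr))


def groups_of(user, group_search_filter, user_attr, groups=GROUPS):
    """Step 1: substitute %s and return the DNs of every group entry that matches.
    A filter without %s never looks at the user, so it returns the same groups for everyone."""
    flt = group_search_filter.replace("%s", escape_filter(user_attribute(user, user_attr)))
    return [g["dn"] for g in groups if matches(g, flt)]


def resolve_roles(member_of, mappings=MAPPINGS):
    """Step 2: the first mapping whose group_dn is in member_of wins (single org modelled)."""
    have = {dn.lower() for dn in member_of}
    for group_dn, role, is_admin in mappings:
        if group_dn.lower() in have:
            return role, is_admin
    return None, False


if __name__ == "__main__":
    posted = groups_of(SBENITO, "(&(objectClass=posixGroup))", "uid")
    fixed = groups_of(SBENITO, "(&(objectClass=groupOfNames)(member=%s))", "dn")
    print("posted filter  ->", posted, resolve_roles(posted))  # all 3 groups, ('Admin', True)
    print("filter with %s ->", fixed, resolve_roles(fixed))    # Directores only, ('Viewer', False)
```

Running the block with the posted filter returns all three groups for sbenito and resolves to Admin with instance-admin rights, exactly what both log excerpts show for users in and out of Administradores. Substituting `uid` into `(member=%s)` would match nothing, because `member:` holds full DNs and not bare uids; that is why the user attribute and the group attribute have to be the same kind of value.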

@tomgalpin Here are the logs for a user who belongs to the Directores group and not to Administradores:

Dec 18 14:15:48 persephone grafana-server[1730]: t=2019-12-18T14:15:48+0100 lvl=info msg="LDAP enabled, reading config file" logger=ldap file=/etc/grafana/ldap.toml
Dec 18 14:15:48 persephone grafana-server[1730]: t=2019-12-18T14:15:48+0100 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(objectClass=posixGroup))"
Dec 18 14:15:48 persephone grafana-server[1730]: t=2019-12-18T14:15:48+0100 lvl=dbug msg="LDAP users found" logger=ldap users="([]*models.ExternalUserInfo) (len=1 cap=1) {\n (*models.ExternalUserInfo)(0xc00047d680)({\n  OAuthToken: (*oauth2.Token)(<nil>),\n  AuthModule: (string) (len=4) \"ldap\",\n  AuthId: (string) (len=36) \"uid=sbenito,ou=people,dc=domain,dc=com\",\n  UserId: (int64) 0,\n  Email: (string) \"\",\n  Login: (string) (len=11) \"Sara Benito\",\n  Name: (string) (len=11) \"Sara Benito\",\n  Groups: ([]string) (len=3 cap=4) {\n   (string) (len=37) \"cn=Operadores,ou=group,dc=domain,dc=com\",\n   (string) (len=42) \"cn=Administradores,ou=group,dc=domain,dc=com\",\n   (string) (len=37) \"cn=Directores,ou=group,dc=domain,dc=com\"\n  },\n  OrgRoles: (map[int64]models.RoleType) (len=1) {\n   (int64) 1: (models.RoleType) (len=5) \"Admin\"\n  },\n  IsGrafanaAdmin: (*bool)(0xc0005c5fc0)(true),\n  IsDisabled: (bool) false\n })\n}\n"
Dec 18 14:15:48 persephone grafana-server[1730]: t=2019-12-18T14:15:48+0100 lvl=info msg="Successful Login" logger=http.server User="Sara Benito"

Thanks for your help.

Can you confirm that pgambarte is not in the Administradores group? Also, could you provide the logs of what happens when a user who is not in the Administradores group logs in? Thanks

# Administradores, group, domain.com
dn: cn=Administradores,ou=group,dc=domain,dc=com
cn: Administradores
gidNumber: 10001
member: uid=pgambarte,ou=people,dc=domain,dc=com
member: uid=rmartin,ou=people,dc=domain,dc=com
member: uid=rmartinez,ou=people,dc=domain,dc=com
member: uid=pgomez,ou=people,dc=domain,dc=com
member: uid=jramirez,ou=people,dc=domain,dc=com
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top