Disable group parameters if authorization is disabled

Parameters "Group search base DN" and "Group search filter" are not
needed if authorization is disabled.

Change-Id: I7399987c695305bae7f6029de110d591ab053963

deployment_scripts/puppet/manifests/grafana.pp

@@ -41,8 +41,8 @@ if $ldap_enabled {
     user_search_base_dns  => hiera('lma::grafana::ldap::user_search_base_dns'),
     user_search_filter    => hiera('lma::grafana::ldap::user_search_filter'),
     authorization_enabled => hiera('lma::grafana::ldap::authorization_enabled'),
-    group_search_base_dns => hiera('lma::grafana::ldap::group_search_base_dns'),
-    group_search_filter   => hiera('lma::grafana::ldap::group_search_filter'),
+    group_search_base_dns => hiera('lma::grafana::ldap::group_search_base_dns', ''),
+    group_search_filter   => hiera('lma::grafana::ldap::group_search_filter', ''),
     admin_group_dn        => hiera('lma::grafana::ldap::admin_group_dn', ''),
     viewer_group_dn       => hiera('lma::grafana::ldap::viewer_group_dn', ''),
   }

deployment_scripts/puppet/modules/lma_monitoring_analytics/templates/ldap.toml.erb

@@ -14,11 +14,12 @@ bind_password = "<%= @ldap_bind_password %>"
 search_base_dns = [<%= @ldap_user_search_base_dns.split(' ').collect{|x| "\"#{x}\"" }.join(',') %>]
 search_filter = "<%= @ldap_user_search_filter %>"
 
+<% if @ldap_authorization_enabled -%>
 # In POSIX LDAP schemas, without memberOf attribute a secondary query must be
-# made for groups. This is done by enabling group_search_filter below. We must
-# also set member_of="cn".
+# made for groups. This is done by enabling group_search_filter below.
 group_search_base_dns = [<%= @ldap_group_search_base_dns.split(' ').collect{|x| "\"#{x}\"" }.join(',') %>]
 group_search_filter = "<%= @ldap_group_search_filter %>"
+<% end -%>
 
 [servers.attributes]
 name = "givenName"

environment_config.yaml

@@ -238,35 +238,39 @@ attributes:
       - condition: "settings:influxdb_grafana.ldap_enabled.value == false"
         action: hide
 
-  ldap_group_search_base_dns:
-    value: ''
-    label: 'Group search base DN'
-    description: 'The base DN to search for groups.'
+  ldap_authorization_enabled:
+    value: false
+    label: 'Enable group-based authorization'
+    description: 'It allows to associate the users with the admin or viewer role. Otherwise all users are assigned to admin role.'
     weight: 250
-    type: "text"
+    type: "checkbox"
     restrictions:
       - condition: "settings:influxdb_grafana.ldap_enabled.value == false"
         action: hide
 
-  ldap_group_search_filter:
-    value: '(&(objectClass=posixGroup)(memberUid=%s))'
-    label: 'Group search filter'
-    description: 'A valid LDAP search filter.'
+  ldap_group_search_base_dns:
+    value: ''
+    label: 'Group search base DN'
+    description: 'The base DN to search for groups.'
     weight: 260
     type: "text"
     restrictions:
       - condition: "settings:influxdb_grafana.ldap_enabled.value == false"
         action: hide
+      - condition: "settings:influxdb_grafana.ldap_authorization_enabled.value == false"
+        action: disable
 
-  ldap_authorization_enabled:
-    value: false
-    label: 'Enable group-based authorization'
-    description: 'It allows to associate the users with the admin or read-only role. Otherwise all users are assigned to admin role.'
+  ldap_group_search_filter:
+    value: '(&(objectClass=posixGroup)(memberUid=%s))'
+    label: 'Group search filter'
+    description: 'A valid LDAP search filter.'
     weight: 270
-    type: "checkbox"
+    type: "text"
     restrictions:
       - condition: "settings:influxdb_grafana.ldap_enabled.value == false"
         action: hide
+      - condition: "settings:influxdb_grafana.ldap_authorization_enabled.value == false"
+        action: disable
 
   ldap_admin_group_dn:
     value: ''