diff --git a/deployment_scripts/puppet/manifests/grafana.pp b/deployment_scripts/puppet/manifests/grafana.pp
index a00b315e..730fcea6 100644
--- a/deployment_scripts/puppet/manifests/grafana.pp
+++ b/deployment_scripts/puppet/manifests/grafana.pp
@@ -41,8 +41,8 @@ if $ldap_enabled {
 user_search_base_dns => hiera('lma::grafana::ldap::user_search_base_dns'),
 user_search_filter => hiera('lma::grafana::ldap::user_search_filter'),
 authorization_enabled => hiera('lma::grafana::ldap::authorization_enabled'),
- group_search_base_dns => hiera('lma::grafana::ldap::group_search_base_dns'),
- group_search_filter => hiera('lma::grafana::ldap::group_search_filter'),
+ group_search_base_dns => hiera('lma::grafana::ldap::group_search_base_dns', ''),
+ group_search_filter => hiera('lma::grafana::ldap::group_search_filter', ''),
 admin_group_dn => hiera('lma::grafana::ldap::admin_group_dn', ''),
 viewer_group_dn => hiera('lma::grafana::ldap::viewer_group_dn', ''),
 }
diff --git a/deployment_scripts/puppet/modules/lma_monitoring_analytics/templates/ldap.toml.erb b/deployment_scripts/puppet/modules/lma_monitoring_analytics/templates/ldap.toml.erb
index df42d079..e9b8813f 100644
--- a/deployment_scripts/puppet/modules/lma_monitoring_analytics/templates/ldap.toml.erb
+++ b/deployment_scripts/puppet/modules/lma_monitoring_analytics/templates/ldap.toml.erb
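Review bot: The new `''` defaults on `group_search_base_dns` and `group_search_filter` silently accept a deployment where group-based authorization is switched on but no group search is configured, while `authorization_enabled` on the context line above still has no default, so a missing hiera key aborts the catalog instead of falling back to a known value. Whether Grafana then falls back to a memberOf lookup or simply matches no group is not visible here, but either way the operator gets no signal that the role mapping they enabled is inert. I would fail the catalog explicitly, e.g. ahead of this resource: `if hiera('lma::grafana::ldap::authorization_enabled', false) and hiera('lma::grafana::ldap::group_search_base_dns', '') == '' {` / `  fail('lma::grafana::ldap: authorization_enabled requires group_search_base_dns')` / `}`. The resource these parameters belong to opens before the hunk.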
@@ -14,11 +14,12 @@ bind_password = "<%= @ldap_bind_password %>" search_base_dns = [<%= @ldap_user_search_base_dns.split(' ').collect{|x| "\"#{x}\"" }.join(',') %>] search_filter = "<%= @ldap_user_search_filter %>" +<% if @ldap_authorization_enabled -%> # In POSIX LDAP schemas, without memberOf attribute a secondary query must be -# made for groups. This is done by enabling group_search_filter below. We must -# also set member_of="cn". +# made for groups. This is done by enabling group_search_filter below. group_search_base_dns = [<%= @ldap_group_search_base_dns.split(' ').collect{|x| "\"#{x}\"" }.join(',') %>] group_search_filter = "<%= @ldap_group_search_filter %>" +<% end -%> [servers.attributes] name = "givenName" diff --git a/environment_config.yaml b/environment_config.yaml index 5582513e..d12ad44a 100644 --- a/environment_config.yaml +++ b/environment_config.yaml 
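Review bot: `group_search_filter = "<%= @ldap_group_search_filter %>"` writes an operator-supplied free-text field straight into a TOML double-quoted string with no escaping, so a filter containing `"` or a backslash produces an ldap.toml that Grafana cannot parse; the same holds for the `search_filter` context line, and `group_search_base_dns` splits on a bare space, which breaks any DN such as `ou=Grafana Users,dc=example,dc=com` into two bogus entries. Since these values now only appear when authorization is enabled, a malformed one takes down exactly the hardened configuration. I would escape the filter before interpolation, `group_search_filter = "<%= @ldap_group_search_filter.gsub(/["\\]/) { |c| "\\#{c}" } %>"`, apply the same to the DN elements inside the `collect` block, and add a comment above the `group_search_base_dns` line stating that multiple base DNs are space-separated and therefore individual DNs must not contain spaces (or switch the separator to something a DN cannot contain).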
@@ -238,35 +238,39 @@ attributes: - condition: "settings:influxdb_grafana.ldap_enabled.value == false" action: hide - ldap_group_search_base_dns: - value: '' - label: 'Group search base DN' - description: 'The base DN to search for groups.' + ldap_authorization_enabled: + value: false + label: 'Enable group-based authorization' + description: 'It allows to associate the users with the admin or viewer role. Otherwise all users are assigned to admin role.' weight: 250 - type: "text" + type: "checkbox" restrictions: - condition: "settings:influxdb_grafana.ldap_enabled.value == false" action: hide - ldap_group_search_filter: - value: '(&(objectClass=posixGroup)(memberUid=%s))' - label: 'Group search filter' - description: 'A valid LDAP search filter.' + ldap_group_search_base_dns: + value: '' + label: 'Group search base DN' + description: 'The base DN to search for groups.' weight: 260 type: "text" restrictions: - condition: "settings:influxdb_grafana.ldap_enabled.value == false" action: hide + - condition: "settings:influxdb_grafana.ldap_authorization_enabled.value == false" + action: disable - ldap_authorization_enabled: - value: false - label: 'Enable group-based authorization' - description: 'It allows to associate the users with the admin or read-only role. Otherwise all users are assigned to admin role.' + ldap_group_search_filter: + value: '(&(objectClass=posixGroup)(memberUid=%s))' + label: 'Group search filter' + description: 'A valid LDAP search filter.' weight: 270 - type: "checkbox" + type: "text" restrictions: - condition: "settings:influxdb_grafana.ldap_enabled.value == false" action: hide + - condition: "settings:influxdb_grafana.ldap_authorization_enabled.value == false" + action: disable ldap_admin_group_dn: value: ''
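Review bot: The description of `ldap_authorization_enabled`, `'It allows to associate the users with the admin or viewer role. Otherwise all users are assigned to admin role.'`, understates the consequence of its default `value: false`: with the box unticked, every account that can bind to the directory receives full Grafana Admin, and the group search fields are greyed out with `action: disable` rather than cleared, so a previously entered group DN remains in the settings without having any effect. I would reword it to `'Map LDAP groups to the Grafana Admin or Viewer role. When disabled, every user who can authenticate against LDAP is granted the Admin role, so leave this enabled unless all LDAP users are trusted administrators.'` Whether the default itself should become `true` depends on existing deployments relying on the current behaviour, which this diff does not show.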