Integrate active directory with Grafana
Grafana: Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources
Active Directory: Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done. The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what.
Objective: To integrate active directory with Grafana so that AD users can access Grafana monitoring platform common credentials
Note: Here we will install Grafana on an AWS EKS cluster, how to launch an EKS cluster is out of scope of this article, to know how its done, please refer https://www.eksworkshop.com/
- Install Grafana on AWS EKS using helm chart:
*helm repo add grafana https://grafana.github.io/helm-charts
*helm repo update
*helm install my-release grafana/grafana
2. Create service account on AD which has access to AD user database, and create two user groups ADMIN_USER, and VIEWER_USER on AD, and add users to these groups based on your requirement.
3. Create a config file named grafana-config, and paste these details inside it, explanation is provided in the comments.
### To enable logging
verbose_logging = true[[servers]]
### Active directory host, port and port details ###
host = "myadhostname.com"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = true### AD service account, to read users from user DB ###
bind_dn = "grafana-svc@mygroup.com"
bind_password = 'myPassWord'### AD search filter to enable user only from these groups to be
### able to signup to grafana ###
search_filter = "(&(sAMAccountName=%s)(|(memberOf=CN=ADMIN_USERS,OU=Groups,DC=mygroup,DC=com)(memberOf=CN=VIEWER_USERS,OU=Groups, DC=mygroup,DC=com)))"
search_base_dns = ["dc=mygroup,dc=com"]### AD server attributes ###
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"### AD service groups created on AD, users who are grafana admins ### will be added to this AD group ###
[[servers.group_mappings]]
group_dn = "CN=ADMIN_USERS,OU=Groups ,DC=mygroup,DC=com"
org_role = "Admin"
org_id = 2
grafana_admin = true### AD service groups created on AD, users who are read only admins ### will be added to this AD group ###
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
4. Create kubernetes secret using the file created in #2
kubectl create secret generic grafana-ldap-toml --from-file=ldap-toml=./grafana-config
5. Inside the Grafana helm chart, there are sections to enable ldap authentication, and provide ldap-toml file which is used by Grafana to enable active directory integration.
### NOTE: Grafana will fail to start if the value for ldap.toml is ### invalid
auth.ldap:
enabled: true
allow_sign_up: true
config_file: /etc/grafana/ldap.toml## Grafana's LDAP configuration
## Templated by the template in _helpers.tpl
## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled
## ref:http://docs.grafana.org/installation/configuration/#auth-ldap
## ref: http://docs.grafana.org/installation/ldap/#configuration
ldap:
enabled: true
# `existingSecret` is a reference to an existing secret containing # the ldap configuration
# for Grafana in a key `ldap-toml`.
existingSecret: grafana-ldap
# `config` is the content of `ldap.toml` that will be stored in the # created secret
6. Deploy the updated helm chart
helm upgrade my-release grafana/grafana
Once the changes are deployed, the users who are part of ADMIN_USERS(grafana admin) and VIEWER_USERS(viewer) can access Grafana gui, and can use their AD credentials for login, the users who have logged in will be added in the users tab on Grafana automatically.