[grafana] More power!

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2022-04-04 17:26:15 +02:00 · 2022-04-04 17:26:15 +02:00 · 830afd1531
parent da70cc483e
commit 830afd1531
2 changed files with 13 additions and 3 deletions
--- a/group_vars/grafana.yml
+++ b/group_vars/grafana.yml
@ -4,6 +4,10 @@ glob_grafana:
  ldap_base: "{{ glob_ldap.base }}"
  ldap_master_ipv4: "{{ glob_ldap.servers[0] }}"
  ldap_user_tree: "ou=passwd,{{ glob_ldap.base }}"
+  ldap_group_tree: "ou=group,{{ glob_ldap.base }}"
+  ldap_group_filter: "uid"
+  ldap_group_admin: "cn=_nounou,ou=group,{{ glob_ldap.base }}"
+  ldap_group_editor: "*"  # Everyone is editor

 logos:
  - which: crans_logo_white_small.svg
--- a/roles/grafana/templates/ldap.toml.j2
+++ b/roles/grafana/templates/ldap.toml.j2
@ -31,8 +31,8 @@ search_base_dns = ["ou=passwd,dc=crans,dc=org"]
 ## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
 ## Please check grafana LDAP docs for examples
 group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
-group_search_base_dns = ["ou=group,{{ grafana.ldap_base }}"]
-group_search_filter_user_attribute = "cn"
+group_search_base_dns = ["{{ grafana.ldap_group_tree }}"]
+group_search_filter_user_attribute = "{{ grafana.ldap_group_filter }}"

 # Specify names of the ldap attributes your ldap uses
 [servers.attributes]
@ -41,7 +41,13 @@ surname = "sn"
 username = "uid"
 email =  "mail"

+# Nounous can administrate
+[[servers.group_mappings]]
+group_dn = "{{ grafana.ldap_group_admin }}"
+org_role = "Admin"
+grafana_admin = true
+
 # All LDAP members can edit
 [[servers.group_mappings]]
-group_dn = "*"
+group_dn = "{{ grafana.ldap_group_editor }}"
 org_role = "Editor"