
Commit 37f198d

LDAP: Add guide on how to configure LDAP with TLS (grafana#91686)
add guide on how to configure LDAP with TLS
1 parent 0e5d763 commit 37f198d

File tree

3 files changed

+45
-1
lines changed


.gitignore

Lines changed: 1 addition & 0 deletions
@@ -87,6 +87,7 @@ example-apiserver/
8787
/devenv/docker/blocks/tempo/tempo-data/
8888
/devenv/docker/ha-test-unified-alerting/logs/webhook/dumps/
8989
/devenv/docker/ha-test-unified-alerting/logs/webhook/webhook-listener.log
90+
/devenv/docker/blocks/auth/openldap/certs/
9091

9192
conf/custom.ini
9293
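Review bot: ignoring the whole `/devenv/docker/blocks/auth/openldap/certs/` directory is the right call for key material, but it also means the directory does not exist on a fresh clone, so the `docker cp ... devenv/docker/blocks/auth/openldap/certs` step in the README and the compose volume mount of `./docker/blocks/auth/openldap/certs/` both depend on the developer creating it first. Consider ignoring the contents instead of the directory (`/devenv/docker/blocks/auth/openldap/certs/*` plus `!/devenv/docker/blocks/auth/openldap/certs/.gitkeep`) so an empty tracked directory ships with the checkout, or state the `mkdir` explicitly in the guide.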

devenv/docker/blocks/auth/openldap/README.md

Lines changed: 39 additions & 1 deletion
@@ -53,4 +53,42 @@ The default configuration between Grafana and the OpenLDAP container is configur
5353
- admins
5454
- ldap-posix-admin
5555
- no groups
56-
- ldap-posix
56+
- ldap-posix
57+
58+
## Configure LDAP with TLS
59+
60+
After the `openldap` container has been deployed, you have to copy the CA from the docker container:
61+
```bash
62+
# get the container ID
63+
docker ps
64+
65+
docker cp CONTAINER-ID:"/container/service/:ssl-tools/assets/default-ca/default-ca.pem" devenv/docker/blocks/auth/openldap/certs
66+
```
67+
68+
To configure TLS you need the following lines in the .toml file under the `[[servers]]` section:
69+
70+
```ini
71+
tls_ciphers = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
72+
min_tls_version = "TLS1.2"
73+
ssl_skip_verify = true
74+
root_ca_cert = "devenv/docker/blocks/auth/openldap/certs/default-ca.pem"
75+
client_cert = "devenv/docker/blocks/auth/openldap/certs/ldap.crt"
76+
client_key = "devenv/docker/blocks/auth/openldap/certs/ldap.key"
77+
```
78+
79+
For simplicity, the same private key is shared between the server and the client. To generate your own private keys and certificates please follow this guide: https://enlook.wordpress.com/2015/09/30/howto-generate-certificate-for-openldap-and-using-it-for-certificate-authentication/.
80+
81+
- To connect over LDAPS include this config:
82+
83+
```ini
84+
port = 636
85+
use_ssl = true
86+
start_tls = false
87+
```
88+
- To connect with STARTTLS use this config:
89+
90+
```ini
91+
port = 389
92+
use_ssl = true
93+
start_tls = true
94+
```
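Review bot: `ssl_skip_verify = true` in the `[[servers]]` snippet disables validation of the server certificate, which makes the `root_ca_cert` line directly below it ineffective and leaves the Grafana-to-LDAP connection open to an impersonating server; since the guide has the reader copy `default-ca.pem` out of the container precisely so Grafana can verify it, set `ssl_skip_verify = false` here, or say explicitly that `true` is acceptable only for this throwaway dev environment. The sentence "the same private key is shared between the server and the client" deserves the same dev-only caveat, and `tls_ciphers = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]` only works when the server presents an ECDSA certificate, so a reader who follows the linked guide and generates an RSA key will get a handshake failure; either note the key type requirement or include an RSA suite. The external wordpress link is also likely to go stale; a short inline `openssl` command or a pointer to the image's own certificate generation would be more durable.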

devenv/docker/blocks/auth/openldap/docker-compose.yaml

Lines changed: 5 additions & 0 deletions
@@ -6,9 +6,14 @@
66
LDAP_DOMAIN: grafana.org
77
LDAP_ADMIN_PASSWORD: grafana
88
LDAP_SEED_INTERNAL_LDIF_PATH: /tmp/smt/
9+
LDAP_TLS_CRT_FILENAME: ldap.crt
10+
LDAP_TLS_KEY_FILENAME: ldap.key
11+
LDAP_TLS_CA_CRT_FILENAME: ca.crt
12+
LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
913
ports:
1014
- 389:389
1115
- 636:636
1216
restart: unless-stopped
1317
volumes:
1418
- ./docker/blocks/auth/openldap/prepopulate/:/tmp/smt/
19+
- ./docker/blocks/auth/openldap/certs/:/container/service/slapd/assets/certs/
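Review bot: the new `LDAP_TLS_CRT_FILENAME`, `LDAP_TLS_KEY_FILENAME` and `LDAP_TLS_CA_CRT_FILENAME` values expect `ldap.crt`, `ldap.key` and `ca.crt` inside the `certs/` directory mounted at `/container/service/slapd/assets/certs/`, but the README hunk only documents copying `default-ca.pem` out of the running container and points Grafana's `root_ca_cert` at that file; nothing on the page says where `ca.crt` comes from or that all three files must be in place before `docker compose up`. Document the expected contents of `certs/` (or, if the image generates defaults when the directory is empty, say so) so that the filenames in this compose file, the README and the Grafana `root_ca_cert`/`client_cert`/`client_key` paths agree.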

0 commit comments
