Many to Many group_dn <-> org_role mapping in LDAP config

In our organisation a given user belongs to one or more team groups in LDAP. I want to have multiple teams with Admin/Editor/Viewer roles, but I am not sure how to accomplish this; I could not find any documentation other than the example config. Is this even possible?

I would expect config like

[[servers.group_mappings]]
group_dn = "CN=team-1,OU=bar,DC=foo,DC=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "CN=team-2,OU=bar,DC=foo,DC=com"
org_role = "Admin"

or

[[servers.group_mappings]]
group_dn = [
    "CN=team-1,OU=bar,DC=foo,DC=com",
    "CN=team-2,OU=bar,DC=foo,DC=com"
]
org_role = "Admin"

There is an org_id field that can be set per group mapping so your config should look similar to your first example:

[[servers.group_mappings]]
group_dn = "CN=team-1,OU=bar,DC=foo,DC=com"
org_role = "Admin"
org_id = 1

[[servers.group_mappings]]
group_dn = "CN=team-2,OU=bar,DC=foo,DC=com"
org_role = "Admin"
org_id = 2

There is some duplication here but that should work.


Thanks Daniel, that fixed the issue. It would be great to tweak the docs to make that obvious; I’ve submitted a pull request on GitHub at https://github.com/grafana/grafana/pull/8275.


Is it possible that this configuration means that if a user in team-1 creates a dashboard then it’s visible to a different user in team-1 but not team-2? That’s the behavior we seem to be observing…

Cheers

Jon

Yes, exactly. They are two different organizations and do not have access to each other’s dashboards.

Ok, is there any way I can have both? :slight_smile:

What’s the point in having two organizations if they should have access to each other’s dashboards? Is it just a way of grouping dashboards per team?

I am working on a feature we call Dashboard Folders but it will be a while (probably after the summer) before it is ready. (So that’s not much help to you right now).

You can give people access to both organizations and then they can switch between the orgs but you are asking if it is possible to see the other orgs’ dashboards without switching?

I don’t think I do want two organisations; what I want is to avoid creating new groups in Active Directory just to manage logins to Grafana.

i.e. team-1, team-2 groups get admin roles, team-3 gets editor role, team-4 and team-5 get viewer role.

Same request from me too.

i.e. team-1, team-2 groups get admin roles, team-3 gets editor role, team-4 and team-5 get viewer role.

Good solution. It works for me as well.
If we don’t want to have multiple orgs, don’t mention the org; then by default it will take org_id = 1 and both groups will have access with the same roles.
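As an added example (not code from this thread or from the Grafana project), here is a single-org ldap.toml that puts the mapping the later posts ask for into one file: team-1 and team-2 get Admin, team-3 gets Editor, team-4 and team-5 get Viewer, all in the default org. The [[servers]] connection fields, the attribute names and the host are assumptions chosen to look like an Active Directory setup; the group DNs are constructed placeholders in the same shape the thread uses.

```toml
# Added example, not from the thread or the Grafana project.
# Connection settings below are assumptions; adjust them for your directory.

[[servers]]
host = "ldap.example.com"
port = 636
use_ssl = true
bind_dn = "CN=grafana-bind,OU=service,DC=foo,DC=com"
# Placeholder: keep the real bind password out of version control.
bind_password = "<bind-password-placeholder>"
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["DC=foo,DC=com"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"

# Group mappings are evaluated top to bottom and the first group_dn a user
# belongs to decides the role, so list the most privileged role first.
# org_id is left out everywhere, so every mapping lands in the default org
# (id 1) and the teams see each other's dashboards.

[[servers.group_mappings]]
group_dn = "CN=team-1,OU=bar,DC=foo,DC=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "CN=team-2,OU=bar,DC=foo,DC=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "CN=team-3,OU=bar,DC=foo,DC=com"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "CN=team-4,OU=bar,DC=foo,DC=com"
org_role = "Viewer"

[[servers.group_mappings]]
group_dn = "CN=team-5,OU=bar,DC=foo,DC=com"
org_role = "Viewer"
```

Two things worth checking after applying something like this: a user who is in both team-1 and team-4 gets Admin, because the team-1 mapping is listed first (swap the order and they would get Viewer), and a user in none of the listed groups matches no mapping and is refused rather than being given a default role, which is the least-privilege outcome you want from a group-based login gate.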