configpolicy/roles/grafana/templates/ldap.toml.j2

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "{{ grafana_ldap_host }}"
# Default port is 389 or 636 if use_ssl = true
port = {{ grafana_ldap_port|int }}
# Set to true if ldap server supports TLS
use_ssl = {{ grafana_ldap_ssl|bool|string|lower }}
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = {{ grafana_ldap_start_tls|bool|string|lower }}
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
{% if grafana_ldap_root_ca_cert|d %}
root_ca_cert = "{{ grafana_ldap_root_ca_cert }}"
{% else %}
# root_ca_cert = "/path/to/certificate.crt"
{% endif %}
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "{{ grafana_ldap_bind_dn }}"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = '{{ grafana_ldap_bind_password }}'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "{{ grafana_ldap_search_filter }}"

# An array of base dns to search through
search_base_dns = {{ grafana_ldap_search_base_dns|to_json }}

## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# group_search_filter_user_attribute = "uid"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "{{ grafana_ldap_attr_name }}"
surname = "{{ grafana_ldap_attr_surname }}"
username = "{{ grafana_ldap_attr_username }}"
member_of = "{{ grafana_ldap_attr_member_of }}"
email =  "{{ grafana_ldap_attr_email }}"

# Map ldap groups to grafana org roles
{% for mapping in grafana_ldap_group_mappings %}
[[servers.group_mappings]]
group_dn = "{{ mapping.group_dn }}"
org_role = "{{ mapping.org_role }}"
{% if mapping.grafana_admin|d %}
grafana_admin = true
{% endif %}
{% endfor %}