grafana/pkg/login/ldap_settings.go

package login

import (
	"fmt"
	"os"

	"github.com/BurntSushi/toml"
	"github.com/grafana/grafana/pkg/log"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
)

type LdapConfig struct {
	Servers []*LdapServerConf `toml:"servers"`
}

type LdapServerConf struct {
	Host          string           `toml:"host"`
	Port          int              `toml:"port"`
	UseSSL        bool             `toml:"use_ssl"`
	StartTLS      bool             `toml:"start_tls"`
	SkipVerifySSL bool             `toml:"ssl_skip_verify"`
	RootCACert    string           `toml:"root_ca_cert"`
	BindDN        string           `toml:"bind_dn"`
	BindPassword  string           `toml:"bind_password"`
	Attr          LdapAttributeMap `toml:"attributes"`

	SearchFilter  string   `toml:"search_filter"`
	SearchBaseDNs []string `toml:"search_base_dns"`

	GroupSearchFilter              string   `toml:"group_search_filter"`
	GroupSearchFilterUserAttribute string   `toml:"group_search_filter_user_attribute"`
	GroupSearchBaseDNs             []string `toml:"group_search_base_dns"`

	LdapGroups []*LdapGroupToOrgRole `toml:"group_mappings"`
}

type LdapAttributeMap struct {
	Username string `toml:"username"`
	Name     string `toml:"name"`
	Surname  string `toml:"surname"`
	Email    string `toml:"email"`
	MemberOf string `toml:"member_of"`
}

type LdapGroupToOrgRole struct {
	GroupDN string     `toml:"group_dn"`
	OrgId   int64      `toml:"org_id"`
	OrgRole m.RoleType `toml:"org_role"`
}

var LdapCfg LdapConfig
var ldapLogger log.Logger = log.New("ldap")

func loadLdapConfig() {
	if !setting.LdapEnabled {
		return
	}

	ldapLogger.Info("Ldap enabled, reading config file", "file", setting.LdapConfigFile)

	_, err := toml.DecodeFile(setting.LdapConfigFile, &LdapCfg)
	if err != nil {
		ldapLogger.Crit("Failed to load ldap config file", "error", err)
		os.Exit(1)
	}

	if len(LdapCfg.Servers) == 0 {
		ldapLogger.Crit("ldap enabled but no ldap servers defined in config file")
		os.Exit(1)
	}

	// set default org id
	for _, server := range LdapCfg.Servers {
		assertNotEmptyCfg(server.SearchFilter, "search_filter")
		assertNotEmptyCfg(server.SearchBaseDNs, "search_base_dns")

		for _, groupMap := range server.LdapGroups {
			if groupMap.OrgId == 0 {
				groupMap.OrgId = 1
			}
		}
	}
}

func assertNotEmptyCfg(val interface{}, propName string) {
	switch v := val.(type) {
	case string:
		if v == "" {
			ldapLogger.Crit("LDAP config file is missing option", "option", propName)
			os.Exit(1)
		}
	case []string:
		if len(v) == 0 {
			ldapLogger.Crit("LDAP config file is missing option", "option", propName)
			os.Exit(1)
		}
	default:
		fmt.Println("unknown")
	}
}
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00			`package login`

			`import (`
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450 2015-07-16 18:58:30 +08:00			`"fmt"`
feat(logging): progress on new logging #4590 2016-06-07 15:29:47 +08:00			`"os"`
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450 2015-07-16 18:58:30 +08:00
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00			`"github.com/BurntSushi/toml"`
			`"github.com/grafana/grafana/pkg/log"`
			`m "github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/setting"`
			`)`

			`type LdapConfig struct {`
feat(ldap): better ldap logging, closes #6918 2016-12-15 05:01:02 +08:00			Servers []*LdapServerConf `toml:"servers"`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00			`}`

			`type LdapServerConf struct {`
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450 2015-07-16 18:58:30 +08:00			Host string `toml:"host"`
			Port int `toml:"port"`
			UseSSL bool `toml:"use_ssl"`
support connect ldap server with starttls (#5969) * support connect ldap server with starttls * add more doc for start_tls option 2016-09-10 15:40:57 +08:00			StartTLS bool `toml:"start_tls"`
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450 2015-07-16 18:58:30 +08:00			SkipVerifySSL bool `toml:"ssl_skip_verify"`
Allow user specified CA certs Signed-off-by: Alex Bligh <alex@alex.org.uk> 2015-10-12 00:38:33 +08:00			RootCACert string `toml:"root_ca_cert"`
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450 2015-07-16 18:58:30 +08:00			BindDN string `toml:"bind_dn"`
			BindPassword string `toml:"bind_password"`
			Attr LdapAttributeMap `toml:"attributes"`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00
			SearchFilter string `toml:"search_filter"`
			SearchBaseDNs []string `toml:"search_base_dns"`

new config option for source of %s in group_search_filter, useful for nested LDAP groups 2016-03-23 20:21:25 +08:00			GroupSearchFilter string `toml:"group_search_filter"`
			GroupSearchFilterUserAttribute string `toml:"group_search_filter_user_attribute"`
			GroupSearchBaseDNs []string `toml:"group_search_base_dns"`
Add support for POSIX LDAP schema In the POSIX LDAP schema, there is no 'memberOf' attribute returned in relation to which groups a person is a member of. Rather, it is necessary to query the group objects which have the people as members. This commit adds an additional filter, which if specified explicitly searches for groups, rather than relying on the 'memberOf' attribute. This enables Grafana to work with LDAP POSIX schema (e.g. OpenLDAP etc.) Signed-off-by: Alex Bligh <alex@alex.org.uk> 2015-10-14 02:36:21 +08:00
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00			LdapGroups []*LdapGroupToOrgRole `toml:"group_mappings"`
			`}`

			`type LdapAttributeMap struct {`
			Username string `toml:"username"`
			Name string `toml:"name"`
			Surname string `toml:"surname"`
			Email string `toml:"email"`
			MemberOf string `toml:"member_of"`
			`}`

			`type LdapGroupToOrgRole struct {`
			GroupDN string `toml:"group_dn"`
			OrgId int64 `toml:"org_id"`
			OrgRole m.RoleType `toml:"org_role"`
			`}`

Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`var LdapCfg LdapConfig`
feat(logging): progress on new logging #4590 2016-06-07 15:29:47 +08:00			`var ldapLogger log.Logger = log.New("ldap")`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00
			`func loadLdapConfig() {`
			`if !setting.LdapEnabled {`
			`return`
			`}`

feat(logging): progress on new logging #4590 2016-06-07 15:29:47 +08:00			`ldapLogger.Info("Ldap enabled, reading config file", "file", setting.LdapConfigFile)`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`_, err := toml.DecodeFile(setting.LdapConfigFile, &LdapCfg)`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00			`if err != nil {`
feat(logging): progress on new logging #4590 2016-06-07 15:29:47 +08:00			`ldapLogger.Crit("Failed to load ldap config file", "error", err)`
			`os.Exit(1)`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00			`}`

Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`if len(LdapCfg.Servers) == 0 {`
feat(logging): progress on new logging #4590 2016-06-07 15:29:47 +08:00			`ldapLogger.Crit("ldap enabled but no ldap servers defined in config file")`
			`os.Exit(1)`
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450 2015-07-16 18:58:30 +08:00			`}`

feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00			`// set default org id`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`for _, server := range LdapCfg.Servers {`
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450 2015-07-16 18:58:30 +08:00			`assertNotEmptyCfg(server.SearchFilter, "search_filter")`
			`assertNotEmptyCfg(server.SearchBaseDNs, "search_base_dns")`

feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00			`for _, groupMap := range server.LdapGroups {`
			`if groupMap.OrgId == 0 {`
			`groupMap.OrgId = 1`
			`}`
			`}`
			`}`
			`}`
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450 2015-07-16 18:58:30 +08:00
			`func assertNotEmptyCfg(val interface{}, propName string) {`
			`switch v := val.(type) {`
			`case string:`
			`if v == "" {`
feat(logging): progress on new logging #4590 2016-06-07 15:29:47 +08:00			`ldapLogger.Crit("LDAP config file is missing option", "option", propName)`
			`os.Exit(1)`
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450 2015-07-16 18:58:30 +08:00			`}`
			`case []string:`
			`if len(v) == 0 {`
feat(logging): progress on new logging #4590 2016-06-07 15:29:47 +08:00			`ldapLogger.Crit("LDAP config file is missing option", "option", propName)`
			`os.Exit(1)`
feat(ldap): removed ssl_server_name and added some validation to ldap config, #1450 2015-07-16 18:58:30 +08:00			`}`
			`default:`
			`fmt.Println("unknown")`
			`}`
			`}`