
Observability with Grafana and Prometheus (SSO configuration with Active Directory)

How to Set Up Grafana Single Sign-On (SSO) with Active Directory (AD)

Grafana is a widely used tool for monitoring and visualizing data. Integrating it with Active Directory (AD) lets users sign in with the domain credentials they already have and keeps account lifecycle and role assignment in one place, which is what "SSO" means throughout this tutorial: Grafana's LDAP authentication pointed at AD, with Grafana roles derived from AD groups. This tutorial walks through that configuration step by step.


Prerequisites

  1. Active Directory Domain: Ensure you have an AD domain set up.

    • Domain: bazboutey.local

    • AD Server IP: 192.168.170.212

    • Users:

      • grafana (the service account Grafana binds to AD with)

      • user1 (to demonstrate SSO)




  2. Grafana Installed: Install Grafana on your server.

    • Grafana Server IP: 192.168.179.185

  3. Administrator Privileges: Access to modify AD settings and Grafana configurations.


Step 1: Configure AD for LDAP Integration

  1. Create a Service Account in AD:

    • Open Active Directory Users and Computers.

    • Create a user (e.g., grafana).

    • Assign this user a strong password (this tutorial uses Grafana123$ as a placeholder; use a long random value in practice) and set the password not to expire. Treat it as a read-only service account: it only needs to bind and read user and group attributes, so do not add it to any privileged group, and consider denying it interactive logon.

  2. Gather Required AD Details:

    • AD domain name: bazboutey.local

    • Base DN for users and groups: dc=bazboutey,dc=local

    • LDAP server URL: ldap://192.168.170.212


Step 2: Test the AD Connection

Before configuring Grafana, test the connection between Grafana and the AD server.

  1. Run the following command on the server where Grafana is installed:

    ldapsearch -x -H ldap://192.168.170.212 -b "DC=bazboutey,DC=local" \
    -D "CN=grafana,CN=Users,DC=bazboutey,DC=local" -w "Grafana123$" \
    "(sAMAccountName=Administrator)"
  2. Explanation of the Command:

    • -x: Use a simple (DN and password) bind rather than SASL.

    • -H: Specifies the LDAP server URL.

    • -b: Specifies the base DN to search under.

    • -D: The bind DN of the service account.

    • -w: The password for the service account. Prefer -W, which prompts for the password, so it does not end up in your shell history.

    • The search filter (sAMAccountName=Administrator) looks up the Administrator account; any account the service account is allowed to read will do.

    • Because Grafana will be configured with start_tls = true below, add -ZZ so that ldapsearch negotiates StartTLS before binding. A simple bind on plain port 389 sends the password in cleartext, and a domain controller that enforces LDAP signing rejects it.

  3. Expected Output: On success you will see the Administrator entry followed by a line reading result: 0 Success. ldap_bind: Invalid credentials (49) means the bind DN or password is wrong; a connection error means the host, port or firewall path is wrong. Fix the settings and repeat the test before touching Grafana.


Step 3: Update Grafana Configuration

  1. Locate the Configuration File:

    • The configuration file is usually located at /etc/grafana/grafana.ini.

  2. Enable LDAP Authentication:

    • Open the configuration file.

    • In the [auth.ldap] section set enabled = true and point config_file at the LDAP settings file:

      [auth.ldap]
      enabled = true
      config_file = /etc/grafana/ldap.toml
      # allow_sign_up = true creates a Grafana account for any AD user who
      # authenticates; set it to false if only pre-provisioned users may log in
      allow_sign_up = true
  3. Configure the LDAP Settings:

    • Create or edit the LDAP configuration file (e.g., /etc/grafana/ldap.toml). It holds the bind password in cleartext, so make it readable by the grafana service user only (for a package install: chown root:grafana /etc/grafana/ldap.toml && chmod 640 /etc/grafana/ldap.toml).

    • Add your AD settings:

      [[servers]]
      # Active Directory server details
      host = "192.168.170.212"
      port = 389
      use_ssl = false
      # Upgrade the plain port-389 connection to TLS before binding
      start_tls = true
      # Lab setting: the DC certificate is not checked, so the TLS session can be
      # intercepted. In production set this to false and point root_ca_cert at
      # the PEM file of the CA that issued the DC certificate (host must then be
      # the name on that certificate, not a bare IP).
      ssl_skip_verify = true

      # Bind DN for authentication (read-only service account)
      bind_dn = "CN=grafana,CN=Users,DC=bazboutey,DC=local"
      bind_password = "Grafana123$"

      # User search filter and base DNs; %s is replaced with the login name
      search_filter = "(sAMAccountName=%s)"
      search_base_dns = ["DC=bazboutey,DC=local"]

      # Map AD attributes onto Grafana's user fields
      [servers.attributes]
      name = "givenName"
      surname = "sn"
      username = "sAMAccountName"
      member_of = "memberOf"
      email = "mail"

Step 4: Test the Configuration

  1. Restart Grafana:

    • Restart Grafana to apply the changes:

      sudo systemctl restart grafana-server
  2. Log in to Grafana:

    • Open the Grafana login page and enter the AD credentials of a domain user (e.g., user1).

    • With no group mappings configured yet, every AD user who authenticates is created with the default role set by auto_assign_org_role in grafana.ini (Viewer unless you changed it). Confirm that the new user appears in Grafana's user list with that role before you move on to group-based roles.
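Before restarting grafana-server it is worth checking ldap.toml for the settings that are acceptable in a lab but weak in production. The script below is an added example, not part of the original post and not a Grafana tool: it reads a one-server ldap.toml and flags four things (no TLS at all, ssl_skip_verify = true, a bind_password in a world-readable file, and a wildcard group_dn = "*" mapped to Admin). Both sample files are constructed here; the first reproduces this tutorial's settings plus a careless wildcard mapping, the second is a hardened variant whose hostname ad.bazboutey.local and CA path /etc/grafana/ad-root-ca.pem are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Grafana): audit a one-server
# Grafana ldap.toml for settings that are fine in a lab but weak in production.
# The two sample files are constructed below; hostname and CA path are assumptions.

# Value of a top-level "key = value" line, without surrounding quotes or comments.
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/'
}

# Octal permission bits of a file (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Number of [[servers.group_mappings]] blocks that give Admin to group_dn = "*".
wildcard_admin_mappings() {
    awk '
        /^\[\[servers\.group_mappings\]\]/ { if (dn == "*" && role == "Admin") n++; dn = ""; role = "" }
        /^[[:space:]]*group_dn[[:space:]]*=/ { gsub(/^[^"]*"|".*$/, ""); dn = $0 }
        /^[[:space:]]*org_role[[:space:]]*=/ { gsub(/^[^"]*"|".*$/, ""); role = $0 }
        END { if (dn == "*" && role == "Admin") n++; print n + 0 }' "$1"
}

# Print one "WEAK: ..." line per finding. Always exits 0 so it can be piped.
audit_ldap_toml() {
    f=$1
    if [ "$(toml_value "$f" use_ssl)" != "true" ] && [ "$(toml_value "$f" start_tls)" != "true" ]; then
        echo "WEAK: neither use_ssl nor start_tls is true; the simple bind sends the password in cleartext"
    fi
    if [ "$(toml_value "$f" ssl_skip_verify)" = "true" ]; then
        echo "WEAK: ssl_skip_verify = true accepts any certificate, so the TLS session can be intercepted"
    fi
    if grep -q '^[[:space:]]*bind_password[[:space:]]*=' "$f"; then
        case "$(file_mode "$f")" in
            *[4567]) echo "WEAK: bind_password sits in a world-readable file (mode $(file_mode "$f"))" ;;
        esac
    fi
    if [ "$(wildcard_admin_mappings "$f")" -gt 0 ]; then
        echo 'WEAK: group_dn = "*" with org_role = "Admin" makes every AD user a Grafana admin'
    fi
    return 0
}

# Number of findings as a plain integer.
weak_setting_count() {
    audit_ldap_toml "$1" | grep -c '^WEAK:' || true
}

WEAK_TOML=$(mktemp)
HARDENED_TOML=$(mktemp)
trap 'rm -f "$WEAK_TOML" "$HARDENED_TOML"' EXIT

# Constructed sample 1: this tutorial's settings plus a careless wildcard mapping.
cat > "$WEAK_TOML" <<'EOF'
[[servers]]
host = "192.168.170.212"
port = 389
use_ssl = false
start_tls = true
ssl_skip_verify = true
bind_dn = "CN=grafana,CN=Users,DC=bazboutey,DC=local"
bind_password = "Grafana123$"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Admin"
EOF
chmod 644 "$WEAK_TOML"

# Constructed sample 2: certificate verified, file readable by the grafana
# group only, wildcard limited to Viewer (hostname and CA path are assumed).
cat > "$HARDENED_TOML" <<'EOF'
[[servers]]
host = "ad.bazboutey.local"
port = 389
use_ssl = false
start_tls = true
ssl_skip_verify = false
root_ca_cert = "/etc/grafana/ad-root-ca.pem"
bind_dn = "CN=grafana,CN=Users,DC=bazboutey,DC=local"
bind_password = "Grafana123$"

[[servers.group_mappings]]
group_dn = "CN=grafana-admin,CN=Users,DC=bazboutey,DC=local"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
EOF
chmod 640 "$HARDENED_TOML"

echo "== weak =="; audit_ldap_toml "$WEAK_TOML"
echo "== hardened =="; audit_ldap_toml "$HARDENED_TOML"
```

Run it against your real file with audit_ldap_toml /etc/grafana/ldap.toml; the hardened sample shows the shape to aim for: TLS with a verified certificate, a file mode that keeps the bind password away from other local users, and a wildcard mapping that grants nothing above Viewer.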




To control access levels in Grafana, use [[servers.group_mappings]] tables in ldap.toml to map AD groups onto Grafana organization roles.

In this tutorial we will create two groups in Active Directory:

  1. grafana-admin: For administrative access in Grafana.
    • Add user2 to this group.
  2. grafana-viewer: For read-only access in Grafana.
    • Add user1 to this group.

 Update Grafana Configuration

Edit the ldap.toml file to reflect the new group-based access levels:
[[servers]]
# Active Directory server details
host = "192.168.170.212"
port = 389
use_ssl = false
start_tls = true
ssl_skip_verify = true

# Bind DN for authentication
bind_dn = "CN=grafana,CN=Users,DC=bazboutey,DC=local"
bind_password = "Grafana123$"

# User search filter and base DNs
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["DC=bazboutey,DC=local"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "mail"

# Mappings are evaluated in file order and the first group_dn found in the
# user's memberOf wins, so list the most privileged groups first. memberOf
# holds direct memberships only; nested groups are not expanded. A user who
# matches no mapping is refused login (Grafana reports invalid credentials)
# unless a final mapping with group_dn = "*" assigns a default role.
[[servers.group_mappings]]
group_dn = "CN=grafana-admin,CN=Users,DC=bazboutey,DC=local"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "CN=grafana-viewer,CN=Users,DC=bazboutey,DC=local"
org_role = "Viewer"


Log in to Grafana

Login with user1 (screenshot)

Login with user2 (screenshot)

As you can see, user2 has Admin access to Grafana, while user1 is logged in as a Viewer.
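To see why user2 lands as Admin and user1 as Viewer before restarting grafana-server, the script below replays Grafana's group_mappings rules (file order, first matching group_dn wins, matching is case-insensitive, "*" matches everyone, no match means the login is refused) against memberOf values of the kind ldapsearch returns. It is an added example, not part of the original post and not Grafana's own code. The LDIF is constructed; user3 (in no mapped group) and user4 (whose access would only come through the nested group ops-team, an assumed name) are added to show the two cases in which a user is refused.

```shell
#!/bin/sh
# Added example (not from the original post or from Grafana): resolve the Grafana
# org_role for a user from constructed ldapsearch output and the group mappings
# of this tutorial. user3, user4 and the group ops-team are assumptions.

# Mappings in ldap.toml order, "group_dn|org_role" per line.
MAPPINGS='CN=grafana-admin,CN=Users,DC=bazboutey,DC=local|Admin
CN=grafana-viewer,CN=Users,DC=bazboutey,DC=local|Viewer'

# Constructed LDIF as ldapsearch would print it. user4 is only in ops-team; AD
# does not list grafana-admin in user4's memberOf even if ops-team is nested in it.
LDIF='dn: CN=user1,CN=Users,DC=bazboutey,DC=local
sAMAccountName: user1
memberOf: CN=grafana-viewer,CN=Users,DC=bazboutey,DC=local

dn: CN=user2,CN=Users,DC=bazboutey,DC=local
sAMAccountName: user2
memberOf: CN=grafana-admin,CN=Users,DC=bazboutey,DC=local
memberOf: CN=grafana-viewer,CN=Users,DC=bazboutey,DC=local

dn: CN=user3,CN=Users,DC=bazboutey,DC=local
sAMAccountName: user3
memberOf: CN=Domain Users,CN=Users,DC=bazboutey,DC=local

dn: CN=user4,CN=Users,DC=bazboutey,DC=local
sAMAccountName: user4
memberOf: CN=ops-team,OU=Teams,DC=bazboutey,DC=local
'

# Print the memberOf values of one sAMAccountName, one DN per line.
member_of() {
    printf '%s\n' "$LDIF" | awk -v u="$1" '
        /^sAMAccountName: / { name = $2 }
        /^memberOf: /       { sub(/^memberOf: /, ""); groups = groups $0 "\n" }
        /^$/                { if (name == u) printf "%s", groups; name = ""; groups = "" }
        END                 { if (name == u) printf "%s", groups }'
}

# Walk the mappings in file order; the first group_dn present in memberOf
# (compared case-insensitively) or a "*" wildcard decides the role. With no
# match Grafana refuses the login, shown here as DENIED.
resolve_role() {
    groups=$(member_of "$1")
    result=DENIED
    while IFS='|' read -r dn role; do
        if [ "$dn" = "*" ] || printf '%s\n' "$groups" | grep -qix -- "$dn"; then
            result=$role
            break
        fi
    done <<EOF
$MAPPINGS
EOF
    echo "$result"
}

for u in user1 user2 user3 user4; do
    printf '%-6s -> %s\n' "$u" "$(resolve_role "$u")"
done
```

Swap the constructed LDIF for real output (ldapsearch ... "(sAMAccountName=user2)" memberOf) and the MAPPINGS for your own group_mappings to predict roles before a restart. user2 gets Admin because the grafana-admin mapping is listed before grafana-viewer; reversing the two mappings would make the same user a Viewer, and user4 shows why nested groups need either a flattened group or a group_search_filter on the server side.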

Troubleshooting Tips

  • Authentication Fails:

    • Check /var/log/grafana/grafana.log for the exact LDAP error; for bind and group-matching details add filters = ldap:debug under [log] in grafana.ini and restart Grafana.

    • Verify the LDAP settings in ldap.toml, and repeat the ldapsearch test from Step 2 with the same bind DN and password Grafana uses.

  • Role Mapping Issues:

    • Ensure the AD group DNs are correct; compare them character by character with the memberOf values ldapsearch returns.

    • Check each user's group membership with ldapsearch (filter (sAMAccountName=user1), attribute memberOf). memberOf lists direct memberships only, so a user whose access comes through a nested group matches no mapping and is refused login with an invalid-credentials message even though the password is right; grafana.log will say the user does not belong to any of the specified LDAP groups.

  • SSL Errors:

    • Ensure the domain controller has a server certificate and accepts StartTLS on port 389 (or LDAPS on port 636 with use_ssl = true).

    • Fix trust properly: set ssl_skip_verify = false and give Grafana the issuing CA via root_ca_cert instead of leaving verification disabled.


By following these steps, you have a Grafana instance that authenticates users against AD and derives their roles from AD groups. Centralizing authentication this way simplifies user management; it also improves security as long as the bind account stays least-privileged, the bind password is protected on disk, and certificate verification is enabled rather than skipped.
