How to assign Access Role's to specific LDAP groups

Naresh9999 · May 12, 2023, 10:59am

Hi All.

We would like to assign a few Access Roles to only particular LDAP groups. How can we achieve it?
Can someone please help me?

steve.hoffman · May 12, 2023, 3:15pm

Are you using LDAP auth to begin with? I’m going to assume you’ve at least got LDAP/AD authentication working and you’re only now trying to get group membership–>role mapping working.

I use AD so my settings will be different than what LDAP would be but close enough to demonstrate:

#Search parameters
group_search_filter = "(member:1.2.840.113556.1.4.1941:=CN=%s,CN=Users,DC=*domain*,DC=net)"
group_search_filter_user_attribute = "cn"
group_search_base_dns = ["ou=groups,dc=*domain*,dc=net"]

What you see above allows for nested groups. You’ll see below I have a group called “PMM_Admin” that I can add individuals to in AD but a larger org likely also has “Domain Admins” or “DBA Team” so using nested groups I can just add the Domain Admins group to PMM_Admin group and then anyone in PMM_Admin becomes and admin.

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=PMM_Admin,ou=groups,dc=*domain*,dc=net"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "cn=PMM_Editor,ou=groups,dc=*domain*,dc=net"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "cn=PMM_Viewer,ou=groups,dc=*domain*,dc=net"
# uncomment the line below if you prefer any authenticated user be given view permission
#group_dn = "*"
org_role = "Viewer"

Hope this helps!

Naresh9999 · May 12, 2023, 3:52pm

Hi @steve.hoffman

Thanks for the details, I have tried exactly with the above settings. But we want to change the custom access role like below.

[[servers.group_mappings]]

If you want to match all (or no ldap groups) then you can use wildcard

group_dn = “cn=PMM_Viewer,ou=groups,dc=domain,dc=net”

uncomment the line below if you prefer any authenticated user be given view permission

#group_dn = “*”
org_role = “QAN-DS”

If I replace Viewer role with QAN-DS role then it is not working.

steve.hoffman · May 12, 2023, 3:59pm

Ahhh, I’m not sure if that’s possible. @Roma_Novikov may know better if and where that is on the overall roadmap. What you highlighted is the first iteration of Role Based Access Controls (RBAC) so may be missing some features.

Naresh9999 · May 12, 2023, 4:08pm

Okay fine @steve.hoffman

I will raise a new request for the same.
Thanks for the details.

Topic		Replies	Views
Manage user using "active directory" PMM 2.x	1	663	December 19, 2023
Support for LDAP (Active Directory) Security Groups Percona Server for MongoDB	6	2144	May 14, 2020
Integerate PMM with LDAP/AD Database Monitoring and Management	2	1615	May 19, 2021
Adding new users PMM 1.x	4	2086	March 21, 2018
PMM LDAP not consistent PMM 2.x pmm	3	39	July 16, 2024

How to assign Access Role's to specific LDAP groups

If you want to match all (or no ldap groups) then you can use wildcard

uncomment the line below if you prefer any authenticated user be given view permission

Related topics