Disable group parameters if authorization is disabled
Parameters "Group search base DN" and "Group search filter" are not needed if authorization is disabled. Change-Id: I7399987c695305bae7f6029de110d591ab053963
parent
a8006c09fe
commit
e1d7c35078
@ -41,8 +41,8 @@ if $ldap_enabled {
|
|||||||
user_search_base_dns => hiera('lma::grafana::ldap::user_search_base_dns'),
|
user_search_base_dns => hiera('lma::grafana::ldap::user_search_base_dns'),
|
||||||
user_search_filter => hiera('lma::grafana::ldap::user_search_filter'),
|
user_search_filter => hiera('lma::grafana::ldap::user_search_filter'),
|
||||||
authorization_enabled => hiera('lma::grafana::ldap::authorization_enabled'),
|
authorization_enabled => hiera('lma::grafana::ldap::authorization_enabled'),
|
||||||
group_search_base_dns => hiera('lma::grafana::ldap::group_search_base_dns'),
|
group_search_base_dns => hiera('lma::grafana::ldap::group_search_base_dns', ''),
|
||||||
group_search_filter => hiera('lma::grafana::ldap::group_search_filter'),
|
group_search_filter => hiera('lma::grafana::ldap::group_search_filter', ''),
|
||||||
admin_group_dn => hiera('lma::grafana::ldap::admin_group_dn', ''),
|
admin_group_dn => hiera('lma::grafana::ldap::admin_group_dn', ''),
|
||||||
viewer_group_dn => hiera('lma::grafana::ldap::viewer_group_dn', ''),
|
viewer_group_dn => hiera('lma::grafana::ldap::viewer_group_dn', ''),
|
||||||
}
|
}
|
||||||
|
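Review bot: With the new `''` defaults on `group_search_base_dns` and `group_search_filter`, a node that has `authorization_enabled` set to true but lacks those two hiera keys no longer fails the lookup and compiles with empty values. Group-to-role mapping would then presumably not work as the operator intended, and nothing reports it. I would keep the defaults but add a guard ahead of the class declaration that aborts the catalog when authorization is enabled and either value is empty, for example `fail('LDAP group search base DN and filter are required when authorization is enabled')`. The enclosing `if $ldap_enabled {` block starts outside this hunk, so the exact placement has to be checked against the full manifest.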
@ -14,11 +14,12 @@ bind_password = "<%= @ldap_bind_password %>"
|
|||||||
search_base_dns = [<%= @ldap_user_search_base_dns.split(' ').collect{|x| "\"#{x}\"" }.join(',') %>]
|
search_base_dns = [<%= @ldap_user_search_base_dns.split(' ').collect{|x| "\"#{x}\"" }.join(',') %>]
|
||||||
search_filter = "<%= @ldap_user_search_filter %>"
|
search_filter = "<%= @ldap_user_search_filter %>"
|
||||||
|
|
||||||
|
<% if @ldap_authorization_enabled -%>
|
||||||
# In POSIX LDAP schemas, without memberOf attribute a secondary query must be
|
# In POSIX LDAP schemas, without memberOf attribute a secondary query must be
|
||||||
# made for groups. This is done by enabling group_search_filter below. We must
|
# made for groups. This is done by enabling group_search_filter below.
|
||||||
# also set member_of="cn".
|
|
||||||
group_search_base_dns = [<%= @ldap_group_search_base_dns.split(' ').collect{|x| "\"#{x}\"" }.join(',') %>]
|
group_search_base_dns = [<%= @ldap_group_search_base_dns.split(' ').collect{|x| "\"#{x}\"" }.join(',') %>]
|
||||||
group_search_filter = "<%= @ldap_group_search_filter %>"
|
group_search_filter = "<%= @ldap_group_search_filter %>"
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
[servers.attributes]
|
[servers.attributes]
|
||||||
name = "givenName"
|
name = "givenName"
|
||||||
|
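Review bot: The added `<% if @ldap_authorization_enabled -%>` guard relies on Ruby truthiness, and in Ruby every string is truthy, including `"false"`. The manifest passes the hiera value through unchanged and this page does not show which type the lookup returns, so if it ever arrives as a string the group search settings are rendered even with authorization switched off. Normalising or validating the value in the manifest (for instance with stdlib's `validate_bool`, if stdlib is available to this module) would ensure the template only ever sees a real boolean. A one-line comment above the guard, such as `<%# expects a real boolean; the string "false" would be truthy here -%>`, would also help the next editor.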
@ -238,35 +238,39 @@ attributes:
|
|||||||
- condition: "settings:influxdb_grafana.ldap_enabled.value == false"
|
- condition: "settings:influxdb_grafana.ldap_enabled.value == false"
|
||||||
action: hide
|
action: hide
|
||||||
|
|
||||||
ldap_group_search_base_dns:
|
ldap_authorization_enabled:
|
||||||
value: ''
|
value: false
|
||||||
label: 'Group search base DN'
|
label: 'Enable group-based authorization'
|
||||||
description: 'The base DN to search for groups.'
|
description: 'It allows to associate the users with the admin or viewer role. Otherwise all users are assigned to admin role.'
|
||||||
weight: 250
|
weight: 250
|
||||||
type: "text"
|
type: "checkbox"
|
||||||
restrictions:
|
restrictions:
|
||||||
- condition: "settings:influxdb_grafana.ldap_enabled.value == false"
|
- condition: "settings:influxdb_grafana.ldap_enabled.value == false"
|
||||||
action: hide
|
action: hide
|
||||||
|
|
||||||
ldap_group_search_filter:
|
ldap_group_search_base_dns:
|
||||||
value: '(&(objectClass=posixGroup)(memberUid=%s))'
|
value: ''
|
||||||
label: 'Group search filter'
|
label: 'Group search base DN'
|
||||||
description: 'A valid LDAP search filter.'
|
description: 'The base DN to search for groups.'
|
||||||
weight: 260
|
weight: 260
|
||||||
type: "text"
|
type: "text"
|
||||||
restrictions:
|
restrictions:
|
||||||
- condition: "settings:influxdb_grafana.ldap_enabled.value == false"
|
- condition: "settings:influxdb_grafana.ldap_enabled.value == false"
|
||||||
action: hide
|
action: hide
|
||||||
|
- condition: "settings:influxdb_grafana.ldap_authorization_enabled.value == false"
|
||||||
|
action: disable
|
||||||
|
|
||||||
ldap_authorization_enabled:
|
ldap_group_search_filter:
|
||||||
value: false
|
value: '(&(objectClass=posixGroup)(memberUid=%s))'
|
||||||
label: 'Enable group-based authorization'
|
label: 'Group search filter'
|
||||||
description: 'It allows to associate the users with the admin or read-only role. Otherwise all users are assigned to admin role.'
|
description: 'A valid LDAP search filter.'
|
||||||
weight: 270
|
weight: 270
|
||||||
type: "checkbox"
|
type: "text"
|
||||||
restrictions:
|
restrictions:
|
||||||
- condition: "settings:influxdb_grafana.ldap_enabled.value == false"
|
- condition: "settings:influxdb_grafana.ldap_enabled.value == false"
|
||||||
action: hide
|
action: hide
|
||||||
|
- condition: "settings:influxdb_grafana.ldap_authorization_enabled.value == false"
|
||||||
|
action: disable
|
||||||
|
|
||||||
ldap_admin_group_dn:
|
ldap_admin_group_dn:
|
||||||
value: ''
|
value: ''
|
||||||
|
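Review bot: `ldap_authorization_enabled` defaults to `value: false`, and its own description says that all users are then assigned to the admin role, so enabling LDAP with the defaults gives every directory user who can log in admin rights in Grafana. Now that the checkbox leads the group settings, its description should make that consequence hard to miss, for example `description: 'Map LDAP groups to the admin or viewer role. If unchecked, every LDAP user who can log in gets the admin role.'`. Falling back to the viewer role for unmapped users would be the least-privilege default, but that depends on template code not shown in this commit. The `ldap_admin_group_dn` entry continues past the end of the hunk, so it is not visible whether it carries the same `disable` restriction as the two search fields.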