Percona Monitoring and Management (PMM) has been on the road for a while now, and it brings exciting new features and improvements. For those who are not familiar with the tool, PMM gives deep insight into the performance of applications and databases. The most important highlight: it is 100% open source, and the source code is available on GitHub.
Back to the new features and improvements. One that customers had been requesting was support for LDAP. This feature finally arrived with PMM version 2, thanks to the new version of Grafana, and I intend to demonstrate in a few steps how to configure it.
The steps below are designed for the Docker-based PMM deployment. Note that on a version upgrade PMM replaces these files, so the LDAP settings need to be applied again.
So, let’s start with the steps.
1) Log into the PMM container:
sudo docker exec -it pmm-server /bin/bash
2) Now it is necessary to modify two files. First, the grafana.ini configuration file. It is located in this path:
Find the auth.ldap section and remove the semicolons to enable the parameters:
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
3) Next, change the LDAP-specific configuration file (ldap.toml). It is on this path: /etc/grafana/ldap.toml
In this file, it is necessary to modify the settings according to your current LDAP configuration.
# In this case, SSL is not being used (attention to the port)
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "172.17.0.4"
# Default port is 389 or 636 if use_ssl = true
port = 389
In the above configuration, LDAP uses the default port for non-SSL. Below, the user that will perform the first search to verify whether the user provided to Grafana exists or not (in this example, the
# Search user bind dn
bind_dn = "cn=admin,dc=percona,dc=com"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'sekret'
Subsequently, the base search:
# An array of base dns to search through
search_base_dns = ["dc=percona,dc=com"]
To avoid errors in PMM, I recommend commenting out the attributes that your LDAP does not provide:
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
#surname = "sn"
username = "cn"
member_of = "memberOf"
#email = "email"
And the last part: it is possible to use LDAP groups to define which users are admins and which are only viewers in Grafana:
# Map ldap groups to grafana org roles
[[servers.group_mappings]]
#group_dn = "cn=admins,dc=percona,dc=org"
#org_role = "Admin"
# To make user an instance admin (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1
[[servers.group_mappings]]
#group_dn = "cn=users,dc=grafana,dc=org"
#org_role = "Editor"
In this example, groups are disabled.
4) After the updates, Grafana needs to be restarted. Exit the container and restart it:
sudo docker stop pmm-server && sudo docker start pmm-server
If everything is OK, LDAP login should work at this point.
In case it is necessary to debug it, there is an extra step:
Optional) Edit the /etc/grafana/ldap.toml file and remove the # from the log section:
[log]
filters = ldap:debug
And restart the pmm container again.
Workaround to Avoid Changes Being Overwritten on PMM Upgrades
It is possible to use Docker's ability to set environment variables. Grafana allows two environment variables to enable LDAP authentication: GF_AUTH_LDAP_ENABLED and GF_AUTH_LDAP_CONFIG_FILE.
They need to be passed when the docker run command is executed:
docker run -d -p 80:80 -p 443:443 --volumes-from pmm-data --name pmm-server --restart always -e GF_AUTH_LDAP_CONFIG_FILE=/ldap.conf -e GF_AUTH_LDAP_ENABLED=true percona/pmm-server:2
Note that the LDAP file still has to be copied inside the Docker container, but once copied, it survives the upgrade.
Percona is continuously improving PMM, and there are discussions about making LDAP authentication configurable through the user interface in the future. It is an excellent addition, and one of the features most commonly requested by customers and the community. Finally, if you have any suggestions or feature requests, please don't hesitate to reach us!
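As an added example (not from the post and not Percona's or Grafana's own tooling), the following host-side script automates both procedures above: steps 1-4 (enable the auth.ldap section of grafana.ini, push the ldap.toml, restart) and the environment-variable workaround (start the container with GF_AUTH_LDAP_ENABLED and GF_AUTH_LDAP_CONFIG_FILE and copy the file in). It also audits the rendered ldap.toml for two settings a reviewer would flag: a bind over a non-SSL port, where the bind DN and password cross the network in cleartext, and the absence of any active group mapping, which means every LDAP account that authenticates lands in the default role. Assumptions: the container is named pmm-server, grafana.ini sits at Grafana's usual /etc/grafana/grafana.ini (the post does not preserve that path), search_filter uses Grafana's default (cn=%s), and the bind password comes from the LDAP_BIND_PASSWORD environment variable rather than the command line.

```shell
#!/bin/sh
# Added example, not from the post: apply the PMM LDAP settings from the host.
# Assumptions are marked inline; the container name and paths are overridable.
set -eu

CONTAINER="${PMM_CONTAINER:-pmm-server}"                 # from the post
GRAFANA_INI="${GRAFANA_INI:-/etc/grafana/grafana.ini}"   # assumption: standard Grafana path

# Step 2: activate the three auth.ldap keys of a grafana.ini (file in, text out).
# Only lines inside [auth.ldap] are touched; a leading ';' is dropped.
enable_ldap_in_ini() {
    awk '
        /^\[/ { in_ldap = ($0 == "[auth.ldap]") }
        in_ldap && /^;?enabled *=/       { $0 = "enabled = true" }
        in_ldap && /^;?config_file *=/   { $0 = "config_file = /etc/grafana/ldap.toml" }
        in_ldap && /^;?allow_sign_up *=/ { $0 = "allow_sign_up = true" }
        { print }
    ' "$1"
}

# Step 3: render ldap.toml from host, port, bind DN, search base and use_ssl.
# Group mappings stay commented, as in the post. The bind password is a TOML
# literal string (single quotes), so it cannot itself contain a single quote.
render_ldap_toml() {
    host="$1"; port="$2"; bind_dn="$3"; base_dn="$4"; use_ssl="${5:-false}"
    pw="${LDAP_BIND_PASSWORD:?set LDAP_BIND_PASSWORD in the environment}"
    cat <<EOF
[[servers]]
host = "$host"
port = $port
use_ssl = $use_ssl
bind_dn = "$bind_dn"
bind_password = '$pw'
search_filter = "(cn=%s)"   # assumption: Grafana's default, not shown in the post
search_base_dns = ["$base_dn"]

[servers.attributes]
name = "givenName"
username = "cn"
member_of = "memberOf"

[[servers.group_mappings]]
#group_dn = "cn=admins,dc=percona,dc=com"
#org_role = "Admin"
EOF
}

# Review the rendered file: only uncommented lines are in effect.
audit_ldap_toml() {
    f="$1"
    if ! grep -Eq '^[[:space:]]*use_ssl[[:space:]]*=[[:space:]]*true' "$f"; then
        echo "WARN: use_ssl is not true; the bind DN and password cross the network in cleartext"
    fi
    if ! grep -Eq '^[[:space:]]*group_dn[[:space:]]*=' "$f"; then
        echo "WARN: no active group_dn mapping; every LDAP account that binds gets the default org role"
    fi
    if grep -Eq '^[[:space:]]*grafana_admin[[:space:]]*=[[:space:]]*true' "$f"; then
        echo "INFO: a group mapping grants server-wide Grafana Admin rights"
    fi
}

# Steps 1-4 driven from the host (these edits are lost on a PMM upgrade).
apply_in_container() {
    toml="$1"; tmp=$(mktemp)
    docker exec "$CONTAINER" cat "$GRAFANA_INI" > "$tmp"
    enable_ldap_in_ini "$tmp" > "$tmp.new"
    docker cp "$tmp.new" "$CONTAINER:$GRAFANA_INI"
    docker cp "$toml" "$CONTAINER:/etc/grafana/ldap.toml"
    rm -f "$tmp" "$tmp.new"
    docker stop "$CONTAINER" && docker start "$CONTAINER"
}

# The upgrade workaround: the GF_AUTH_LDAP_* variables replace the grafana.ini
# edit, and the file is copied to the path GF_AUTH_LDAP_CONFIG_FILE names.
run_with_env() {
    toml="$1"
    docker run -d -p 80:80 -p 443:443 --volumes-from pmm-data --name "$CONTAINER" --restart always \
        -e GF_AUTH_LDAP_ENABLED=true -e GF_AUTH_LDAP_CONFIG_FILE=/ldap.conf percona/pmm-server:2
    docker cp "$toml" "$CONTAINER:/ldap.conf"
    docker restart "$CONTAINER"
}

# Usage: LDAP_BIND_PASSWORD=... sh pmm-ldap.sh apply|run HOST PORT BIND_DN BASE_DN [use_ssl]
if [ "${1:-}" = "apply" ] || [ "${1:-}" = "run" ]; then
    cfg=$(mktemp)
    render_ldap_toml "$2" "$3" "$4" "$5" "${6:-false}" > "$cfg"
    audit_ldap_toml "$cfg"
    if [ "$1" = "apply" ]; then apply_in_container "$cfg"; else run_with_env "$cfg"; fi
    rm -f "$cfg"
fi
```

Running the audit before pushing the file is the point of the script: with the post's values (port 389, use_ssl absent, all group_dn lines commented) it prints two warnings, and passing 636 with use_ssl set to true clears the cleartext one. Both warnings match what a reviewer would expect from the configuration shown in the post, and the env-variable path is the one that survives an upgrade.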