#Hey guys, I hope that's the right place
thanks for the feedback @mystic lynx much appreciated! I think we can make improvements here
I'd personally vote for an integration into Okta rather than ldap.toml. SSO is the way to go if we can get it.
You should be able to configure Okta using labels in the docker-compose.override.yaml according to these links: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/okta/
https://grafana.com/docs/grafana/latest/setup-grafana/configure-docker/
You have a very good point regarding Prometheus path, it's been under my radar for some time.
The Web UI is designed to only perform REST requests, as a true API first approach.
At the minimum, I should be able to do proper error handling if prometheus isn't working and display a placeholder instead of failing the WebUI entirely.
AD should work out of the box, you're saying it's not setting the file correctly?
No this is excellent feedback, anything that makes NAbox better
AD did work, just not really well. I'm not that deep in the AD topic, but the config generated by the web interface doesn't use the memberOf attribute that's in the AD but iterates over the groups searching for the user. Furthermore, the fields used for username and mail were at least not compatible with our AD out of the box and had to be changed every time after I saved the config over the web interface.
Interesting. I'll think about it. What fields were you using?
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"
Seems pretty standard to me
That's the logic that's implemented currently:
    # If we're dealing with Active Directory
    if c['search_filter'] == r'(sAMAccountName=%s)':
        c['group_search_filter'] = '(member:1.2.840.113556.1.4.1941:=%s)'
        c['group_search_filter_user_attribute'] = 'distinguishedName'
        member_of = 'distinguishedName'
    else:
        member_of = 'memberOf'
Ah, so that's what I forgot to mention: we used a single bind on the LDAP Global Catalog using "DOMAIN\%s", so the search filter had to be sAMAccountName as far as I understood.
Ok, so did you use "DOMAIN\%s" in the bind_dn field and no password to enable single bind?
What I can try, in case the password is empty, that means single bind, and change member_of to be "memberOf". Not sure that wouldn't break things for existing users though.
Exactly
That sounds logical and would be nice if it's a non-breaking change, otherwise it's probably better as is, because ours seems to be a very specific use case and the issue is more of an inconvenience than something problematic.
I'm looking at the doc and I don't see why I set member_of that way. Every example I see sets it to "memberof". I'll do some tests on my AD and probably change that.
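To make the decision discussed in the thread concrete, here is an added example (my own code, not NAbox's generator) of how the ldap.toml group settings could be chosen. It keeps the current logic for an AD service-account bind (nested-group search via the 1.2.840.113556.1.4.1941 matching rule, with member_of pointing at distinguishedName) and adds the proposed branch: when bind_dn is a "DOMAIN\%s" template and bind_password is empty, treat it as single bind and read memberOf from the user entry instead. The config dict keys (bind_dn, bind_password, search_filter, search_base_dns, group_search_base_dns) and the function names are assumptions for this example; the ldap.toml keys themselves are Grafana's documented ones.

```python
"""Hypothetical helper (not NAbox's code): pick Grafana ldap.toml group settings."""
from typing import Dict

AD_SEARCH_FILTER = r"(sAMAccountName=%s)"
# LDAP_MATCHING_RULE_IN_CHAIN: lets AD resolve nested group membership in one query
AD_NESTED_GROUP_FILTER = "(member:1.2.840.113556.1.4.1941:=%s)"


def is_single_bind(c: Dict[str, str]) -> bool:
    """Single bind = bind_dn is a per-user template (e.g. DOMAIN\\%s) and no bind password."""
    return "%s" in c.get("bind_dn", "") and not c.get("bind_password")


def group_settings(c: Dict[str, str]) -> Dict[str, str]:
    """Return the group-related ldap.toml keys for config dict `c` (assumed key names)."""
    is_ad = c.get("search_filter") == AD_SEARCH_FILTER
    if is_ad and not is_single_bind(c):
        # Service-account bind: search groups whose (nested) member is the user's DN
        return {
            "group_search_filter": AD_NESTED_GROUP_FILTER,
            "group_search_filter_user_attribute": "distinguishedName",
            "member_of": "distinguishedName",
        }
    # Non-AD, or AD with single bind: read memberOf straight from the user entry
    return {"member_of": "memberOf"}


def _toml_str(value: str) -> str:
    # TOML literal strings ('...') avoid escaping backslashes in DOMAIN\%s
    return f"'{value}'" if "\\" in value else f'"{value}"'


def render_ldap_toml(c: Dict[str, str]) -> str:
    """Render a minimal [[servers]] block for Grafana's ldap.toml."""
    g = group_settings(c)
    lines = [
        "[[servers]]",
        f"host = {_toml_str(c['host'])}",
        f"port = {c.get('port', 389)}",
        f"bind_dn = {_toml_str(c['bind_dn'])}",
    ]
    if not is_single_bind(c):
        lines.append(f"bind_password = {_toml_str(c['bind_password'])}")
    lines += [
        f"search_filter = {_toml_str(c['search_filter'])}",
        f"search_base_dns = [{_toml_str(c['search_base_dns'])}]",
    ]
    if "group_search_filter" in g:
        lines += [
            f"group_search_filter = {_toml_str(g['group_search_filter'])}",
            f"group_search_filter_user_attribute = "
            f"{_toml_str(g['group_search_filter_user_attribute'])}",
            f"group_search_base_dns = [{_toml_str(c['group_search_base_dns'])}]",
        ]
    lines += [
        "",
        "[servers.attributes]",
        'username = "sAMAccountName"',
        f"member_of = {_toml_str(g['member_of'])}",
        'email = "mail"',
        'name = "givenName"',
        'surname = "sn"',
    ]
    return "\n".join(lines) + "\n"


# Constructed sample input: the single-bind Global Catalog case from the thread
SINGLE_BIND_CFG = {
    "host": "gc.example.test", "port": 3268,
    "bind_dn": r"EXAMPLE\%s", "bind_password": "",
    "search_filter": AD_SEARCH_FILTER,
    "search_base_dns": "dc=example,dc=test",
    "group_search_base_dns": "dc=example,dc=test",
}

if __name__ == "__main__":
    print(render_ldap_toml(SINGLE_BIND_CFG))
```

Two caveats worth keeping in mind before changing the generator: a single bind with "DOMAIN\%s" and an empty bind_password means the user's own credentials are used for the search, so the account must be allowed to read its own memberOf; and in Grafana's own nested-group example for AD, member_of is set to distinguishedName precisely because group_search_filter matches group entries by the user's DN, so the two settings must be changed together rather than switching member_of alone.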