
[Feature request] ldap.toml environment interpolation #8832

Closed
carlpett opened this issue Jul 11, 2017 · 23 comments · Fixed by #20173

Comments

@carlpett
Contributor

It would be useful to be able to do some kind of environment variable expansion in the ldap.toml file, much like what can be done in grafana.ini, especially to inject the bind password.

There is an additional complexity with this file as compared to grafana.ini in that there can be multiple server sections, so possible using the same kind of GF_<SECTION>_<KEY> syntax might be difficult. For me, just being able to do bind_password = {BIND_PASSWORD1} and bind_password = {BIND_PASSWORD2} would be sufficient, though, so maybe there is no need to tackle that problem.

@liorbachar

+1
I'm having the same problem.

@lukibahr

Facing the same issue.

@fpietsch

+1

@pascalschoener

+1

@rocktavious

+1

@maxime-jeanson

+1

@AhireSwati

+1

@himmatb

himmatb commented Oct 17, 2018

Is there any workaround for this issue? Help will be appreciated.

@mjad-org

+1

@rodesousa

+1

@shizacat

+1

@pdanysz

pdanysz commented Dec 28, 2018

+1

@seesharpguy

+1

@rnsc

rnsc commented Jun 7, 2019

Do you think this could be implemented?
We want to consume the official Grafana image as is, and adding secrets to config files/deployments is kinda annoying (K8S), so we'd want to consume a K8S secret as an env var in the container itself and reference it in our configmap.

@rnsc

rnsc commented Jun 7, 2019

@torkelo would making a PR be accepted?
https://github.com/grafana/grafana/blob/a3092dc57b7a91d9d38ece34c142a51912e33a65/pkg/services/ldap/settings.go

Basically, this is where the magic happens, right? So we'd need to implement overrides for our variables based on whether the ENV vars are set or not.

@rnsc

rnsc commented Jun 12, 2019

A PR has been created to solve this issue: #17526
Thanks @JonasDeGendt !

@greenled

greenled commented Dec 6, 2019

Please @torkelo, could you provide an example of how this was finally implemented? I'm trying:

- GF_AUTH_LDAP_ENABLED=true
- GF_AUTH_LDAP_ALLOW_SIGN_UP=true
- GF_AUTH_LDAP_SERVERS_0_HOST="**********"
- GF_AUTH_LDAP_SERVERS_0_PORT=389
- GF_AUTH_LDAP_SERVERS_0_USE_SSL=false
- GF_AUTH_LDAP_SERVERS_0_START_TLS=false
- GF_AUTH_LDAP_SERVERS_0_SSL_SKIP_VERIFY=true
- GF_AUTH_LDAP_SERVERS_0_BIND_DN="**********"
- GF_AUTH_LDAP_SERVERS_0_BIND_PASSWORD="**********"
- GF_AUTH_LDAP_SERVERS_0_SEARCH_FILTER="(cn=%s)"
- GF_AUTH_LDAP_SERVERS_0_SEARCH_BASE_DNS="**********"
- GF_AUTH_LDAP_SERVERS_ATTRIBUTES_NAME="givenName"
- GF_AUTH_LDAP_SERVERS_ATTRIBUTES_SURNAME="sn"
- GF_AUTH_LDAP_SERVERS_ATTRIBUTES_USERNAME="cn"
- GF_AUTH_LDAP_SERVERS_ATTRIBUTES_MEMBER_OF="memberOf"
- GF_AUTH_LDAP_SERVERS_ATTRIBUTES_EMAIL="email"

@mjiderhamn

@greenled , you can check the testcases in the PR (#20173) and see that you can use for example bind_password = '${ENV_PASSWORD}' in your config to reference env var ENV_PASSWORD.

@greenled

greenled commented Dec 7, 2019

@mjiderhamn thanks. Sorry, I missed the point of this issue :) Anyway, I'm asking about setting LDAP through env vars like in the main config file. Is it doable?

@tikoflano

I wanted to set up the LDAP configuration with environment variables too, and this is what I came up with. Maybe you can use this as a base for what you are looking for.

docker-compose.yml:

```yaml
version: '3'

services:
  grafana:
    image: grafana/grafana
    container_name: grafana
    ports:
      - 3000:3000
    volumes:
      - grafana_data:/var/lib/grafana
      - ./src/grafana/entrypoint.sh:/entrypoint.sh
      - ./src/grafana/ldap.template.toml:/tmp/ldap.template.toml
      - /etc/localtime:/etc/localtime:ro
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=myadminpass
      - GF_AUTH_LDAP_ENABLED=true
      - GF_AUTH_LDAP_ALLOW_SIGN_UP=true
      - GF_AUTH_LDAP_CONFIG_FILE=/etc/grafana/ldap.toml
      - LDAP_BASE=dc=mydaomain,dc=com
      - LDAP_PASSWORD=myldappass
    user: root
    entrypoint: /entrypoint.sh
    restart: unless-stopped

volumes:
  grafana_data:
```

Note how I changed the user and the entrypoint. I also mounted entrypoint.sh and ldap.template.toml.

./src/grafana/entrypoint.sh (remember to chmod +x it)

```bash
#!/bin/bash
set -eu

# The stock image ships a default /etc/grafana/ldap.toml with host = "127.0.0.1";
# the template is rendered over it only on the first start.
if grep -q 'host = "127.0.0.1"' /etc/grafana/ldap.toml; then
  echo "Setting up LDAP auth"
  # Note: sed treats '/', '&' and '\' specially, so values containing them need escaping.
  sed "s/\${LDAP_BASE}/$LDAP_BASE/g;s/\${LDAP_PASSWORD}/$LDAP_PASSWORD/g" /tmp/ldap.template.toml > /etc/grafana/ldap.toml
else
  echo "Skipping LDAP auth"
fi

# Drop from root back to the grafana user and hand off to the image's own start script.
exec su -s "/bin/bash" -c "/run.sh $@" grafana
```

./src/grafana/ldap.template.toml

```toml
[[servers]]
host = "ldap"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = true
bind_dn = "cn=admin,${LDAP_BASE}"
bind_password = '${LDAP_PASSWORD}'
search_filter = "(cn=%s)"
search_base_dns = ["ou=Users,${LDAP_BASE}"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"
```
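
As an added example (not from this thread and not Grafana's own code), the template-rendering step of an entrypoint like the one above, done with shell parameter expansion instead of sed: '/', '&' and '\' in the bind password are copied literally, the secret never appears in a command line that other users could read through ps, and the rendered file is written owner-readable only. The template path, output path and variable names are assumptions.

```sh
#!/bin/sh
# Render an ldap.toml template, replacing ${NAME} placeholders with the values of
# the named environment variables, using only shell parameter expansion.
set -eu

# replace_all STRING NEEDLE REPLACEMENT: print STRING with every NEEDLE replaced.
replace_all() {
  s=$1 needle=$2 rep=$3 out=""
  while [ -n "$s" ]; do
    case $s in
      *"$needle"*)
        out="$out${s%%"$needle"*}$rep"   # text before the match, then the value
        s=${s#*"$needle"}                 # continue after the match
        ;;
      *)
        out="$out$s"; s=""
        ;;
    esac
  done
  printf '%s' "$out"
}

# render_template FILE NAME...: expand ${NAME} for each listed variable, line by line.
render_template() {
  tmpl=$1; shift
  while IFS= read -r line || [ -n "$line" ]; do
    for name in "$@"; do
      eval "val=\$$name"                          # set -u aborts if NAME is unset
      line=$(replace_all "$line" "\${$name}" "$val")
    done
    printf '%s\n' "$line"
  done < "$tmpl"
}

# main TEMPLATE OUTPUT NAME...: write the rendered config owner-readable only.
# Assumed layout: TEMPLATE=/tmp/ldap.template.toml, OUTPUT=/etc/grafana/ldap.toml.
main() {
  tmpl=$1; out=$2; shift 2
  umask 077                      # the rendered file contains the bind password
  render_template "$tmpl" "$@" > "$out"
  chown grafana:grafana "$out" 2>/dev/null || true   # skipped when not running as root
}

# An entrypoint would call: main /tmp/ldap.template.toml /etc/grafana/ldap.toml \
#   LDAP_BASE LDAP_PASSWORD && exec su -s /bin/bash -c /run.sh grafana
if [ $# -gt 0 ]; then main "$@"; fi
```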

oddlittlebird pushed a commit that referenced this issue Apr 2, 2020
This was implemented but never documented.

This is related to:
#8832
#5248
#20173

@viharm

viharm commented Aug 19, 2022

If I specify an environment variable that's extracting the bind password from a file (AUTH_LDAP_BINDPASSWORD_FILE), then how can I use the extracted password in the LDAP configuration?

Can I do this?

bind_password = '${AUTH_LDAP_BINDPASSWORD}'

The reason for this is that I don't want the LDAP bind password to be visible in the container's environment.

Just found this https://grafana.com/docs/grafana/v9.0/setup-grafana/configure-grafana/#file-provider. Can this be used for variable expansion?

@JaguarDev500

Hi all!

Is it possible to override environment variables in ldap.toml when starting a container?

e.g. docker run -d -p 3000:3000 -e "GF_SERVERS_HOST='my_ad_host'" grafana/grafana-enterprise

Thanks in advance for more experienced replies!
