Enable LDAP on Percona Monitoring and Management (PMM)

Percona Monitoring and Management (PMM) has been on the road for a while now, and it brings exciting new features and improvements . For those who are not familiar with the tool, PMM allows deep insight into the performance of applications and databases.  The most crucial highlight: it is 100% open-source . Also, the source code is present on GitHub .

Back to new features and improvements. One of them, that customers were requesting, was the support for LDAP . This feature finally arrived with PMM version 2 thanks to the new version of Grafana , and I intend to demonstrate in a few steps how to configure it.

The steps below are design-oriented to work onPMM docker-based. Note, in case of a version upgrade, PMM will upgrade the files, and the LDAP settings need to be applied again.

So, let’s start with the steps.

Walkthrough

1)Logging into pmm container

sudo docker exec -it pmm-server /bin/bash

2)Now, it is necessary to modify two files. First, the  grafana .ini configuration file. It is located in this path:

/etc/grafana/grafana.ini

Find the auth.ldap section and remove the semicolon to enable the parameters:

[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true

3)Next, change the LDAP specific configuration file ( ldap.toml ). It is on this path:

/etc/grafana/ldap.toml

In this file, it is necessary to modify the settings accordingly to the current LDAP configuration.

# In this case, SSL is not being used (attention to the port)
 
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "172.17.0.4"
# Default port is 389 or 636 if use_ssl = true
port = 389

On the above configuration, LDAP uses the default port for non-SSL. Below,  the user that will perform the first search to verify if the user-provided on Grafana exists or not (in this example, the admin user):

# Search user bind dn
bind_dn = "cn=admin,dc=percona,dc=com"
 
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'sekret'

Subsequently, the base search:

# An array of base dns to search through
search_base_dns = ["dc=percona,dc=com"]

To avoid any errors on PMM, I recommend to comment on the attributes that are not being used by LDAP:

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
#surname = "sn"
username = "cn"
member_of = "memberOf"
#email =  "email"

And the last part, it is possible to use the LDAP group users to define which can be an admin or only viewer on Grafana:

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
#group_dn = "cn=admins,dc=percona,dc=org"
#org_role = "Admin"
# To make user an instance admin  (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1
 
[[servers.group_mappings]]
#group_dn = "cn=users,dc=grafana,dc=org"
#org_role = "Editor"

In this example, groups are disabled.

4-) After the updates, Grafana needs to be restarted. Exit the container and perform a restart:

sudo docker stop pmm-server && sudo docker start pmm-server

If everything is ok, access should be ok at this point.

In case it is necessary to debug it, there is an extra step:

Optional-) Edit the  /etc/grafana/ldap.toml file and remove the # on the log section:

[log]
filters = ldap:debug

And restart the pmm container again.

Workaround to Avoid Changes Being Overwritten on PMM Upgrades

It is possible to use the ability of Docker to set environment variables. Grafana allows you to set two environment variables to set LDAP authentication:

GF_AUTH_LDAP_ENABLED=true
GF_AUTH_LDAP_CONFIG_FILE=/<path>/ldap.toml

They need to be placed when docker run command is executed:

docker run -d -p 80:80 -p 443:443 --volumes-from pmm-data --name pmm-server --restart always -e GF_AUTH_LDAP_CONFIG_FILE=/ldap.conf -e GF_AUTH_LDAP_ENABLED=true percona/pmm-server:2

Note that the LDAP file will have to be copied inside the docker container, but when copied, it will resist the upgrade.

Conclusion

Percona is continuously improving PMM, and it is in the discussions to make LDAP authentication configurable through the user interface in the future. It is an excellent addition to one of the features that were commonly requested by customers and the community. Finally, if you have any suggestions or feature requests, please don’t hesitate to reach us!

Useful Resources

Finally, you can reach us through our social networks ( Twitter , LinkedIn , Facebook ), our forum, or access our material using the links presented below: