graylog-groups/graylog-groups.yml.example
Emmanuel BENOîT 5c014aa951 Read username from referenced LDAP record
* The `username_attribute` configuration value was added to the `ldap`
  section. When this value is set, the program will not try to extract the
  username from DNs; instead, it will look them up and extract the
  username from the referenced record, using the specified attribute.

* The program will no longer exit in error when a group listed in the
  mapping doesn't exist.
2021-02-09 23:15:24 +01:00


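---
# graylog-groups configuration example / documentation
# =====================================================
#
# Values marked REQUIRED must be present; the others fall back to the
# documented defaults. String values that a YAML parser could read as another
# type (for example "yes", or an all-digit identifier) are quoted so that the
# program receives the string the option expects.
#
# This file carries LDAP and Graylog credentials: keep the real copy out of
# version control and readable only by the account that runs graylog-groups.

# LDAP server configuration
# --------------------------
ldap:
  # The LDAP server's host name or IP address. REQUIRED.
  host: ldap.example.org
  # Port number - usually 389 for clear/starttls or 636 for TLS. Defaults to
  # 389.
  port: 636
  # TLS mode. This must be either "yes" for the non-standard, pure TLS mode,
  # "starttls" for TLS over a clear connection, or "no" to use a clear
  # connection. Defaults to "no". The value is quoted because an unquoted
  # yes/no is a boolean to YAML 1.1 parsers, not the string this option
  # expects.
  tls: "yes"
  # Skip server certificate check. Defaults to false. Setting this to true
  # disables verification of the server's certificate; when the server uses a
  # private CA, supply `cachain` instead of turning verification off.
  tls_skip_verify: false
  # CA certificate chain. Can be omitted if the system's trusted CAs must be
  # used, or if no TLS is being used.
  cachain: /path/to/ca/chain.pem
  # LDAP user (as a DN) and password to bind with. Both fields may be omitted
  # if anonymous binding is to be used.
  bind_user: cn=graylog,ou=automation,dc=example,dc=org
  bind_password: drowssap
  # LDAP attributes which may contain either the UIDs or the DNs of the groups'
  # members. If the fields contain the DN, the first element will be extracted
  # and used as the username. REQUIRED.
  member_fields:
    - member
    - uniqueMember
    - memberUid
  # Username attribute. This is used when group member fields contain the '='
  # or ',' characters, in which case the value will be considered a DN and
  # looked up in the LDAP. The field specified by this configuration value will
  # be read and used as the login name. If this configuration value is not set,
  # the first element in the DN will be extracted and used as the username.
  username_attribute: uid

# Graylog server info
# --------------------
graylog:
  # API base URL. REQUIRED.
  api_base: https://graylog.example.org/api
  # Username and password to use to authenticate to the API. REQUIRED.
  username: admin
  password: drowssap
  # Should accounts be deleted when they no longer have any privileges? Warning,
  # this option is rather dangerous. Can be omitted, defaults to false.
  delete_accounts: false

# Group -> privileges mappings
# -----------------------------
mapping:
  # Each entry in this table must use an LDAP group's name (its DN, as shown
  # below) as its key. A group listed here that does not exist in the LDAP
  # does not make the program exit in error.
  cn=g1,ou=groups,dc=example,dc=org:
    # List of Graylog roles that users in this group should have. The names
    # must match the ones in the Graylog administration section.
    roles:
      - Reader
    # Privileges on various Graylog objects. This is a list of records.
    privileges:
      # Each privilege record includes a type of object (either "dashboard" or
      # "stream"), an identifier (which is generated by Graylog, and must be
      # extracted from the pages' URLs or from the API) and a level, which may
      # be either "read" or "write", the latter implying the former. Should a
      # user be a member of groups that grant both privilege levels, the
      # highest level will be kept. Identifiers are quoted so that an all-digit
      # identifier is kept as a string rather than parsed as a number.
      - type: dashboard
        id: "12345"
        level: read
      - type: stream
        id: "12345"
        level: read
  cn=g2,ou=groups,dc=example,dc=org:
    roles:
      - Event Definition Creator
      - Event Notification Creator
    privileges:
      - type: dashboard
        id: "12345"
        level: write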