graylog-groups/graylog-groups.yml.example
Emmanuel BENOîT 842a4be87e TLS controls for the LDAP connection
The LDAP connection now supports using a custom CA certificate chain or
skipping all TLS certificate checks.
2021-02-08 23:23:16 +01:00

91 lines
2.8 KiB
Text

# graylog-groups configuration example / documentation
# =====================================================
# LDAP server configuration
# --------------------------
ldap:
# The LDAP server's host name or IP address. REQUIRED.
host: ldap.example.org
# Port number - usually 389 for clear/starttls or 636 for TLS. Defaults to
# 389.
port: 636
# TLS mode. This must be either "yes" for the non-standard, pure TLS mode,
# "starttls" for TLS over a clear connection, or "no" to use a clear
# connection. Defaults to "no".
tls: yes
# Skip server certificate check. Defaults to false.
tls_skip_verify: false
# CA certificate chain. Can be omitted if the systems' trusted CAs must be
# used, or if no TLS is being used.
cachain: /path/to/ca/chain.pem
# LDAP user (as a DN) and password to bind with. Both fields may be omitted
# if anonymous binding is to be used.
bind_user: cn=graylog,ou=automation,dc=example,dc=org
bind_password: drowssap
# LDAP attributes which may contain either the UIDs or the DNs of the groups'
# members. If the fields contain the DN, the first element will be extracted
# and used as the username. REQUIRED.
member_fields:
- member
- uniqueMember
- memberUid
# Graylog server info
# --------------------
graylog:
# API base URL. REQUIRED.
api_base: https://graylog.example.org/api
# Username and password to use to authenticate to the API. REQUIRED
username: admin
password: drowssap
# Should accounts be deleted when they no longer have any privileges? Warning,
# this option is rather dangerous. Can be omitted, defaults to false.
delete_accounts: false
# Group -> privileges mappings
# -----------------------------
mapping:
# Each entry in this table must use a LDAP group name as its key.
cn=g1,ou=groups,dc=example,dc=org:
# List of Graylog roles that users in this group should have. The names
# must match the ones in the Graylog administration section.
roles:
- Reader
# Privileges on various Graylog objects. This is a list of records.
privileges:
# Each privilege record includes a type of object (either "dashboard" or
# "stream"), an identifier (which is generated by Graylog, and must be
# extracted from the pages' URLs or from the API) and a level, which may
# be either "read" or "write", the latter implying the former. Should an
# user be a member of groups that grant both privilege levels, the highest
# level will be kept.
- type: dashboard
id: 12345
level: read
- type: stream
id: 12345
level: read
cn=g2,ou=groups,dc=example,dc=org:
roles:
- Event Definition Creator
- Event Notification Creator
privileges:
- type: dashboard
id: 12345
level: write