Skip to content

Amoolaa/grafana-teams-ldap-sync

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
.dev
.dev
 
 
.github
.github
 
 
sync
sync
 
 
.gitignore
.gitignore
 
 
.goreleaser.yaml
.goreleaser.yaml
 
 
Dockerfile
Dockerfile
 
 
FUTURE.md
FUTURE.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

grafana-teams-ldap-sync

A tool to synchronize Grafana Teams membership with LDAP/Active Directory groups based on LDAP user filters. It supports multiple organisations, team member and admin roles, and can run either as a one-time sync or as a server with an endpoint that does adhoc syncs. This aims to match what is offered in Grafana Cloud and Enterprise for LDAP team synchronisation for users of Grafana OSS.

Installation

  • Docker: images are published at docker pull ghcr.io/amoolaa/grafana-teams-ldap-sync:latest
  • Binary: download a precompiled binary from the Releases page
  • or clone and build from source

Usage

Run ./grafana-teams-ldap-sync sync for one-time sync run, or ./grafana-teams-ldap-sync server to run as a server. You can use crontab or kube CronJobs to schedule syncs.

Configuration

The tool requires two configuration files - the main config file for the syncer (--config flag), and another for the mappings from users to teams (--mapping). See config.yaml and mapping.yaml for sample configs.

GRAFANA_PASSWORD, GRAFANA_USER and LDAP_PASSWORD should be set as environment variables. The Grafana user credentials must have admin access to the organisations you are mapping against or be a Grafana server admin. The LDAP_PASSWORD is used to bind using the ldap.bind_dn variable in the main config file.

How it works

Using the sample mapping.yaml:

mapping:
  - org_id: 1
    teams:
      - name: foo
        admin_group_filter: "(cn=admins)"

the sync will:

  • Create a team with name "foo" in orgId 1 if it doesn't already exist
  • Fetch users from LDAP using admin_user_filter, member_user_filter, admin_group_filter, member_group_filter. If a user is returned in both the admin_* and member_* filters, they are made an admin of the team (i.e. admin takes preference). We use the email attribute specified in ldap.attributes.email.
  • Drop any users who are not users in Grafana (in other words, they must have logged in to Grafana at least once to be eligible for the sync).
  • Perform a bulk update to the members of the team the email attributes of users specified in ldap.attributes.email.

If you delete mapping entries it will not remove the created teams, you must manually clean them up.

About

Sync Grafana Teams from LDAP/Active Directory

Topics

ldap sync grafana active-directory teams

Resources

Readme

License

Apache-2.0 license
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 4

v0.0.4 Latest
Nov 17, 2025
+ 3 releases

Packages

 
 
 

Contributors 2

  •  
  •  

Languages