diff --git a/hieradata/roles/infra/metrics/grafana.eyaml b/hieradata/roles/infra/metrics/grafana.eyaml
index b792203..575f547 100644
--- a/hieradata/roles/infra/metrics/grafana.eyaml
+++ b/hieradata/roles/infra/metrics/grafana.eyaml
@@ -1,2 +1,3 @@
 ---
 profiles::sql::postgresdb::dbpass: ENC[PKCS7,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]
+profiles::metrics::grafana::ldap_bind_pass: ENC[PKCS7,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]
diff --git a/site/profiles/manifests/metrics/grafana.pp b/site/profiles/manifests/metrics/grafana.pp
index db0dca2..c792c4c 100644
--- a/site/profiles/manifests/metrics/grafana.pp
+++ b/site/profiles/manifests/metrics/grafana.pp
@@ -1,5 +1,6 @@
 # profiles::metrics::grafana
 class profiles::metrics::grafana (
+ String $ldap_bind_pass,
 Stdlib::Port $http_port = 8080,
 String $app_mode = 'production',
 Boolean $allow_sign_up = false,
@@ -65,11 +66,48 @@ class profiles::metrics::grafana (
 users => {
 allow_sign_up => $allow_sign_up,
 },
+ 'auth.ldap' => {
+ enabled => 'true',
+ config_file => '/etc/grafana/ldap.toml',
+ },
 }
+ # build the ldap config hash
+ $ldap_cfg = Sensitive({
+ servers => [
+ { host => 'ldap.service.consul',
+ port => 389,
+ use_ssl => false,
+ search_filter => '(uid=%s)',
+ search_base_dns => [ 'dc=main,dc=unkin,dc=net' ],
+ bind_dn => 'cn=svc_grafana,ou=services,ou=users,dc=main,dc=unkin,dc=net',
+ bind_password => $ldap_bind_pass,
+ },
+ ],
+ 'servers.attributes' => {
+ name => 'givenName',
+ surname => 'sn',
+ username => 'uid',
+ member_of => 'memberOf',
+ email => 'mail',
+ },
+ 'servers.group_mappings' => [
+ {
+ group_dn => 'ou=grafana_admin,ou=groups,dc=main,dc=unkin,dc=net',
+ org_role => 'Admin',
+ grafana_admin => true,
+ },
+ {
+ group_dn => 'ou=grafana_user,ou=groups,dc=main,dc=unkin,dc=net',
+ org_role => 'Viewer',
+ }
+ ],
+ })
 # deploy grafana
 class { 'grafana':
- cfg => $cfg,
+ cfg => $cfg,
+ ldap_cfg => $ldap_cfg,
 }
 # fix the package provided systemd service
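Review bot: The new parameter `String $ldap_bind_pass,` takes the bind secret as a plain string, so it sits unredacted in the compiled catalog and can surface in reports and debug output; the `Sensitive()` wrapper in the later hunk is applied only after the value has already passed through the parameter. Declaring it `Sensitive[String] $ldap_bind_pass,` and marking the hiera key with `lookup_options` (`convert_to: Sensitive`) keeps it redacted from lookup to catalog; the hash built in the following hunk would then call `$ldap_bind_pass.unwrap` before the outer `Sensitive()` so the value is not double-wrapped. The class parameter list continues outside this hunk, so check the `@param` documentation above it also describes the new required parameter.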
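Review bot: The server entry sets `port => 389,` and `use_ssl => false,`, so the service bind with `bind_password` and every user's login credential are sent to `ldap.service.consul` in cleartext; wrapping the hash in `Sensitive()` protects the catalog, not the wire. Unless that hop is encrypted by other means, use LDAPS (`use_ssl => true,` with port 636) or StartTLS (`start_tls => true,`), and leave certificate verification enabled rather than setting `ssl_skip_verify`. Separately, `enabled => 'true',` is a quoted string where the sibling `allow_sign_up => $allow_sign_up` is a Boolean; `enabled => true,` keeps the two consistent. Whether the `grafana` class accepts a `Sensitive` value for `ldap_cfg` depends on the module version in use, which is not visible here.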