Hello there,
This issue looks very similar to "LDAP auth - strange behaviour upon first login".
My goal is a classic one: to have n LDAP groups mapped against n different organizations. In the ldap.toml my servers group mappings look like this:
```toml
[[servers.group_mappings]]
group_dn = "CN=group1, OU=Workgroups,DC=mycompany,DC=com"
org_role = "Admin"
org_id = 1
[[servers.group_mappings]]
group_dn = "CN=group2, OU=Workgroups,DC=mycompany,DC=com"
org_role = "Admin"
org_id = 2
```
My admin_user belongs to group1.
The issue:
- I log in with my admin_user. It works! In the console I can see something like: `msg="Got Ldap User Info" logger=ldap user="(login.LdapUserInfo)…`
- I create the organizations
- I log out
- On the next login with admin_user I get "Failed to sync user" in the web browser, and in the console: "Cannot remove last organization admin"
I have found a workaround, which is to log in with one user that belongs to each of the organizations. After I have one user per organization the admin_user can log in again. For my dev environment this can be OK, but for a production setup (Apache httpd + Shibboleth + Grafana) it does not seem very convenient…
Any thoughts on this?
Thanks in advance,
Luis
PS: Thanks for the Grafana Authproxy article, very useful and works like a charm!
Grafana version: Grafana v4.6.3 (commit: 7a06a47). Built from grafana/grafana docker image