Assign LDAP user to a Grafana team

  • What Grafana version and what operating system are you using?
    7.1.5, the free download version

  • What are you trying to achieve?
    Would like to associate an onboarding LDAP user to a Grafana team before she logs in.

  • How are you trying to achieve it?

The ldap.toml is configured correctly. Authorized LDAP user group can authenticate into Grafana.
Let’s say we are expecting an onboarding senior executive. We are provided with her LDAP details before her arrival. But we are not sure how to assign her to a Grafana team before she logs in.

  • What happened?

It seems we must wait for her first logon so that her name shows up in the user list before we can assign her to a team.

  • What did you expect to happen?

I’m wondering if we can assign a searched LDAP user to the Grafana teams, even before she logs in.

  • Can you copy/paste the configuration(s) that you are having problems with?

Not necessary.

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

Not at all.

  • Did you follow any online instructions? If so, what is the URL?


Thank you team.

We’re looking to implement something similar. Were you able to find a solution to this?

Yes, we have. It is actually pretty straight-forward and no need to over think. The below works for us.

In the custom.ini of Grafana:

enabled = true
config_file = /your/path/to/ldap.toml
allow_sign_up = true

In the /your/path/to/ldap.toml

bind_dn = “yourdomain\%s”
search_filter = “(sAMAccountName=%s)”
search_base_dns = [“dc=your,dc=example,dc=com”]

name = “givenName”
surname = “sn”
username = “cn”
email = “mail”

Let’s say the LDAP username is JohnDoe, case sensitive. John is not required to login before the below steps.

Simply Add new user in Grafana | Server Admin | Users | New user
Name: John Doe
E-mail: leave blank
Username: JohnDoe case sensitive!
Password: Give a random, long password that you do not intend to remember.
Then Create user.

Go ahead and assign JohnDoe to a team.

When John actually logs in with his correct LDAP credentials, Grafana will look up his attributes from LDAP and fill the Name and Email in the Grafana local database.

John does not need to type the exact ‘JohnDoe’ in order to login. ‘johndoe’ will also work.

Wow. That is really straightforward. That will be perfect for our scenario! Thanks!!

Thanks for the example. Do you know if there is a way to configure ldap authentication without a password, as our ldap does not store the password. Thanks in advance for your help. Or, as an alternative; use the grafana password and authenticate, but check that the user is in ldap and show, and then do ldap search on group…like I see when I use the admin LDAP menu

I do not know. It’s more on the LDAP topic. You might want to talk to the LDAP administrator.

This no longer appears to work, at least in version 10.2. Upon first authentication of an LDAP user, if an account is created as recommended here, the user receives an error - Login failed, User sync failed.

The only way to fix is to delete the manually created user, then have them login via LDAP again. After first login, you can then add the user to a team.

Not sure if this is a bug? Is there a new method to assign an LDAP authenticated user to a team? Or was this removed to push people over to Enterprise?