This issue looks very similar to LDAP auth - strange behaviour upon first login
My goal is a classic one: to have n LDAP groups mapped against n different organizations. In the ldap.toml my server group mappings look like this:
```toml
[[servers.group_mappings]]
group_dn = "CN=group1, OU=Workgroups,DC=mycompany,DC=com"
org_role = "Admin"
org_id = 1

[[servers.group_mappings]]
group_dn = "CN=group2, OU=Workgroups,DC=mycompany,DC=com"
org_role = "Admin"
org_id = 2
```
My admin_user belongs to group1.
- I log in with my admin_user. It works! In the console I can see something like: *msg=“Got Ldap User Info” logger=ldap user="(login.LdapUserInfo)…
- I create the organizations
- I log out
- On the next login with admin_user I get "Failed to sync user" in the web browser, and in the console: "Cannot remove last organization admin"
I have found a workaround, which is to log in with one user that belongs to each of the organizations. After I have one user per organization, the admin_user can log in again. For my dev environment this can be OK, but for a production setup (apache httpd + shibboleth + grafana) it does not seem very convenient…
Any thoughts on this?
Thanks in advance,
PS: Thanks for the Grafana Authproxy article, very useful and works like a charm!
Grafana version: Grafana v4.6.3 (commit: 7a06a47). Built from grafana/grafana docker image