Automation - create a user that is in LDAP

  • What Grafana version and what operating system are you using?
    7.5.5 docker image running in OpenShift

  • What are you trying to achieve?
    Would like to leverage the Grafana Admin API to create a User that is from Microsoft Active Directory.

  • How are you trying to achieve it?
    Right now I have written a program that updates our MySQL DB for the Grafana `user` and `user_auth` tables. Specifically, auth_module and auth_id were set to ldap and the LDAP CN information.

auth_id example value: "CN=user1,CN=Users,DC=domain_part1,DC=domain_part2,DC=domain_part3,DC=domain_part4"

  • What did you expect to happen?
    Trying to find an API where I don’t have to directly interact with the database.

I can log in to Grafana with my domain credentials, so LDAP is configured correctly. Just trying to finish my automation work.

Hi @dgresham! Not sure if you’ve come across this API endpoint: Admin HTTP API | Grafana Labs? In principle that will let you interact with the users database. Not quite sure if it provides the level of flexibility you’re after, with respect to LDAP users.

Hi @svetb, yes, I had reviewed that and it doesn’t appear to apply to my situation. Thanks for the response.

Ah yes, I re-read your question and I think I see the hold-up: you’d like to edit some of the additional auth details that aren’t currently exposed by the API. I’m not sure that there’s another endpoint that does expose these. Though it could be a good feature request for the Grafana GitHub repo.

It’s been a while since I’ve used LDAP with Grafana, but out of curiosity, what is the reason for needing to edit these details manually? If memory serves me right, Grafana has a mechanism that automatically (periodically) syncs the internal user store with LDAP. I guess that syncing isn’t quite enough for your use case?

Hi @svetb, from what I have been able to determine so far, a user needs to log in to Grafana before their userid is populated. We are not running the Enterprise edition of Grafana, so I’m trying to set this up so that people do not have to log in first.

My automation flow is that I have a customer identifier, and from that:

  • create a team
  • create a folder
  • add customer name permissions to the folder I created
  • create an alerts-notification channel

Next step is to create the user (without having someone log in first) and
add that userid to the team that they belong to.

I can do this manually by manipulating the MySQL tables directly.

Are you saying that Grafana will automatically import users from the domain?
I can log in to our Grafana environment with my credentials. I was always told I had to do an initial login to get that set up.
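The team/folder/permission/notification-channel part of the flow above, written against Grafana's HTTP API instead of the MySQL tables, as an added example that is not code from this thread. It assumes the Grafana 7.x endpoint paths shown, an admin API token, and a constructed customer name; the transport is injected so the flow can be exercised offline, and, as the thread notes, no endpoint writes `user_auth.auth_module`/`auth_id`, so the user-to-team step only works once the LDAP user record exists.

```python
import json
import urllib.request

# Going through the API (not the DB) keeps Grafana's validation, permission
# checks and audit trail; the token only needs the admin rights the flow uses.
def http_post(base_url, token, path, payload):
    """Default transport: POST JSON to Grafana with a bearer API token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
        method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def provision_customer(customer, post):
    """Team -> folder -> folder permission -> notification channel.

    `post(path, payload)` is the transport (e.g. a partial of http_post);
    it is injected so the sequence can be tested with a fake Grafana.
    """
    team = post("/api/teams", {"name": customer})
    folder = post("/api/folders", {"title": customer})
    # Grant only this team, only on its own folder, only View (1):
    # least privilege per customer (2 = Edit, 4 = Admin).
    post("/api/folders/%s/permissions" % folder["uid"],
         {"items": [{"teamId": team["teamId"], "permission": 1}]})
    channel = post("/api/alert-notifications",
                   {"name": customer + "-alerts", "type": "email",
                    "settings": {"addresses": customer + "@example.invalid"}})
    return {"teamId": team["teamId"], "folderUid": folder["uid"],
            "channelId": channel["id"]}

def add_team_member(team_id, user_id, post):
    """Attach an existing Grafana user id (populated after the LDAP user's
    first login, per this thread) to the customer's team."""
    return post("/api/teams/%d/members" % team_id, {"userId": user_id})

if __name__ == "__main__":
    import functools
    # Constructed values; replace with your Grafana URL and API token.
    post = functools.partial(http_post, "https://grafana.example.invalid", "TOKEN")
    print(provision_customer("customer-42", post))
```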

Hi @dgresham, apologies for the slow response. I see that you indeed have some more specific needs for user configuration, on top of simply allowing an LDAP user to log in to the appropriate org. In the standard LDAP integration a user doesn’t need to be “pre-registered” in Grafana before they can sign in (their account will be auto-created when they first sign in), but it sounds like they wouldn’t have the exact permissions you would want.

I know that the LDAP mapping options have evolved since I last used it with Grafana, but I would assume they’re still not at the level that you would need here.

So yeah, I can’t actually think of a better way to do it than what you have currently, with direct database manipulation. An API enhancement that allows for your use case could make for an interesting GitHub feature request though!