Failed to authenticate using ldap when migrating to 9.5.1

sdalu · May 4, 2023, 11:07am

Just upgraded from grafana 9.4.3 to 9.5.1, the ldap autentication process which was working find in 9.4.3 stop working.

Don’t know if it is related, message in grafana.log indicate:

logger=context userId=0 orgId=0 uname= t=2023-05-04T12:54:58.555351914+02:00 level=error msg=“Error while trying to authenticate user” error=“cannot remove last grafana admin” remote_addr=w.x.y.z traceID=

LDAP is having a single user, which has been granted admin privilege in grafana using org_role.

sdalu · May 4, 2023, 11:21am

Seem this was due to not having any user with “grafana admin” privileges.

rickslick · September 28, 2023, 9:40am

@sdalu can you clarify how it was fixed

stephanedalu · September 28, 2023, 10:50am

@rickslick sorry, I don’t remember exactly.

Perhap ensure that in https://xxxx/admin/users you have a user with role set to Admin

rickslick · September 28, 2023, 1:53pm

More Context : Upgrade from 9.2.20 to 9.5.10 , where ldap which was working in previous version broke:


 debug logs  error : 
logger=ldap t=XXXXX level=debug msg="LDAP users found" users="[{OAuthToken:<nil> AuthModule:ldap AuthId:cn=admin,dc=XXX,dc=XXX UserId:0 Email: Login:admin Name: Groups:[grafana-editor grafana-admin admin] OrgRoles:map[1:Admin] IsGrafanaAdmin:0xc002fc61e8 IsDisabled:false SkipTeamSync:false}]"

logger=login.ext_user t=2023-09-28T13:35:40.764647263Z level=debug msg="Syncing organization roles" id=1 extOrgRoles=map[1:Admin]

logger=context userId=0 orgId=0 uname= t=2023-09-28T13:35:40.767267239Z level=error msg="Error while trying to authenticate user" error="cannot remove last grafana admin" remote_addr=127.0.0.1 traceID=

-------------------------

# An array of base dns to search through

search_base_dns = ["dc=XX,dc=XX"]

## For Posix or LDAP setups that does not support member_of attribute you can define the below settings

## Please check grafana LDAP docs for examples

# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"

# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]

# group_search_filter_user_attribute = "uid"

# Specify names of the ldap attributes your ldap uses

[servers.attributes]

name = "givenName"

surname = "sn"

username = "cn"

member_of = "memberOf"

email = "email"

# Map ldap groups to grafana org roles

[[servers.group_mappings]]

group_dn = "grafana-admin"

org_role = "Admin"

# To make user an instance admin (Grafana Admin) uncomment line below

# grafana_admin = true

# The Grafana organization database id, optional, if left out the default org (id 1) will be used

# org_id = 1

[[servers.group_mappings]]

group_dn = "grafana-editor"

org_role = "Editor"

[[servers.group_mappings]]

# If you want to match all (or no ldap groups) then you can use wildcard

group_dn = "grafana-viewer"

org_role = "Viewer"

rickslick · September 29, 2023, 3:29am

after deleting the the user table the error of unable to remove message didnt appear any more. Looks like grafana is trying to remove the existing entry and reapply a new entry from backend db