Failed to authenticate using ldap when migrating to 9.5.1

Just upgraded from grafana 9.4.3 to 9.5.1, and the ldap authentication process, which was working fine in 9.4.3, stopped working.

Don't know if it is related, but a message in grafana.log indicates:

logger=context userId=0 orgId=0 uname= t=2023-05-04T12:54:58.555351914+02:00 level=error msg="Error while trying to authenticate user" error="cannot remove last grafana admin" remote_addr=w.x.y.z traceID=

LDAP is having a single user, which has been granted admin privilege in grafana using org_role.

Seems this was due to not having any user with "grafana admin" privileges.


@sdalu can you clarify how it was fixed

@rickslick sorry, I don’t remember exactly.

Perhaps ensure that in https://xxxx/admin/users you have a user with role set to Admin.

More context: upgrade from 9.2.20 to 9.5.10, where ldap, which was working in the previous version, broke:

Debug log error:
logger=ldap t=XXXXX level=debug msg="LDAP users found" users="[{OAuthToken:<nil> AuthModule:ldap AuthId:cn=admin,dc=XXX,dc=XXX UserId:0 Email: Login:admin Name: Groups:[grafana-editor grafana-admin admin] OrgRoles:map[1:Admin] IsGrafanaAdmin:0xc002fc61e8 IsDisabled:false SkipTeamSync:false}]"

logger=login.ext_user t=2023-09-28T13:35:40.764647263Z level=debug msg="Syncing organization roles" id=1 extOrgRoles=map[1:Admin]

logger=context userId=0 orgId=0 uname= t=2023-09-28T13:35:40.767267239Z level=error msg="Error while trying to authenticate user" error="cannot remove last grafana admin" remote_addr= traceID=


```toml
# ([servers.attributes] / [[servers.group_mappings]] table headers restored; the pasted copy had lost them)

# An array of base dns to search through
search_base_dns = ["dc=XX,dc=XX"]

## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# group_search_filter_user_attribute = "uid"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "grafana-admin"
org_role = "Admin"
# To make user an instance admin (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "grafana-editor"
org_role = "Editor"

# If you want to match all (or no ldap groups) then you can use wildcard
[[servers.group_mappings]]
group_dn = "grafana-viewer"
org_role = "Viewer"
```

After deleting the user table, the "unable to remove" error message didn't appear any more. Looks like grafana is trying to remove the existing entry and reapply a new entry from the backend db.
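For readers hitting the same log line, here is an added illustration of the mapping change implied by the thread (it is not any poster's actual config; host, bind DN, password and group names are placeholders modelled on the values pasted above). The pasted config grants `org_role = "Admin"` but leaves `grafana_admin` commented out; the sync then also writes the Grafana Admin (server admin) flag for the LDAP user, and if that user is the only server admin in the database, Grafana refuses the update with "cannot remove last grafana admin", which is the error shown in both logs. Either keep a local server admin account (the advice given earlier in the thread) or, as below, make the admin group's members instance admins so the synced flag matches the stored one.

```toml
# Example ldap.toml (added illustration, not the thread's own config).
# All hosts, DNs and secrets here are placeholders.
[[servers]]
host = "ldap.example.invalid"        # placeholder host
port = 389
bind_dn = "cn=admin,dc=XX,dc=XX"     # placeholder bind DN
bind_password = "CHANGE-ME"          # placeholder
search_filter = "(cn=%s)"
search_base_dns = ["dc=XX,dc=XX"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"

# Weak setting (as pasted in the thread): org_role = "Admin" only grants the
# organization Admin role. With grafana_admin unset, the sync still writes the
# server-admin flag as false; if the LDAP user is the last Grafana Admin, the
# write is rejected with "cannot remove last grafana admin" and login fails.
#[[servers.group_mappings]]
#group_dn = "grafana-admin"
#org_role = "Admin"

# Corrected: members of the admin group are also instance (server) admins, so
# the synced flag agrees with the stored one and nothing tries to demote the
# last admin. Alternatively keep a local, non-LDAP server admin account.
[[servers.group_mappings]]
group_dn = "grafana-admin"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "grafana-editor"
org_role = "Editor"

# Wildcard: everyone else who authenticates becomes a Viewer in org 1.
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
```

After changing the mapping, the debug line `LDAP users found` should show `IsGrafanaAdmin` pointing at a true value for the admin-group user, and the `cannot remove last grafana admin` line should no longer follow the `Syncing organization roles` line.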