Grafana and openldap

  • What Grafana version and what operating system are you using?
    Grafana 8.3.3 on Ubuntu 20.04
  • What are you trying to achieve?
    Use the LDAP base to log in to Grafana
  • How are you trying to achieve it?
    I have configured the grafana.ini and ldap.toml files following the documentation.

When I try to log in, my OpenLDAP log file says:

BIND dn="cn=admin,dc=my-domain,dc=net" method=128
BIND dn="cn=admin,dc=my-domain,dc=net" mech=SIMPLE ssf=0
RESULT tag=97 err=0 text=
ACCEPT from IP=192.168.xx.yy:59734 (IP=0.0.0.0:389)
SRCH base="dc=my-domain,dc=net" scope=2 deref=0 filter="(|(cn="my login name"))"
SRCH attr=cn sn email givenName memberOf
SEARCH RESULT tag=101 err=0 nentries=1 text=
BIND anonymous mech=implicit ssf=0
BIND dn="cn="my login name",ou=users,dc=my-domain,dc=net" method=128
BIND dn="cn="my login name",ou=users,dc=my-domain,dc=net" mech=SIMPLE ssf=0
RESULT tag=97 err=0 text=
closed (connection lost)

On the Grafana side (log) I get:

info msg="LDAP enabled, reading config file" logger=ldap file=/etc/grafana/ldap.toml
eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="cannot remove last organization admin" remote_addr=192.168.zz.ff
eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=192.168.zz.ff time_ms=14 size=53 referer=https://grafana.my-domain.net/login

I am not an expert in OpenLDAP (but my LDAP works fine to authorise access to an nginx website).
I suspect the "cannot remove last organization admin" message is the cause?

Any idea?

Thanks

A first mistake on my side in the ldap.toml corrected (some "dc=template" remaining).
But still not working, with another error:

eror msg="User does not belong in any of the specified LDAP groups" logger=ldap username="my login name" groups=
eror msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="invalid username or password" remote_addr=192.168.zz.ff

When I use ldapsearch on OpenLDAP, my user belongs to the grafana-editor group,
and the ldap.toml has the following entry:

[[servers.group_mappings]]
group_dn = "cn=grafana-editor,ou=groups,dc=my-domain,dc=net"
org_role = "Editor"

Some more information that may help?

When I perform a request from the Grafana server admin menu, in the LDAP tab, with "my user", the LDAP reply says that the user exists, but I get the answer below:

Permissions
Grafana admin No
Status Inactive
No teams found via LDAP
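The "User does not belong in any of the specified LDAP groups" error with an empty `groups=` list comes from Grafana matching the user's memberOf values against `group_mappings`. The following is an added example, not Grafana's own code or the poster's, that replays that matching offline so a mapping block can be checked against the memberOf values the directory actually returns; the mappings are the post's single entry plus a hypothetical `"*"` fallback.

```python
# Added example (not Grafana's own code): replays Grafana's LDAP group-to-role
# matching so a group_mappings block can be tested against the memberOf values
# OpenLDAP really returns, without restarting Grafana after each edit.

# The single mapping quoted in the post, as Python dicts equivalent to the
# [[servers.group_mappings]] TOML tables (org_id defaults to 1 in Grafana).
POST_MAPPINGS = [
    {"group_dn": "cn=grafana-editor,ou=groups,dc=my-domain,dc=net", "org_role": "Editor"},
]

# Hypothetical variant: same mapping plus a catch-all. In Grafana, "*" matches
# every authenticated user and the first matching mapping per org wins, so the
# catch-all must be listed last.
MAPPINGS_WITH_FALLBACK = POST_MAPPINGS + [
    {"group_dn": "*", "org_role": "Viewer"},
]


def is_member_of(member_of, group_dn):
    """Grafana compares group DNs case-insensitively (strings.EqualFold) and
    treats the literal "*" as matching everyone."""
    if group_dn == "*":
        return True
    return any(group_dn.lower() == g.lower() for g in member_of)


def resolve_org_roles(member_of, mappings):
    """Return {org_id: role}; only the first matching mapping per org is used."""
    roles = {}
    for m in mappings:
        org_id = m.get("org_id", 1)
        if org_id in roles:
            continue  # an earlier mapping already decided this org
        if is_member_of(member_of, m["group_dn"]):
            roles[org_id] = m["org_role"]
    return roles


def login_outcome(member_of, mappings):
    """Summarise what Grafana would do: the granted roles, or the rejection
    message seen in the post. An empty member_of list is exactly the `groups=`
    in the log; OpenLDAP only returns memberOf when its memberof overlay is
    enabled, otherwise Grafana needs group_search_filter settings instead."""
    roles = resolve_org_roles(member_of, mappings)
    if not roles:
        return "User does not belong in any of the specified LDAP groups"
    return ", ".join(f"org {o}: {r}" for o, r in sorted(roles.items()))
```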