Grafana and openldap

ewok2 · March 15, 2022, 9:07pm

What Grafana version and what operating system are you using?
Grafana 8.3.3 on Ubuntu 20.04
What are you trying to achieve?
Use the ldap base to log in grafana
How are you trying to achieve it?
I have configure the grafana.ini and ldap.toml files folowing the documentation.

When I try to log my openldap log file says

BIND dn=“cn=admin,dc=my-domain,dc=net” method=128
BIND dn=“cn=admin,dc=my-domain,dc=net” mech=SIMPLE ssf=0
RESULT tag=97 err=0 text=
ACCEPT from IP=192.168.xx.yy:59734 (IP=0.0.0.0:389)
SRCH base=“dc=my-domain,dc=net” scope=2 deref=0 filter=“(|(cn=“my login name”))”
SRCH attr=cn sn email givenName memberOf
SEARCH RESULT tag=101 err=0 nentries=1 text=
BIND anonymous mech=implicit ssf=0
BIND dn=“cn=“my login name”,ou=users,dc=my-domain,dc=net” method=128
BIND dn=“cn=“my login name”,ou=users,dc=my-domain,dc=net” mech=SIMPLE ssf=0
RESULT tag=97 err=0 text=
closed (connection lost)

On grafana side (log) I get :

info msg=“LDAP enabled, reading config file” logger=ldap file=/etc/grafana/ldap.toml
eror msg=“Error while trying to authenticate user” logger=context userId=0 orgId=0 uname= error=“cannot remove last organization admin” remote_addr=192.168.zz.ff
eror msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=192.168.zz.ff time_ms=14 size=53 referer=https://grafana.my-domain.net/login

I am not an expert in openLdap (but my ldap works fine to authorise access to an nginx website)
I suspect the “cannot remove last organization admin” message is the cause?

Any idea ?

Thanks

ewok2 · March 15, 2022, 9:54pm

A 1rst mistke on my side for the ldap.toml corrected (some “dc=tempale” remaining)
But stil not working with another error…

eror msg=“User does not belong in any of the specified LDAP groups” logger=ldap username=“my login name” groups=
eror msg=“Invalid username or password” logger=context userId=0 orgId=0 uname= error=“invalid username or password” remote_addr=192.168.zz.ff

When I use ldapsearch on open ldap, my user belong to the grafana-editor groups
and with the ldap.toml following entry :

[[servers.group_mappings]]
group_dn = “cn=grafana-editor,ou=groups,dc=my-domain,dc=net”
org_role = “Editor”

ewok2 · March 18, 2022, 12:46pm

Some more information that may help ?

When I perform a request from the grafana server admin menu in the ldap tab
If I perform a request with “my user” the ldap reply that user exist but i get the below answer :

Permissions
Grafana admin No
Status Inactive
No teams found via LDAP

Topic		Replies	Views
LDAP configuration Configuration	1	2025	November 2, 2018
Grafana - use ldap Grafana	5	2943	August 18, 2019
How to configure ldap on grafana 6.2.5 Configuration ldap	0	1028	March 3, 2020
LDAP configuration issue : Unable to configure LDAP ldap	1	2803	February 24, 2021
Cannot get Grafana LDAP Authentication to work Configuration	9	26235	September 6, 2024

Grafana and openldap

Related topics