Grafana Auth with Microsoft Active Directory


Is there any way for Grafana LDAP authentication to work WITHOUT an LDAP user being a member of any LDAP groups?

I’m using MSAD and the structure looks like this

The output of Grafana ldap logging shows the following

t=2019-04-16T17:11:11+0000 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(cn=user001)(objectcategory=person))"
t=2019-04-16T17:11:11+0000 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc4203730a0)({\n DN: (string) (len=67) "CN=Juan Velazquez,OU=Tenant1,OU=Clientes,DC=vmware,DC=chechu,DC=com",\n FirstName: (string) (len=4) "Juan",\n LastName: (string) (len=9) "Velazquez",\n Username: (string) (len=7) "user001",\n Email: (string) (len=25) "",\n MemberOf: ([]string) \n})\n"
t=2019-04-16T17:11:11+0000 lvl=info msg="Ldap Auth: user does not belong in any of the specified ldap groups" logger=ldap username=user001 groups=[]

So clearly it didn’t match any groups, because the user is not a member of any LDAP groups, but is there still a way to log users in to Grafana without this?

Thanks in advance

Hello luca, by default users without “MemberOf” are assigned the role of “Viewer” in “/etc/grafana/ldap.toml”.
I can’t really understand your problem, but if you explain it to me I think I can help you.

Hi mrobles, thanks for your response.

The problem is that this AD configuration does not have any ‘groups’ object that users are a member of. I would have liked to have retained the functionality that the [servers.group_mappings] block provides, where I can assign a specific Organisation to a group of users, but this does not cover users in an Organizational Unit, since the Grafana back end will only look for valid LDAP group objects.

Does that make more sense?
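Grafana's ldap.toml also accepts a wildcard group_dn = "*" entry in [servers.group_mappings] that matches every user the search filter returns, including users whose memberOf is empty. The configuration below is an added example, not the thread's own; the host, bind account, admin group DN and org ids are assumptions, while the search filter and base DN follow the log output above.

```toml
# /etc/grafana/ldap.toml (added example; DNs and host are assumptions)
[[servers]]
host = "dc01.vmware.chechu.com"        # assumption: your domain controller
port = 636
use_ssl = true                          # LDAPS rather than plain 389
start_tls = false
ssl_skip_verify = false                 # keep certificate validation on
# Assumption: a read-only service account; never bind as a domain admin.
bind_dn = "CN=grafana-svc,OU=Service Accounts,DC=vmware,DC=chechu,DC=com"
bind_password = "REPLACE_WITH_BIND_PASSWORD"   # placeholder

# Same filter as in the log output: match the user by cn, restricted to person objects.
search_filter = "(&(cn=%s)(objectcategory=person))"
search_base_dns = ["OU=Clientes,DC=vmware,DC=chechu,DC=com"]

[servers.attributes]
name      = "givenName"
surname   = "sn"
username  = "cn"
member_of = "memberOf"
email     = "mail"

# Mappings are evaluated in order and the first match wins, so real group
# mappings go first and the catch-all goes last.
[[servers.group_mappings]]
group_dn = "CN=grafana-admins,OU=Groups,DC=vmware,DC=chechu,DC=com"   # assumption
org_role = "Admin"
org_id   = 1

# Wildcard: matches every user that passed the search filter, including
# users with no group memberships at all. Keep it last and keep it at
# Viewer so that merely existing in the directory grants read access only.
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
org_id   = 1
```

The wildcard only gets group-less users in the door; it cannot assign a different org or role per Organizational Unit, because group_dn is matched against memberOf values, not against the user's DN.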