Grafana & LDAP authorization

  • What Grafana version and what operating system are you using?

I use CentOS 7 + Docker and Grafana v10.0.3 (eb8dd72637)

  • What are you trying to achieve?

I am trying to get LDAP working and tested correctly, along with role mapping.

  • How are you trying to achieve it?

I read the official Grafana manual and some how-tos from Google.

  • What happened?

I cannot understand why, but the official guide is not working for me.
If I use

bind_dn = "cn=domain admins,dc=grafana,dc=org"

I cannot log in to Grafana with my domain admin user.
In one how-to I found this construction:

bind_dn = "%s@silar.local"

And it works for me! But why?!

Also, when I try to find any user from LDAP in Settings, I get the error “No user was found in the LDAP server(s) with that username” every time. It is very funny when I try to do this while logged in to Grafana as an LDAP user.
Also, I looked at the logs and was very surprised. I looked at the logs when I logged in and when I searched for the same user. I see the same LDAP request… and different results! How is this possible? Look at the logs:
Log after login:

grafana                | logger=ldap t=2023-08-10T18:10:18.686539166+03:00 level=debug msg="LDAP SearchRequest" searchRequest="&{BaseDN:dc=labs,dc=local Scope:2 DerefAliases:0 SizeLimit:0 TimeLimit:0 TypesOnly:false Filter:(|(sAMAccountName=agp)) Attributes:[cn sn email givenName memberOf] Controls:[]}\n"
grafana                | logger=ldap t=2023-08-10T18:10:18.687653578+03:00 level=debug msg="LDAP users found" users="[{OAuthToken:<nil> AuthModule:ldap AuthId:CN=Alex G. Powl,OU=labs,OU=Org,DC=labs,DC=local UserId:0 Email: Login:Alex G. Powl Name:Alex Powk Groups:[CN=graf_adm,CN=Users,DC=labs,DC=local CN=Users,DC=labs,DC=local CN=G_FS1370DN1,CN=Users,DC=labs,DC=local  CN=Administrators,CN=Builtin,DC=labs,DC=local CN=Domain Admins,CN=Users,DC=labs,DC=local] OrgRoles:map[1:Viewer] IsGrafanaAdmin:0xc0014ecfa9 IsDisabled:false SkipTeamSync:false}]"
grafana                | logger=http.server t=2023-08-10T18:10:18.701110929+03:00 level=info msg="Successful Login" User="Alex G. Powl"

Log after search:

grafana                | logger=ldap t=2023-08-10T18:11:03.263788885+03:00 level=debug msg="LDAP SearchRequest" searchRequest="&{BaseDN:dc=labs,dc=local Scope:2 DerefAliases:0 SizeLimit:0 TimeLimit:0 TypesOnly:false Filter:(|(sAMAccountName=agp)) Attributes:[cn sn email givenName memberOf] Controls:[]}\n"
grafana                | logger=context userId=1 orgId=1 uname=admin t=2023-08-10T18:11:03.265306202+03:00 level=error msg="No user was found in the LDAP server(s) with that username" error="LDAP Result Code 1 \"Operations Error\": 000004DC: LdapErr: DSID-0C0907E9, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580\u0000" remote_addr=192.168.3.39 traceID=
grafana                | logger=context userId=1 orgId=1 uname=admin t=2023-08-10T18:11:03.265364103+03:00 level=info msg="Request Completed" method=GET path=/api/admin/ldap/agp status=404 remote_addr=192.168.3.39 time_ms=19 duration=19.206715ms size=85 referer=http://192.168.3.15:3000/admin/ldap handler=/api/admin/ldap/:username

How is this possible?!

About group mapping: we created a group graf_adm. My user is in this group. But Grafana does not create me as an admin. Why?!

  • Can you copy/paste the configuration(s) that you are having problems with?

docker-compose.yml:

  grafana:
    image: grafana/grafana
    user: root
    depends_on:
      - prometheus
    ports:
      - 389:389
      - 3000:3000
    volumes:
      - ./grafana:/var/lib/grafana
      - ./grafana/provisioning/:/etc/grafana/provisioning/
      - ./grafana/etc/grafana.ini:/etc/grafana/grafana.ini
      - ./grafana/etc/ldap.toml:/etc/grafana/ldap.toml
    container_name: grafana
    hostname: grafana
    restart: unless-stopped
    environment:
      TZ: "Europe/Vilnus"
    networks:
      - default

grafana.ini:

[auth.ldap]
# Set to `true` to enable LDAP integration (default: `false`)
enabled = true

# Path to the LDAP specific configuration file (default: `/etc/grafana/ldap.toml`)
config_file = /etc/grafana/ldap.toml

# Allow sign-up should be `true` (default) to allow Grafana to create users on successful LDAP authentication.
# If set to `false` only already existing Grafana users will be able to login.
allow_sign_up = true
# Prevent synchronizing ldap users organization roles
skip_org_role_sync = false

ldap.toml:

verbose_logging = true
[[servers]]
host = "10.0.0.3"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false

bind_dn = "%s@lab.local"
timeout = 10
search_filter = "(sAMAccountName=%s)"

search_base_dns = ["dc=lab,dc=local"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email =  "email"

[[servers.group_mappings]]
group_dn = "cn=graf_adm,dc=lab,dc=local"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "cn=graf_editors,dc=lab,dc=local"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
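The "LDAP users found" log line above lists the user's groups as CN=graf_adm,CN=Users,DC=labs,DC=local, while ldap.toml maps cn=graf_adm,dc=lab,dc=local; the following added Python example (not Grafana code, not from the post) replays the group_mappings evaluation over those two inputs, assuming Grafana's documented rules: mappings are checked in order, the first match decides the org role, "*" matches everyone, and DN comparison is case-insensitive.

```python
"""Replay Grafana-style LDAP group_mappings over the post's own data (added example)."""

def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around commas so 'CN=x, DC=y' == 'cn=x,dc=y'."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def resolve_role(member_of, group_mappings):
    """Return (org_role, grafana_admin) of the first matching mapping, or (None, False)."""
    groups = {normalize_dn(g) for g in member_of}
    for mapping in group_mappings:
        gdn = mapping["group_dn"]
        if gdn == "*" or normalize_dn(gdn) in groups:
            return mapping["org_role"], mapping.get("grafana_admin", False)
    return None, False

def missing_mappings(member_of, group_mappings):
    """List every non-wildcard group_dn that matches none of the user's groups."""
    groups = {normalize_dn(g) for g in member_of}
    return [m["group_dn"] for m in group_mappings
            if m["group_dn"] != "*" and normalize_dn(m["group_dn"]) not in groups]

# [[servers.group_mappings]] entries exactly as written in the posted ldap.toml
MAPPINGS_AS_POSTED = [
    {"group_dn": "cn=graf_adm,dc=lab,dc=local", "org_role": "Admin", "grafana_admin": True},
    {"group_dn": "cn=graf_editors,dc=lab,dc=local", "org_role": "Editor"},
    {"group_dn": "*", "org_role": "Viewer"},
]

# memberOf values copied from the "LDAP users found" debug log line in the post
MEMBER_OF_FROM_LOG = [
    "CN=graf_adm,CN=Users,DC=labs,DC=local",
    "CN=Users,DC=labs,DC=local",
    "CN=G_FS1370DN1,CN=Users,DC=labs,DC=local",
    "CN=Administrators,CN=Builtin,DC=labs,DC=local",
    "CN=Domain Admins,CN=Users,DC=labs,DC=local",
]

# Same mappings, but the Admin group_dn is the full DN as the server returned it
MAPPINGS_FIXED = [
    dict(MAPPINGS_AS_POSTED[0], group_dn="CN=graf_adm,CN=Users,DC=labs,DC=local"),
    *MAPPINGS_AS_POSTED[1:],
]

if __name__ == "__main__":
    # Only "*" matches, which is why the log shows OrgRoles:map[1:Viewer]
    print(resolve_role(MEMBER_OF_FROM_LOG, MAPPINGS_AS_POSTED))  # ('Viewer', False)
    print(missing_mappings(MEMBER_OF_FROM_LOG, MAPPINGS_AS_POSTED))
    print(resolve_role(MEMBER_OF_FROM_LOG, MAPPINGS_FIXED))      # ('Admin', True)
```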