Grafana LDAP configuration %s is empty while querying LDAP server

Hello everyone,

I was doing a nested LDAP group setup for Grafana but I hit a strange issue and I don’t really know if it’s related to my config file or just a bug.

The LDAP search is working correctly because even if I type my givenName, Grafana still finds the sAMAccountName and uses it to log the users into Grafana.
But when I set up the “group_search_filter =” option with the %s to retrieve this information, it’s just empty and the LDAP query retrieves nothing.

Here is my LDAP config file:

[[servers]]
host = "172.31.18.243 172.31.18.244"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false


bind_dn = "CN=SA_grafana,OU=Logs,OU=ServicesAccount,OU=Labo,DC=labo,DC=local"

bind_password = 'bindpassword'

search_filter = "(|(sAMAccountName=%s)(cn=%s))"

search_base_dns = ["DC=labo,DC=local"]

group_search_filter = "(member:1.2.840.113556.1.4.1941:=CN=%s,OU=Groups,OU=Labo,DC=labo,DC=local)"
group_search_base_dns = ["OU=Groups,OU=Labo,DC=labo,DC=local"]
group_search_filter_user_attribute = "cn"

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "email"


[[servers.group_mappings]]
group_dn = "CN=GS_Dashboard_Supervision_FC,OU=ACL,OU=Groups,OU=Labo,DC=labo,DC=local"
org_role = "Admin"
grafana_admin = true
org_id = 1

Here are the logs where I used my givenName to attempt a login. Here, it can find the sAMAccountName but just above in the LDAP filter search, the attribute %s is empty…


(the real domain has been blanked out.)

I asked the people who built this test LDAP server if the account I’m using has the rights to read the CN on the domain and it can?

The user I used is present in 2 different groups: an ACL group and a designation group (like Support or Workers, IT, …) and I want to use the ACL group to have more control over the rights allowed when the user logs in.

EDIT: OK, I was messing with the settings and I noticed that modifying “group_search_filter_user_attribute =” to givenName gave me the givenName attribute, but it’s badly encoded and the special characters (like accents in my case) do not work here:

If I set the “name” server attribute to “displayName” instead of “givenName” it does the query with the correct value:

If I understand correctly, the query does use a group_search_filter_user_attribute. But how do I tell the query to use an attribute it didn’t retrieve for Grafana? Because the name, surname, username, member_of and email are retrieved by Grafana but not the other LDAP attributes.

The workaround is to use “displayName” for the “name” servers.attribute and comment out the “surname” attribute to avoid getting the surname twice if the surname is inside the displayName.

It is understandable that Grafana does not retrieve attributes that have not been specified in [servers.attributes], but it forces a workaround instead of letting you tell Grafana to retrieve custom attributes, for example if some people want to make a complex “group_search_filter”.
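Added example, not part of the original post and not Grafana's code: a simplified Python model of substituting %s in the group_search_filter above from a user entry that holds only the fetched attributes. It shows the empty-value case failing loudly and the RFC 4515 escaped form of an accented value, which is a valid filter encoding. The function names and the user entry are hypothetical and constructed for illustration.

```python
# Simplified model of "%s" substitution in an LDAP group search filter.
# Illustration only; function names and sample data are constructed.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    NUL, '(', ')', '*' and '\\' must be escaped as a backslash plus two hex
    digits. Non-ASCII bytes of the UTF-8 encoding are escaped the same way
    here, which RFC 4515 permits.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_group_filter(template: str, entry: dict, user_attribute: str) -> str:
    """Replace %s in template with the escaped value of entry[user_attribute].

    Raises LookupError when the attribute was not among those fetched for the
    user, instead of silently building a filter around an empty value.
    """
    values = entry.get(user_attribute) or []
    if not values or not values[0]:
        raise LookupError(f"attribute {user_attribute!r} missing from user entry")
    return template.replace("%s", escape_filter_value(values[0]))


# Filter template taken from the config in the post.
TEMPLATE = "(member:1.2.840.113556.1.4.1941:=CN=%s,OU=Groups,OU=Labo,DC=labo,DC=local)"

# Constructed user entry: only the attributes that were requested are present.
# "J\u00e9r\u00f4me" is written with escapes so the accents are precomposed.
ENTRY = {
    "sAMAccountName": ["jdupont"],
    "givenName": ["J\u00e9r\u00f4me"],
    "sn": ["Dupont"],
}

if __name__ == "__main__":
    print(build_group_filter(TEMPLATE, ENTRY, "givenName"))
    try:
        build_group_filter(TEMPLATE, ENTRY, "cn")  # "cn" was never fetched
    except LookupError as err:
        print("refused:", err)
```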