Grafana, LDAP error

Hi, I'm trying to get LDAP authentication to work with Grafana. I want Grafana to assign roles based on group membership in AD.

I’ve made the security groups in the AD (Viewer, Read & admin) and assigned the members.

It seems like Grafana is able to successfully do the LDAP lookup, but I can't seem to find any users.

I am wondering if the security groups have to be in the same OU as the users? Or does anyone know why it doesn't work?

**Debuglog:**

> t=2022-05-31T05:25:11+0000 lvl=info msg="LDAP enabled, reading config file" logger=ldap file=/etc/grafana/ldap.toml
> t=2022-05-31T05:25:11+0000 lvl=eror msg="Cannot authenticate admin user in LDAP" logger=ldap error="invalid username or password"

**ldap.toml**

> [[servers]]
> host = "192.168.30.25"
> port = 389
> use_ssl = false
> start_tls = false

> bind_dn = "grafanaadmin"
> bind_password = 'XXX'

> search_filter = "(sAMAccountName=%s)"
> search_base_dns = ["DC=enterprise,DC=local"]

> [servers.attributes]
> name = "givenName"
> surname = "sn"
> username = "sAMAccountName"
> member_of = "memberOf"
> email = "mail"

> [[servers.group_mappings]]
> group_dn = "CN=grafana-admin,CN=groups,DC=enterprise,DC=local"
> org_role = "Admin"

> [[servers.group_mappings]]
> group_dn = "CN=grafana-Editor,CN=groups,DC=enterprise,DC=local"
> org_role = "Editor"

> [[servers.group_mappings]]
> group_dn = "*"
> org_role = "Viewer"

No, the memberOf is what will look up the group membership.

What do your logs say?

Add the OU that your users live in, something like:

search_base_dns = ["OU=users,DC=enterprise,DC=local"]

I've also found it helpful to test LDAP queries using ldapsearch. Something like:

ldapsearch -x -b "CN=foo_user,OU=bar_ou,DC=enterprise,DC=local" -H ldap://192.168.30.25 -D "grafanaadmin" -W
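The posted ldap.toml and the search_base_dns advice above can be checked offline before touching the directory. The following is an added example, not code from the thread or from Grafana: a small linter that parses the TOML subset ldap.toml uses, flags the bare bind_dn (AD's simple bind takes a full DN or a UPN), the cleartext transport (neither use_ssl nor start_tls, so the bind password and every login password cross port 389 unencrypted) and the wildcard group mapping (group_dn "*" gives Viewer to every directory account that can authenticate), then runs against the configuration as posted (password redacted, embedded as a constructed sample) and against a hardened variant. The service-account DN, the CA file path and the grafana-viewer group in the hardened variant are assumptions, not values from the thread.

```python
import re

# Minimal parser for the TOML subset ldap.toml uses:
# [[array.of.tables]], [sub.table], key = "str" | 'str' | 123 | true | ["a", "b"]
def _walk(root, parts):
    """Parent of the last path element; an array of tables resolves to its last table."""
    node = root
    for part in parts[:-1]:
        node = node[part]
        node = node[-1] if isinstance(node, list) else node
    return node

def _parse_value(raw):
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [_parse_value(s) for s in re.findall(r'"[^"]*"|\'[^\']*\'|[^,\s]+', raw[1:-1])]
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    raise ValueError(f"unsupported value {raw!r}")

def parse_toml_subset(text):
    root = current = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[\[([\w.]+)\]\]", line):   # [[servers]], [[servers.group_mappings]]
            parts, current = m.group(1).split("."), {}
            _walk(root, parts).setdefault(parts[-1], []).append(current)
        elif m := re.fullmatch(r"\[([\w.]+)\]", line):     # [servers.attributes]
            parts = m.group(1).split(".")
            current = _walk(root, parts)[parts[-1]] = {}
        elif m := re.fullmatch(r"(\w+)\s*=\s*(.+)", line):
            if m.group(1) in current:
                raise ValueError(f"line {lineno}: duplicate key {m.group(1)!r}")
            current[m.group(1)] = _parse_value(m.group(2))
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return root

def lint_ldap_config(text):
    """Return (severity, message) findings for a Grafana ldap.toml; [] means nothing flagged."""
    findings = []
    for i, srv in enumerate(parse_toml_subset(text).get("servers", [])):
        where, bind_dn = f"servers[{i}]", srv.get("bind_dn", "")
        # A DN contains '=', a UPN '@', an NT-style name '\'. A bare account name is none of
        # these; bind with the account's full DN or UPN, the forms AD accepts for simple bind.
        if bind_dn and not any(c in bind_dn for c in "=@\\"):
            findings.append(("error", f"{where}: bind_dn {bind_dn!r} is a bare account name; "
                             "use the service account's full DN or UPN (user@domain)"))
        if not srv.get("use_ssl") and not srv.get("start_tls"):
            findings.append(("error", f"{where}: neither use_ssl nor start_tls is set, so the "
                             "bind password and every login password cross the wire in clear text"))
        mappings = srv.get("group_mappings", [])
        for j, gm in enumerate(mappings):
            tag, role = f"{where}.group_mappings[{j}]", gm.get("org_role")
            if gm.get("group_dn") == "*":
                findings.append(("warning", f"{tag}: group_dn '*' gives org_role {role!r} to "
                                 "every directory account that can authenticate"))
                if j != len(mappings) - 1:   # the first matching mapping per org wins
                    findings.append(("error", f"{tag}: wildcard precedes other mappings and shadows them"))
    return findings

# Constructed sample: the ldap.toml posted above, password redacted.
POSTED_CONFIG = """
[[servers]]
host = "192.168.30.25"
port = 389
use_ssl = false
start_tls = false
bind_dn = "grafanaadmin"
bind_password = 'XXX'
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["DC=enterprise,DC=local"]
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"
[[servers.group_mappings]]
group_dn = "CN=grafana-admin,CN=groups,DC=enterprise,DC=local"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "CN=grafana-Editor,CN=groups,DC=enterprise,DC=local"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
"""

# Hardened variant, written as the edits to the posted file: LDAPS with the domain CA pinned,
# the service account as a full DN, the user OU as search base, and an explicit viewer group
# instead of the wildcard so accounts outside the three groups are refused. The DN, CA path
# and viewer group name are assumptions, not values from the thread.
HARDENED_CONFIG = (POSTED_CONFIG
    .replace('port = 389\nuse_ssl = false',
             'port = 636\nuse_ssl = true\nroot_ca_cert = "/etc/grafana/enterprise-local-ca.pem"')
    .replace('bind_dn = "grafanaadmin"',
             'bind_dn = "CN=grafanaadmin,OU=Service Accounts,DC=enterprise,DC=local"')
    .replace('["DC=enterprise,DC=local"]', '["OU=users,DC=enterprise,DC=local"]')
    .replace('group_dn = "*"', 'group_dn = "CN=grafana-viewer,CN=groups,DC=enterprise,DC=local"'))
```

Call `lint_ldap_config` on the file contents: against the posted configuration it reports the bare bind_dn, the cleartext transport and the wildcard mapping, and nothing for the hardened variant. The parser covers only the constructs ldap.toml uses, and Grafana's own loader remains the authority on the full format; the linter is a pre-flight check, not a substitute for confirming the bind with ldapsearch.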