Grafana upgrade form 8.5 to 9.0 breaks auth.ldap

  • What Grafana version and what operating system are you using?
    Grafana 8.5 to 9.0 on Oracle Enterprise Linux 8.6
  • What are you trying to achieve?
    Upgrade from 8.5 to 9.0
  • How are you trying to achieve it?
    dnf update grafana
  • What happened?
    The upgrade completes successfully, but it breaks LDAP auth. In the Server Admin / LDAP page I get:
    Failed to obtain the LDAP configuration. Please verify the configuration and try again but in the Settings page I see:
    |sync_cron|0 0 1 * * *|

The LDAP auth works fine when I restore the backup back to 8.5.

  • What did you expect to happen?
    Upgraded version with LDAP auth working

  • Can you copy/paste the configuration(s) that you are having problems with?
    host = “
    port = 636
    use_ssl = true
    start_tls = false
    ssl_skip_verify = false
    bind_dn = “uid=ldapsystembind,cn=sysaccounts,cn=etc,dc=company,dc=com”
    bind_password = ‘!MJggsdgdfif02O!’
    search_filter = “(uid=%s)”
    search_base_dns = [“cn=users,cn=accounts,dc=company,dc=com”]

name = “givenname”
surname = “sn”
username = “uid”
member_of = “memberof”
email = “mail”

group_dn = “cn=grafana_admin,cn=groups,cn=accounts,dc=company,dc=com”
org_role = “Admin”
grafana_admin = true
org_id = 1

group_dn = “cn=grafana_editor,cn=groups,cn=accounts,dc=company,dc=com”
org_role = “Editor”
org_id = 1

group_dn = “cn=grafana_viewer,cn=groups,cn=accounts,dc=company,dc=com”
org_role = “Viewer”
org_id = 1


If you want to match all (or no ldap groups) then you can use wildcard

#group_dn = “*”
#org_role = “Viewer”
#org_id = 1

group_dn = “cn=grafana_stage_admin,cn=groups,cn=accounts,dc=company,dc=com”
org_role = “Admin”
grafana_admin = true
org_id = 2

group_dn = “cn=grafana_stage_editor,cn=groups,cn=accounts,dc=company,dc=com”
org_role = “Editor”
org_id = 2

group_dn = “cn=grafana_stage_viewer,cn=groups,cn=accounts,dc=company,dc=com”
org_role = “Viewer”
org_id = 2

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    logger=context traceID=00000000000000000000000000000000 t=2022-08-09T11:14:44.814921982Z level=error msg=“Failed to look up user based on cookie” error=“user token not found”
    logger=context traceID=00000000000000000000000000000000 userId=0 orgId=0 uname= t=2022-08-09T11:14:44.815854325Z level=info msg=“Request Completed” method=GET path=/api/live/ws status=401 remote_addr= time_ms=1 duration=1.561632ms size=27 referer= traceID=00000000000000000000000000000000

  • Did you follow any online instructions? If so, what is the URL?
    I am unable to find any docs relating to this issue online

did you try to restart the service/server after upgrade?

Thank you for the response. Yes I did.

I had to roll back to 8.5. Can anybody shed any light on this?

I now see the following in the logs:
level=error msg=“Error while trying to authenticate user” error=“Failed to get LDAP config: LDAP group mapping: organization role or grafana admin status is required” remote_addr= traceID=00000000000000000000000000000000

What in the config above is not correct as I cant see why it will break between 8.5 and 9.0

is this an on prem grafana or enterprise cloud?
if on prem, has the ip address of grafana changed from previous setting or it is static?

This is a OSS on Prem VM with a static IP address. I installed a brand new server with grafana 9.1 and the same thing is happening so, it must be something in the config. I just cant see what it is.

The problem has been resolved.

In my config for 8.x, I had this:

This is 9.x is not allowed and all it needed was this:
#group_dn = “*”
#org_role = “Viewer”
#org_id = 1

So a single # was all that was needed

1 Like