Grafana - use ldap

hi,

I don't know how to use LDAP in Grafana.

My config file grafana.ini:

[auth.ldap]
;enabled = false
;config_file = /etc/grafana/ldap.toml
;allow_sign_up = true

enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true

My config file ldap.toml:

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "XXXXX"
# Default port is 389 or 636 if use_ssl = true
port = 3268
#port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# Search user bind dn
#bind_dn = "cn=admin,dc=grafana,dc=org"
bind_dn = "XXXX"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'XXXX'
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"
# An array of base dns to search through
#search_base_dns = ["dc=grafana,dc=org"]
search_base_dns = ["OU=Users,OU=XXX,OU=XXX,DC=XX,DC=XX,DC=XXXX,DC=XXX"]

Log file:

t=2019-08-05T18:02:41+0200 lvl=info msg="Initial bind failed" logger=ldap error="LDAP Result Code 49 \"Invalid Credentials\": 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839"

Did you google the error code?

Yes, but it does not work. I have this message:

t=2019-08-06T12:01:57+0200 lvl=info msg="Initial bind failed" logger=ldap error="LDAP Result Code 49 \"Invalid Credentials\": 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839"

Do I need to create the same AD user in Grafana?

No, the LDAP method sends the username and password through to your AD, which then validates them and, if OK, allows you to log in.

Here is my working example for our configuration, with a default configuration of some roles based on AD groups.

[[servers]]
host = "domain.com"
port = 3269
use_ssl = true
start_tls = false
ssl_skip_verify = true
bind_dn = "domain\\%s"
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["dc=domain,dc=com"]
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"
[[servers.group_mappings]]
group_dn = "CN=SomeGroup,OU=SomeOu,DC=domain,DC=com"
org_role = "Admin"
grafana_admin = true # Available in Grafana v5.3 and above
[[servers.group_mappings]]
group_dn = "CN=SomeGroup,OU=SomeOu,DC=domain,DC=com"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "CN=SomeGroup,OU=SomeOu,DC=domain,DC=com"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "CN=SomeGroup,OU=SomeOu,DC=domain,DC=com"
org_role = "Viewer"
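As an added example that is not from the thread or from Grafana itself, a small Python triage script that parses Grafana's "Initial bind failed" log lines like the ones above and maps the Active Directory sub-code after `data` to its meaning: 52e means AD rejected the password for the DN given in `bind_dn`, the bind Grafana performs before searching for the user. The sub-code table is the commonly published AD reference; the sample log is constructed apart from the thread's own line.

```python
import re

# Well-known Active Directory sub-codes reported after "data" with LDAP result 49
# (invalidCredentials). Reference table, not taken from the thread itself.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: wrong password for the bind DN",
    "530": "not permitted to log on at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Grafana's logfmt-style LDAP log line, as seen in the thread; the error field may
# contain escaped quotes, so it is matched greedily up to the final quote.
LOG_RE = re.compile(
    r'^t=(?P<ts>\S+) lvl=(?P<lvl>\w+) msg="(?P<msg>[^"]*)" logger=ldap error="(?P<err>.*)"$'
)
# LDAP result code plus the optional AD sub-code ("data 52e").
ERR_RE = re.compile(r"LDAP Result Code (?P<code>\d+)(?:.*?data (?P<sub>[0-9a-fA-F]+))?")

def triage(line):
    """Describe an LDAP bind failure line, or return None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = ERR_RE.search(m.group("err"))
    if not e:
        return None
    sub = e.group("sub")
    meaning = AD_BIND_SUBCODES.get(sub.lower(), "unknown AD sub-code") if sub else "no AD sub-code"
    return {"ts": m.group("ts"), "msg": m.group("msg"),
            "result_code": int(e.group("code")), "ad_data": sub, "meaning": meaning}

def triage_log(text):
    """Triage every line of a log excerpt; non-matching lines are skipped."""
    return [r for r in (triage(l) for l in text.splitlines()) if r]

# Constructed sample log: the first line is the thread's own, the other two are made up.
SAMPLE_LOG = r'''
t=2019-08-06T12:01:57+0200 lvl=info msg="Initial bind failed" logger=ldap error="LDAP Result Code 49 \"Invalid Credentials\": 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839"
t=2019-08-06T12:05:10+0200 lvl=info msg="Initial bind failed" logger=ldap error="LDAP Result Code 49 \"Invalid Credentials\": 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 775, v3839"
t=2019-08-06T12:05:11+0200 lvl=info msg="Initializing LDAP" logger=ldap
'''

for r in triage_log(SAMPLE_LOG):
    print(f'{r["ts"]} {r["msg"]}: result {r["result_code"]}, data {r["ad_data"]} -> {r["meaning"]}')
```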

Disclaimer: New to Grafana but not new to LDAP usage with other tools, though only with Linux installs.

Disclaimer 2: My question applies to a Windows install of Grafana.

There is an ldap.toml file in the conf folder on Windows, but the config file is /etc/grafana/ldap.toml.

So how do I 'reference/connect' a Windows Grafana install to utilize LDAP and employ an ldap.toml file in C:\Program Files\grafana-5.2.4\conf, i.e. change the following from

grafana.ini:config_file = /etc/grafana/ldap.toml

to

grafana.ini:config_file = C:\Program Files\grafana-5.2.4\conf\ldap.toml

?

Thx