Grafana with ldap "Cannot authentificate admin user in LDAP" error

Could someone please help me? I am facing the below error, “Cannot authentificate admin user in LDAP”, while configuring LDAP with Grafana. I have enabled it in the auth.ldap section of /etc/grafana/grafana.ini. I have also put filters = ldap:debug.

t=2020-05-14T11:14:03+0200 lvl=info msg="LDAP enabled, reading config file" logger=ldap file=/etc/grafana/ldap.toml
t=2020-05-14T11:14:10+0200 lvl=eror msg="Cannot authentificate admin user in LDAP" logger=ldap error="Invalid Username or Password"
t=2020-05-14T11:14:10+0200 lvl=eror msg="No user was found in the LDAP server(s) with that username" logger=context userId=1 orgId=1 uname=admin error="Invalid Username or Password" remote_addr=x.x.x.x
t=2020-05-14T11:14:10+0200 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=GET path=/api/admin/ldap/test status=404 remote_addr=10.71.4.196 time_ms=9 size=72 referer=https://x.x.x.x:3000/admin/ldap

++++++++++++
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
++++++++++++

My /etc/grafana/ldap.toml file looks like this:

++++++++++++
[[servers]]
host = "mmi-vkb001.data.mmi"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = true
root_ca_cert = "/etc/ipa/ca.crt"
bind_dn = "cn=admin,dc=data,dc=mmi"
bind_password = 'xxxxxxxx'
#search_filter = "(cn=%s)"
search_base_dns = ["dc=data,dc=mmi"]
[servers.attributes]
name = “"
surname = "

username = “"
member_of = "

email = “"
[[servers.group_mappings]]
group_dn = "

org_role = "Viewer"
++++++++++++

I am able to see the user in the same server with sssd client.

++++++++++++
[root@grafana1 ~]# getent passwd test
test::381200015:381200015:test surname:/home/test:/bin/sh
[root@grafana1 ~]# getent passwd test@data.mmi
test:
:381200015:381200015:test surname:/home/test:/bin/sh
++++++++++++

My sssd file looks like below. The point to note here is that the communication is happening over TLS and the cert file /etc/ipa/ca.crt is provided; that's why I also mentioned it in grafana.ini as root_ca_cert.

++++++++++++
[domain/data.mmi]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = data.mmi
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = grafana1.data.mmi
chpass_provider = ipa
dyndns_update = True
ipa_server = srv, mmi-vkb001.data.mmi, mmi-vkb002.data.mmi
dyndns_iface = eth0
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
++++++++++++

I am able to connect CockroachDB with Grafana using the below datasource configuration file, which I put into /etc/grafana/provisioning/datasource/

apiVersion: 1

datasources:
  - name: Cockroachdb
    type: postgres
    url: <cockroach haproxy node>:26257
    database: <db name in CockroachDB>
    user: <user name in CockroachDB>
    secureJsonData:
      password: "<password of user in CockroachDB>"
      tlsCACert: "<cockroach CA public key path>"
      tlsClientCert: "<CockroachDB client public key path>"
      tlsClientKey: "<CockroachDB client private key path>"
    jsonData:
      sslmode: "require" # disable/require/verify-ca/verify-full

      maxOpenConns: 0         # Grafana v5.4+
      maxIdleConns: 2         # Grafana v5.4+
      connMaxLifetime: 14400  # Grafana v5.4+
      postgresVersion: 903 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10
      timescaledb: false

Also, Grafana with LDAP(S) worked for me; below is the ldap.toml config:

host = "xxx.xxx.xxx"
port = 636
use_ssl = true
ssl_skip_verify = true
root_ca_cert = "/etc/ipa/ca.crt"
bind_dn = "uid=admin,cn=users,cn=accounts,dc=xxx,dc=xxx"
bind_password = 'xxxx'
search_filter = "(uid=%s)"

We are good to close this post.
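
An added example, not part of the original posts and not Grafana's own code: a small Python check over the ldap.toml settings discussed in this thread, flagging a connection without TLS, disabled certificate validation (which leaves `root_ca_cert` unenforced), and a missing `search_filter` placeholder. The sample config and the names `parse_flat` and `audit` are constructed for illustration, and the parser assumes simple `key = value` lines from a single `[[servers]]` block.

```python
import re

# Constructed sample modelled on the ldap.toml settings quoted in this thread.
SAMPLE = '''
[[servers]]
host = "ldap.example.internal"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = true
root_ca_cert = "/etc/ipa/ca.crt"
bind_dn = "uid=admin,cn=users,cn=accounts,dc=example,dc=internal"
#search_filter = "(uid=%s)"
search_base_dns = ["dc=example,dc=internal"]
'''

def parse_flat(text):
    """Read simple `key = value` lines; commented-out lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$', line)
        if m:
            key, val = m.groups()
            cfg[key] = {"true": True, "false": False}.get(val, val.strip("\"'"))
    return cfg

def audit(text):
    """Return (setting, finding) pairs for one [[servers]] block."""
    cfg, out = parse_flat(text), []
    # use_ssl is the switch for TLS; start_tls only selects STARTTLS vs LDAPS.
    if cfg.get("use_ssl") is not True:
        out.append(("use_ssl", "no TLS: bind and login passwords are sent unencrypted"))
    if cfg.get("ssl_skip_verify") is True:
        note = "server certificate is not validated"
        if "root_ca_cert" in cfg:
            note += "; root_ca_cert is set but not enforced"
        out.append(("ssl_skip_verify", note))
    # Without an active filter containing %s the login name cannot be looked up.
    if "%s" not in str(cfg.get("search_filter", "")):
        out.append(("search_filter", "no active filter with a %s placeholder"))
    return out

if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print(f"{setting}: {finding}")
```
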

Hello all,
I have the same error when I try to connect to LDAP with admin:
lvl=info msg="LDAP enabled, reading config file" logger=ldap file=/etc/grafana/ldap.toml
t=2022-01-03T14:52:54+0100 lvl=eror msg="Cannot authenticate admin user in LDAP" logger=ldap error="invalid username or password"
t=2022-01-03T14:52:54+0100 lvl=eror msg="No user was found in the LDAP server(s) with that username" logger=context userId=1 orgId=1 uname=admin error="invalid username or password" remote_addr=X.X.X.X
t=2022-01-03T14:52:54+0100 lvl=info msg="Request Completed" logger=context userId=1 orgId=1 uname=admin method=GET path=/api/admin/ldap/admin status=404 remote_addr=X.X.X.X time_ms=136 size=72 referer=http://myserver:3000/admin/ldap

This is my config:

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "myldap_server.com"
# Default port is 389 or 636 if use_ssl = true
port = 10389
# Set to true if ldap server supports TLS
use_ssl = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false

# Search user bind dn
bind_dn = "uid=admin,cn=systeme,dc=example,dc=com"
# Search user bind password
bind_password = 'password'

search_filter = "(uid=%s)"

# An array of base dns to search through
search_base_dns = ["dc=example,dc=com"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "displayName"
surname = "sn"
username = "cn"

Could someone please help me?