LDAP/AD nested groups problem

Trying to configure Grafana with LDAP and nested groups, however I have not been able to get it working. Users not within a nested group seem to work perfectly. When trying to authenticate with a user in a nested group, e.g. the CN=Grafana-Editor,OU=Grafana,OU=Resources,DC=xxx,DC=xxx group, the log simply states that the LDAP user is found, outputs all the AD groups (Grafana-Editor is not present) and finally the generic error

"LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"

Any input is greatly appreciated.

Grafana v5.2.1
My configuration:

[[servers]]
host = "xxx"
port = 3268
use_ssl = false
start_tls = false
ssl_skip_verify = true
bind_dn = "CN=xxx,OU=SA,OU=Accounts,OU=Resources,DC=xxx,DC=xxx"
bind_password = 'xxx'
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["DC=xxx,DC=xxx"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "mail"

group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
group_search_filter_user_attribute = "memberOf"
group_search_base_dns = ["DC=xxx,DC=xxx"]


# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "CN=VFL_IT_OU,OU=Grupper,DC=xxx,DC=xxx"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used.  Setting this allows for multiple group_dn's to be assigned to the same org_role provided the org_id differs
# org_id = 1

[[servers.group_mappings]]
group_dn = "CN=Grafana-Editor,OU=Grafana,OU=Resources,DC=xxx,DC=xxx"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "CN=Grafana-Viewer,OU=Grafana,OU=Resources,DC=xxx,DC=xxx"
org_role = "Viewer"

Please help on this issue @mefraimsson .

Ldap configuration is not working

Below are the error logs:

EROR[04-22|15:57:34] Error while trying to authenticate user logger=context userId=0 orgId=0 uname= error="LDAP Result Code 32 "No Such Object": NDS error: no such entry (-601)"
EROR[04-22|15:57:34] Request Completed logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=10.115.127.142 time_ms=1323 size=53 referer=http://10.23.100.28:5000/login

My ldap.toml file
> # To troubleshoot and get more log info enable ldap debug logging in grafana.ini
> # [log]
> # filters = ldap:debug
>
> [[servers]]
> # Ldap server host (specify multiple hosts space separated)
> host = "10.192.120.55"
> # Default port is 389 or 636 if use_ssl = true
> port = 389
> # Set to true if ldap server supports TLS
> use_ssl = true
> # Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
> start_tls = true
> # set to true if you want to skip ssl cert validation
> ssl_skip_verify = true
> # set to the path to your root CA certificate or leave unset to use system defaults
> # root_ca_cert = "/path/to/certificate.crt"
>
> # Search user bind dn
> bind_dn = "cn=%s,ou=users,o=standardchartered"
> # Search user bind password
> # If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
> #bind_password = 'grafana'
>
> # User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
> search_filter = "(cn=%s)"
>
> # An array of base dns to search through
> search_base_dns = ["cn=%s,ou=users,o=standardchartered"]
>
> # In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
> # This is done by enabling group_search_filter below. You must also set member_of= "cn"
> # in [servers.attributes] below.
>
> # Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
> # can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
> # below in such a way that the user's recursive group membership is considered.
> #
> # Nested Groups + Active Directory (AD) Example:
> #
> # AD groups store the Distinguished Names (DNs) of members, so your filter must
> # recursively search your groups for the authenticating user's DN. For example:
> #
> # group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
> # group_search_filter_user_attribute = "distinguishedName"
> # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
> #
> # [servers.attributes]
> # …
> # member_of = "distinguishedName"
>
> ## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
> # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
> ## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
> ## Defaults to the value of username in [server.attributes]
> ## Valid options are any of your values in [servers.attributes]
> ## If you are using nested groups you probably want to set this and member_of in
> ## [servers.attributes] to "distinguishedName"
> # group_search_filter_user_attribute = "distinguishedName"
> ## An array of the base DNs to search through for groups. Typically uses ou=groups
> # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
>
> # Specify names of the ldap attributes your ldap uses
> [servers.attributes]
> name = "givenName"
> surname = "sn"
> username = "cn"
> member_of = "memberOf"
> email = "email"
>
> # Map ldap groups to grafana org roles
> [[servers.group_mappings]]
> group_dn = "cn=admins,ou=users,o=standardchartered"
> org_role = "Admin"
> # The Grafana organization database id, optional, if left out the default org (id 1) will be used
> # org_id = 1
>
> [[servers.group_mappings]]
> group_dn = "cn=users,dc=grafana,dc=org"
> org_role = "Editor"
>
> [[servers.group_mappings]]
> # If you want to match all (or no ldap groups) then you can use wildcard
> group_dn = "*"
> org_role = "Viewer"

The error says that the configured ldap groups cannot be found. Please use ldapsearch tool or similar to verify what information you get for the user you’re trying to login with. Besides this I can only refer to https://grafana.com/docs/auth/ldap/#openldap since I don’t have any more details about your setup.
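To show why the nested-group setup in the first post fails while the commented AD example in the second config works, here is an added, self-contained model (not Grafana's code, not from either poster) of what the `member:1.2.840.113556.1.4.1941` chain filter resolves and what Grafana substitutes for `%s`. The directory contents, the user `jdoe` and the `All-Staff`/`IT-Staff` groups are constructed; the assumption that Grafana takes the first value of `group_search_filter_user_attribute` (so `memberOf` yields some group DN rather than the user's DN) is modelled explicitly.

```python
import re

# Constructed stand-in for the AD objects named in the thread (not a real directory):
# jdoe is a direct member of All-Staff and IT-Staff; IT-Staff is nested inside Grafana-Editor.
USER_DN = "CN=jdoe,OU=Users,OU=Resources,DC=xxx,DC=xxx"
ALL_STAFF = "CN=All-Staff,OU=Grupper,DC=xxx,DC=xxx"
IT_STAFF = "CN=IT-Staff,OU=Grupper,DC=xxx,DC=xxx"
EDITOR = "CN=Grafana-Editor,OU=Grafana,OU=Resources,DC=xxx,DC=xxx"
DIRECTORY = {
    USER_DN: {"sAMAccountName": ["jdoe"], "memberOf": [ALL_STAFF, IT_STAFF]},
    ALL_STAFF: {"member": [USER_DN]},
    IT_STAFF: {"member": [USER_DN]},
    EDITOR: {"member": [IT_STAFF]},
}
GROUP_MAPPINGS = [  # group_dn -> org_role, in the order the first post lists them
    ("CN=VFL_IT_OU,OU=Grupper,DC=xxx,DC=xxx", "Admin"),
    (EDITOR, "Editor"),
    ("CN=Grafana-Viewer,OU=Grafana,OU=Resources,DC=xxx,DC=xxx", "Viewer"),
]
CHAIN_FILTER = re.compile(r"^\(member:1\.2\.840\.113556\.1\.4\.1941:=(.+)\)$")

def chain_members(group_dn, seen=None):
    """Transitive closure of 'member': what LDAP_MATCHING_RULE_IN_CHAIN walks server-side."""
    seen = set() if seen is None else seen
    for dn in DIRECTORY.get(group_dn, {}).get("member", []):
        if dn not in seen:
            seen.add(dn)
            chain_members(dn, seen)
    return seen

def chain_search(ldap_filter):
    """Evaluate a (member:1.2.840.113556.1.4.1941:=<dn>) filter against every group."""
    target = CHAIN_FILTER.match(ldap_filter).group(1)
    return sorted(dn for dn, a in DIRECTORY.items() if "member" in a and target in chain_members(dn))

def nested_groups(user_dn, group_search_filter, user_attribute):
    """Grafana-style lookup: the first value of group_search_filter_user_attribute replaces %s
    (the substitution is modelled as an assumption; RFC 4515 value escaping is omitted)."""
    attrs = {**DIRECTORY[user_dn], "distinguishedName": [user_dn]}
    return chain_search(group_search_filter.replace("%s", attrs[user_attribute][0]))

def direct_groups(user_dn):
    """What the user's own memberOf attribute reports: direct membership only, no nesting."""
    return sorted(DIRECTORY[user_dn]["memberOf"])

def org_role(groups):
    """First group mapping the user satisfies wins; None means no mapping matched."""
    return next((role for group_dn, role in GROUP_MAPPINGS if group_dn in groups), None)
```

With `group_search_filter_user_attribute = "memberOf"` the chain search is run for a group DN instead of the user's DN and returns nothing, which matches the first post's log (groups listed, Grafana-Editor absent); with `distinguishedName` the nested Grafana-Editor group is found and maps to Editor.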