I am trying to configure Grafana with LDAP and nested groups, but I have not been able to get it working. Users who are not in a nested group seem to work perfectly. When trying to authenticate with a user in a nested group, e.g. the CN=Grafana-Editor,OU=Grafana,OU=Resources,DC=xxx,DC=xxx group, the log simply states that the LDAP user is found, outputs all of the user's AD groups (Grafana-Editor is not among them), and finally the generic error
“LDAP Result Code 49 “Invalid Credentials”: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580”
Any input is greatly appreciated.
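[[servers]]
host = "xxx"
# 3268 is the AD Global Catalog port over plain LDAP. With use_ssl = false and
# start_tls = false the service-account bind below and every user's password
# cross the network unencrypted. Prefer port 3269 with use_ssl = true (or
# start_tls = true) and verify the DC certificate rather than skipping it.
port = 3268
use_ssl = false
start_tls = false
# Has no effect while TLS is off. Once you enable TLS, set this to false and
# point root_ca_cert at the CA that issued the DC certificate; skipping
# verification leaves the bind open to a man-in-the-middle.
ssl_skip_verify = true
bind_dn = "CN=xxx,OU=SA,OU=Accounts,OU=Resources,DC=xxx,DC=xxx"
# Stored in clear text: keep this file readable only by the Grafana service user.
bind_password = 'xxx'
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["DC=xxx,DC=xxx"]

# Nested-group lookup. These keys belong to the [[servers]] table, so they must
# come BEFORE the [servers.attributes] header: in TOML every key after a header
# belongs to that table, so placed after it they become servers.attributes.*
# and the nested search is never configured (only direct memberOf groups are
# seen, which matches the log described above).
# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN; applied to the
# member attribute AD resolves group membership transitively. The original
# value 1.2.840.1135126.96.36.1991 is not a valid matching-rule OID.
group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
# %s in the filter must be the user's own DN for the in-chain rule to match.
# memberOf is a list of (direct) group DNs, not the user's DN.
group_search_filter_user_attribute = "distinguishedName"
group_search_base_dns = ["DC=xxx,DC=xxx"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"

# Map LDAP groups to Grafana org roles. Keep the most privileged mapping first:
# per Grafana's LDAP docs the first matching mapping for an org is the one used.
[[servers.group_mappings]]
group_dn = "CN=VFL_IT_OU,OU=Grupper,DC=xxx,DC=xxx"
org_role = "Admin"
# The Grafana organization database id, optional; if left out the default org
# (id 1) is used. Setting this allows several group_dn's to map to the same
# org_role as long as the org_id differs.
# org_id = 1

[[servers.group_mappings]]
group_dn = "CN=Grafana-Editor,OU=Grafana,OU=Resources,DC=xxx,DC=xxx"
org_role = "Editor"

[[servers.group_mappings]]
# An explicit DN, not the "*" wildcard: only members of this group get Viewer.
# Users matching none of the mappings are expected to be refused by Grafana
# rather than silently given a role.
group_dn = "CN=Grafana-Viewer,OU=Grafana,OU=Resources,DC=xxx,DC=xxx"
org_role = "Viewer"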