Here is a copy of my ldap.toml file.
To troubleshoot and get more log info enable ldap debug logging in grafana.ini
[log]
filters = ldap:debug
[[servers]]
Ldap server host (specify multiple hosts space separated)
host = “ad-server1 ad-server2”
Default port is 389 or 636 if use_ssl = true
port = 389
Set to true if ldap server supports TLS
use_ssl = false
Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
set to true if you want to skip ssl cert validation
ssl_skip_verify = false
set to the path to your root CA certificate or leave unset to use system defaults
root_ca_cert = /path/to/certificate.crt
Search user bind dn
bind_dn = “CN=srvcldapuser,OU=Service Accounts,OU=Internal,DC=something,DC=contosos,DC=net”
Search user bind password
If the password contains # or ; you have to wrap it with trippel quotes. Ex “”"#password;"""
bind_password = ‘LLjfaSLDfas0e’
User search filter, for example “(cn=%s)” or “(sAMAccountName=%s)” or “(uid=%s)”
search_filter = “(sAMAccountName=%s)”
An array of base dns to search through
search_base_dns = [“OU=Users,OU=Internal,DC=something,DC=contoso,DC=net”]
In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
This is done by enabling group_search_filter below. You must also set member_of= “cn”
in [servers.attributes] below.
Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
below in such a way that the user’s recursive group membership is considered.
Nested Groups + Active Directory (AD) Example:
AD groups store the Distinguished Names (DNs) of members, so your filter must
recursively search your groups for the authenticating user’s DN. For example:
group_search_filter = “(member:1.2.840.113556.1.4.1941:=%s)”
group_search_filter_user_attribute = “distinguishedName”
group_search_base_dns = [“ou=groups,dc=grafana,dc=org”]
[servers.attributes]
…
member_of = “distinguishedName”
Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
group_search_filter = “(&(objectClass=posixGroup)(memberUid=%s))”
Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
Defaults to the value of username in [server.attributes]
Valid options are any of your values in [servers.attributes]
If you are using nested groups you probably want to set this and member_of in
[servers.attributes] to “distinguishedName”
group_search_filter_user_attribute = “distinguishedName”
An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_base_dns = [“ou=groups,dc=grafana,dc=org”]
Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = “email”
Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "CN=GrafanaAdmins,OU=Groups,OU=Internal,DC=something,DC=contoso,DC=net"
org_role = “Admin”
The Grafana organization database id, optional, if left out the default org (id 1) will be used
org_id = 1
[[servers.group_mappings]]
group_dn = "CN=GrafanaEditors,OU=Groups,OU=Internal,DC=something,DC=contoso,DC=net"
org_role = “Editor”
[[servers.group_mappings]]
If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = “Viewer”
