Hi guys,
Would you be so kind as to help me with LDAP authentication in Grafana?
More specifically, my configuration looks like:
host = "xxx"
port = 636
use_ssl = true
root_ca_cert = "xxx.pem"
bind_dn = "uid=xxx,ou=xxx,dc=xxx,dc=xxx"
bind_password = "xxx"
search_filter = "(uid=%s)"
group_search_filter = "(&(objectClass=posixGroup)(member=%s))"
group_search_base_dns = ['ou=xxx,ou=xxx,ou=xxx,dc=xxx,dc=xxx']
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "cn"
email = "mail"
[[servers.group_mappings]]
group_dn = "cn=grafana,ou=xxx,ou=xxx,ou=xxx,dc=xxx,dc=xxx"
org_role = "Admin"
The logs complain about:
t=2018-01-19T12:40:06+0100 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=xxx time_ms=1 size=29 referer=
t=2018-01-19T12:40:15+0100 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(objectClass=posixGroup)(member=nskalis))"
t=2018-01-19T12:40:15+0100 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc4201d0f50)({\n DN: (string) (len=35) \"uid=nskalis,ou=xxx,dc=xxx,dc=xxx\",\n FirstName: (string) (len=5) \"Nikos\",\n LastName: (string) (len=6) \"Skalis\",\n Username: (string) (len=7) \"nskalis\",\n Email: (string) (len=25) \"xxx@xxx\",\n MemberOf: ([]string) <nil>\n})\n"
t=2018-01-19T12:40:15+0100 lvl=info msg="Ldap Auth: user does not belong in any of the specified ldap groups" logger=ldap username=nskalis groups=[]
t=2018-01-19T12:40:15+0100 lvl=eror msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="Invalid Username or Password"
t=2018-01-19T12:40:15+0100 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=401 remote_addr=xxx time_ms=128 size=42 referer=http://xxx/login
While I am a member of the grafana LDAP group.
Could you please advise what I am doing wrong?
The problem seems to be that:
group_search_filter = "(&(objectClass=posixGroup)(member=%s))"
and %s must be the full DN of the user that is a member, e.g.
%s = uid=nskalis,ou=xxx,dc=xxx,dc=xxx
and not just nskalis; the group stores DNs of members in the member attribute.
In other words, here
t=2018-01-19T12:40:15+0100 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(objectClass=posixGroup)(member=nskalis))"
Eventually %s needs to be replaced with something that represents the user's DN.
Niko
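As an added illustration of the answer above (this is not part of the original thread and not Grafana's own code): a small offline Python model of the `%s` substitution in `group_search_filter`, run against constructed directory entries. It shows that substituting the uid into `(member=%s)` matches nothing because `member` holds DNs, while substituting the user's DN (what Grafana's `group_search_filter_user_attribute` selects; its availability in the poster's Grafana version is an assumption) does match. It also shows the alternative of matching the bare uid against `memberUid` on an RFC 2307 posixGroup, and it escapes the substituted value per RFC 4515 so that a crafted username cannot rewrite the filter. The entries, DNs and the `hostile` user are constructed for the example.

```python
"""Offline model of how Grafana's LDAP group_search_filter behaves when %s is
filled with the username versus the user's DN. Added example with constructed
directory entries; no LDAP server and no Grafana code involved."""
import re

# Constructed entries standing in for what the server would return (not real data).
# Attribute names are lowercased because LDAP attribute names are case-insensitive.
USER = {
    "dn": ["uid=nskalis,ou=people,dc=example,dc=org"],
    "uid": ["nskalis"],
    "objectclass": ["inetOrgPerson"],
}
GROUP = {
    "dn": ["cn=grafana,ou=groups,dc=example,dc=org"],
    "objectclass": ["posixGroup"],
    "member": ["uid=nskalis,ou=people,dc=example,dc=org"],  # member holds DNs, as in the thread
    "memberuid": ["nskalis"],                               # RFC 2307 posixGroup keeps bare uids here
}

# The filter from the original post.
THREAD_FILTER = "(&(objectClass=posixGroup)(member=%s))"

# RFC 4515 escaping of assertion values; anything substituted into a filter goes through this.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_group_filter(template: str, user: dict, user_attribute: str = "uid") -> str:
    """Replace %s with the chosen user attribute. 'uid' mirrors Grafana's default
    (the username); 'dn' mirrors group_search_filter_user_attribute = "dn"
    (assumed to be available in the installed Grafana version)."""
    value = user[user_attribute.lower()][0]
    return template.replace("%s", escape_filter_value(value))


def parse_filter(text: str):
    """Minimal RFC 4515 parser: (&...), (|...) and (attr=value) only."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)  # safe: escaped values contain no literal ')'
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr.lower(), unescape_filter_value(value))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(entry: dict, tree) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive equality,
    a simplification of real LDAP matching rules)."""
    if tree[0] == "&":
        return all(matches(entry, c) for c in tree[1])
    if tree[0] == "|":
        return any(matches(entry, c) for c in tree[1])
    _, attr, value = tree
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def user_groups(template: str, user: dict, groups: list, user_attribute: str = "uid") -> list:
    """Return DNs of the groups the user is found in, as Grafana's group search would."""
    tree = parse_filter(build_group_filter(template, user, user_attribute))
    return [g["dn"][0] for g in groups if matches(g, tree)]


if __name__ == "__main__":
    print(user_groups(THREAD_FILTER, USER, [GROUP]))        # [] : the uid is not a DN
    print(user_groups(THREAD_FILTER, USER, [GROUP], "dn"))  # the grafana group
    print(user_groups("(&(objectClass=posixGroup)(memberUid=%s))", USER, [GROUP]))
    hostile = {"dn": ["uid=x,ou=people,dc=example,dc=org"], "uid": ["x)(member=*"]}
    print(build_group_filter(THREAD_FILTER, hostile))       # specials escaped, filter intact
```

The first call reproduces the log line from the post (`(member=nskalis)` finds no group); the second is what the answer asks for. The `hostile` case is the reason the substitution must be escaped: without RFC 4515 escaping, a username containing `)(member=*` would turn the membership check into one that matches every group.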