Ldap Auth: user does not belong in any of the specified ldap groups

Hi guys,

Would you be so kind to help me with the LDAP authentication in Grafana ?
More specifically, my configuration looks like:

host = "xxx"
port = 636
use_ssl = true
root_ca_cert = "xxx.pem"
bind_dn = "uid=xxx,ou=xxx,dc=xxx,dc=xxx"
bind_password = "xxx"

search_filter = "(uid=%s)"
group_search_filter = "(&(objectClass=posixGroup)(member=%s))" 
group_search_base_dns = ['ou=xxx,ou=xxx,ou=xxx,dc=xxx,dc=xxx']

[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "cn" 
email =  "mail"

[[servers.group_mappings]]
group_dn = "cn=grafana,ou=xxx,ou=xxx,ou=xxx,dc=xxx,dc=xxx"
org_role = "Admin"

The logs complain about:

t=2018-01-19T12:40:06+0100 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=xxx time_ms=1 size=29 referer=
t=2018-01-19T12:40:15+0100 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(objectClass=posixGroup)(member=nskalis))"
t=2018-01-19T12:40:15+0100 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc4201d0f50)({\n DN: (string) (len=35) \"uid=nskalis,ou=xxx,dc=xxx,dc=xxx\",\n FirstName: (string) (len=5) \"Nikos\",\n LastName: (string) (len=6) \"Skalis\",\n Username: (string) (len=7) \"nskalis\",\n Email: (string) (len=25) \"xxx@xxx\",\n MemberOf: ([]string) <nil>\n})\n"
t=2018-01-19T12:40:15+0100 lvl=info msg="Ldap Auth: user does not belong in any of the specified ldap groups" logger=ldap username=nskalis groups=[]
t=2018-01-19T12:40:15+0100 lvl=eror msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="Invalid Username or Password"
t=2018-01-19T12:40:15+0100 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=401 remote_addr=xxx time_ms=128 size=42 referer=http://xxx/login

While I am a member of the grafana LDAP group.

Could you please advise what I am doing wrong ?

The problem seems to be that:

group_search_filter = "(&(objectClass=posixGroup)(member=%s))”

and %s must be the full DN of the user that is a member e.g.

%s = uid=nskalis,ou=xxx,dc=xxx,dc=xxx 

And not just nskalis - the group stores DN’s of members in the member attribute.
In other words, here

t=2018-01-19T12:40:15+0100 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(objectClass=posixGroup)(member=nskalis))"

Eventually %s needs to be replaced with something that represents the users DN

Niko

I’m struggling for a while to make Grafana LDAP work as I can’t find appropriate search filter. In AD, both groups Grafana-Admin/User have a group as a member and that group have users which need to authenticate to Grafana.
To simplify, my user sys22 is in a group called Graylog, group Graylog is a Member Of group Grafana. And, I want to use group Grafana in LDAP configuration.

verbose_logging = true                                                                                                    
[[servers]]                                                                                                               
host = "dc-01.corp.domain.com"                                                                                           
port = 389                                                                                                                
use_ssl = false                                                                                                           
ssl_skip_verify = true                                                                                                    
                                                                                                                      
bind_dn = "CN=Grafana-Auth,OU=ApplicationAccount,OU=SE,OU=Admin,DC=corp,DC=domain,DC=com"                             
bind_password = 'pass1'                                                                                            
                                                                                                                      
search_filter = "(&(objectCategory=Person)(sAMAccountName=%s)"                                                                  
search_base_dns = ["dc=corp,dc=domain,dc=com"]                                                                              
                                                                                                                      
# group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"                                                        
# group_search_filter_user_attribute = "distinguishedName"                                                            
# group_search_base_dns = 
["OU=Group,OU=SE,OU=Unit,DC=corp,DC=domain,DC=com"]                                           
                                                                                                                      
[servers.attributes]                                                                                                      
name = "givenName"                                                                                                        
surname = "sn"                                                                                                            
username = "sAMAccountName"                                                                                               
member_of = "distinguisedName"                                                                                            
email = "mail"                                                                                                            
                                                                                                                      
[[servers.group_mappings]]                                                                                                
group_dn = "CN=Grafana- 
Admin,OU=Access,OU=Group,OU=SE,OU=Unit,DC=corp,DC=domain,DC=com"                              
org_role = "Admin"                                                                                                        
                                                                                                                      
[[servers.group_mappings]]                                                                                                
group_dn = "CN=Grafana- 
User,OU=Access,OU=Group,OU=SE,OU=Unit,DC=corp,DC=domain,DC=com"                               
org_role = "Editor"                                                                                                       
                                                                                                                      
[[servers.group_mappings]]                                                                                                
group_dn = "*"                                                                                                            
org_role = "Viewer"   

Applying various filters doesn’t help and all the time I am getting

lvl=eror msg="Invalid username or password" logger=context userId=0 orgId=0 
uname= error="Invalid Username or Password"
t=2018-05-18T08:01:02+0200 lvl=info msg="Request Completed" logger=context 
userId=0 orgId=0 uname= method=POST path=/login status=401 
remote_addr=X.X.X.X time_ms=13 size=98 
referer=http://graylogprod.corp.domain.com/grafana/login

Any advice I’ll much appreciate…

Thank you,
B

Hello,

I am struggling with a similar issue.

  1. First of all I would like to know where is all the Grafana doc, because it is mentioned at several places. I just found: Grafana LDAP doc

  2. Where you able to have users logged in without role? I got the users logged in without any further data (roles, email, …) prior to trying to use [[servers.group_mappings]]

  3. Afterwards the users where not able to login any more.
    I got:

    indent preformatted text by 4 spaces
    “LDAP users found” logger=ldap users=“(*models.ExternalUserInfo) (len=1 cap=1) {\n (*models.ExternalUserInfo)(0xc00043d680)({\n OAuthToken: (*oauth2.Token)(),\n AuthModule: (string) (len=4) "ldap",\n AuthId: (string) (len=35) "uid=me,ou=People,dc=section,dc=corp",\n UserId: (int64) 0,\n Email: (string) "",\n Login: (string) "",\n Name: (string) "",\n Groups: (string) {\n },\n OrgRoles: (map[int64]models.RoleType) {\n },\n IsGrafanaAdmin: (*bool)(),\n IsDisabled: (bool) true\n })\n}\n”
    eror msg=“User does not belong in any of the specified LDAP groups” logger=ldap username= groups=

Did you all figure this out?