LDAP authentication not working

  • What Grafana version and what operating system are you using?
    Version 12.0.0.
  • What are you trying to achieve?
    Set up LDAP.
  • How are you trying to achieve it?
    As per documentation – adjusting ldap.toml and enabling LDAP in grafana.ini.
  • What happened?
    Test user mapping always results in “No user was found in the LDAP server(s) with that username” error. Trying to log in results in “Invalid username or password” error.
  • What did you expect to happen?
    Successful test and login.
  • Can you copy/paste the configuration(s) that you are having problems with?
    /etc/grafana/ldap.toml
[[servers]]
host = "server-name.domain.name.tld"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false

bind_dn = "ldap.account@domain.name.tld"
bind_password = '$__env{LDAP_BIND_PASSWORD}'

timeout = 10

search_filter = "(sAMAccountName=%s)"

search_base_dns = ["dc=domain,dc=name,dc=tld"]

[servers.attributes]
name      = "givenName"
surname   = "sn"
username  = "sAMAccountName"
member_of = "memberOf"
email     = "mail"

[[servers.group_mappings]]
group_dn = "cn=user-group,ou=OU2,ou=OU1,dc=domain,dc=name,dc=tld"
org_role = "Admin"
grafana_admin = true

/etc/grafana/grafana.ini

[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    No error, just this:
    logger=ldap t=2025-05-14T15:03:15.096078769+02:00 level=debug msg="LDAP SearchRequest" searchRequest="&{BaseDN:dc=domain,dc=name,dc=tld Scope:2 DerefAliases:0 SizeLimit:0 TimeLimit:0 TypesOnly:false Filter:(|(sAMAccountName=user.name)) Attributes:[sAMAccountName sn mail givenName memberOf] Controls:[]}\n"
  • Did you follow any online instructions? If so, what is the URL?
    Just the official docs.

The things I have tried:

  • adjusting bind_dn with DistinguishedName and with domain\\ldap.account,
  • setting password in plaintext directly in the config,
  • removing [[servers.group_mappings]],
  • adjusting search_filter,
  • changing to port 389 and use_ssl = false,
  • ssl_skip_verify = true,
  • running a test with ldapsearch → this was successful.

The only thing that caught my eye is the mismatch between the filter in the config and the one reported in the logs:
search_filter = "(sAMAccountName=%s)"
Filter:(|(sAMAccountName=user.name))

Why is there an extra set of brackets with OR operator?

Well, it solved itself? I set the password in plain text directly in the config again and now it’s working. I have no clue why, because when I tested with a wrong password, at least I got an error that the provided LDAP account credentials were wrong, so it couldn’t have been that I simply managed to copy/paste the password incorrectly during my testing.