LDAP-based authentication for multiple organizations

Hello,

I’m running the Grafana 5.0.0 container image from Docker Hub within a Kubernetes (K8s) environment and attempting to enable LDAP-based authentication with the goal of being able to ultimately have a “multi-tenanted” Grafana deployment where each group using Grafana would have their own associated organization within Grafana. Note I’ve overridden the contents of the /etc/grafana/grafana.ini file within the container image with my own version that comes from a Kubernetes config map.

The issue I’m hitting, which is probably due to some basic configuration issues, is with even getting to the point where an LDAP authenticated user can log into the Grafana GUI.

Relevant configuration settings: (at least relevant based on my understanding of the configuration settings)

  • /etc/grafana/grafana.ini
    <NOTE: I’ve tried every reasonable permutation of these settings that I could think of and none of them have worked; I’m representing here the settings as I believe they should be set>

    • app_mode: development
    • security
      • admin_user = [Custom admin user name]
      • admin_password = [Custom admin user password]
    • users
      • allow_sign_up = true
      • allow_org_create = false
      • auto_assign_org = false
    • auth.basic
      • enabled = true
    • auth.ldap
      • enabled = true
      • config_file = /etc/grafana/ldap.toml
      • allow_sign_up = true
  • /etc/grafana/ldap.toml

    • log
      • filters = "ldap.debug"
    • servers
      • host =
      • port = 389
      • SSL disabled (for now)
      • bind_dn = "uid=%s,ou=people,dc=mycompany,dc=com"
      • search_base_dns = ["ou=people,dc=mycompany,dc=com"]
    • And I’ve added the following servers.group_mappings element:
      [[servers.group_mappings]]
      group_dn = "cn=orgName1,ou=groups,dc=mycompany,dc=com"
      org_role = "Admin"
      org_id = 2
      <NOTE: In some cases I did not have the org_id as part of the mapping, but realized then that it was applying the mapping to the default organization, which is not what I wanted.>

Issues / Questions

  1. When an LDAP-based user attempts to log into the Grafana GUI, an authentication error is indicated.

However, based on the Grafana log file, Grafana has actually successfully bound as the user with my configured LDAP service but is then reporting an error indicating "Cannot remove last organization admin". The only two log messages I see when attempting to log in as the LDAP user are:

t=2018-03-07T20:34:08+0000 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc420297490)({\n DN: (string) (len=40) \"uid=bugsbunny,ou=people,dc=oracle,dc=com\",\n FirstName: (string) \"\",\n LastName: (string) \"\",\n Username: (string) \"\",\n Email: (string) \"\",\n MemberOf: ([]string) (len=1 cap=1) {\n (string) (len=40) \"cn=cne_devops,ou=groups,dc=oracle,dc=com\"\n }\n})\n"
t=2018-03-07T20:34:08+0000 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="Cannot remove last organization admin"

  2. Do the organizations that are mapped to the LDAP group with which an LDAP-based user is associated need to be created before any user from that group logs in, or are they automatically created?

Perhaps a silly question, but this wasn’t clear to me from the documentation. I’ve tried my scenario both by creating the organization ahead of time and by not creating the organization beforehand, but ultimately the result is the same. In any case, I’d like to understand the expected flow.

  3. With some permutations of configuration settings, I’m actually seeing a 3rd organization automatically being created after the LDAP-based user attempts to log in. This is on top of the default organization (id: 1) and another organization (name: orgName1, id: 2) I created to represent the LDAP group with which the user is associated based on their LDAP information. Why is this 3rd organization getting created when there is already an organization in place associated with the LDAP group with which the user is associated?

  4. I’ve enabled debug logging for all of Grafana as well as specifically for the LDAP module, yet I’m getting almost no logging output, a couple of lines at most. Is there another security-related log where the LDAP-related logging messages go?

Thanks,

DaveF
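For reference, a complete ldap.toml of the shape the post describes, with one group mapping per Grafana organization, as an added example that is not part of the original thread. The hostname ldap.mycompany.com, the attribute names, and the second group (orgName2, org id 3) are assumed placeholders.

```toml
# Added example, not from the thread. Assumed placeholders: the LDAP host,
# the attribute names, and the orgName2 group / org id 3.
verbose_logging = true

[[servers]]
host = "ldap.mycompany.com"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false

# Bind directly as the logging-in user (no service account), as in the post;
# with a %s in bind_dn no bind_password is needed.
bind_dn = "uid=%s,ou=people,dc=mycompany,dc=com"
search_filter = "(uid=%s)"
search_base_dns = ["ou=people,dc=mycompany,dc=com"]

# Map directory attributes onto the synced Grafana user. The "Ldap User found"
# log line in the post shows FirstName, Username and Email as empty strings,
# so it is worth confirming these match the directory schema.
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"

# One mapping per organization. org_id must be set explicitly: the post notes
# that a mapping without it is applied to the default organization (id 1).
[[servers.group_mappings]]
group_dn = "cn=orgName1,ou=groups,dc=mycompany,dc=com"
org_role = "Admin"
org_id = 2

[[servers.group_mappings]]
group_dn = "cn=orgName2,ou=groups,dc=mycompany,dc=com"
org_role = "Editor"
org_id = 3
```

With verbose_logging enabled the resolved user and group list are written at login, which is the quickest way to see which mapping, if any, matched.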

This is a known issue with the current LDAP user sync model that crops up in some scenarios; we are actively working on an updated LDAP integration that will solve this problem and provide a better platform for building new integration features on.


@dcech Thanks for the quick reply. A couple of quick questions regarding the updates to the LDAP functionality. 1) Is there a particular timeline for when the updated LDAP functionality will be available? 2) Is there a specific issue associated with the LDAP updates that I can track?

Thanks,

DaveF