Hi, we've been running grafana-4.4.1-1.x86_64 for a while without any problems.
A new user tried to access it but the LDAP verification ABENDed. We figured out that it was because the distinguishedName of that user had parentheses in it.
Example:
CN=Hudon Gervais (system programmer)
We did some tests and it is really the closing parenthesis that causes the problem. There might be another way to configure LDAP to avoid that problem, so here are our parms.
SYSLOG without closing parenthesis:

```
t=2017-09-27T09:05:49-0400 lvl=info msg="Searching for user's groups" logger=ldap filter="(member:1.2.840.113556.1.4.1941:=CN=Hudon Jonathan \28Privil\c3\a8ges sp\c3\a9ciaux,OU=SysAdmins,OU=ComptesSpeciaux,DC=le500,DC=cie-name,DC=com)"
t=2017-09-27T09:05:49-0400 lvl=dbug msg="Scheduling update" logger=alerting.scheduler ruleCount=0
t=2017-09-27T09:05:49-0400 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc4200fce70)({\n DN: (string) (len=103) "CN=Hudon Jonathan (Privilèges spéciaux,OU=SysAdmins,OU=ComptesSpeciaux,DC=le500,DC=cie-name,DC=com",\n FirstName: (string) (len=8) "Jonathan",\n LastName: (string) (len=5) "Hudon",\n Username: (string) (len=37) "Hudon Jonathan (Privilèges spéciaux",\n Email: (string) (len=30) "HUDONJO3@le500.cie-name.com",\n MemberOf: ([]string) (len=1 cap=1) {\n (string) (len=97) "CN=R_TA_GRAFANA_MODIF,OU=TA,OU=GRAFANA,OU=SG_APPS,OU=ServiceGroups,DC=le500,DC=cie-name,DC=com"\n }\n})\n"
t=2017-09-27T09:05:59-0400 lvl=dbug msg="Scheduling update" logger=alerting.scheduler ruleCount=0
```

SYSLOG with closing parenthesis:

```
t=2017-09-27T08:27:59-0400 lvl=info msg="Searching for user's groups" logger=ldap filter="(member:1.2.840.113556.1.4.1941:=CN=Hudon Jonathan \28Privil\c3\a8ges sp\c3\a9ciaux\29,OU=SysAdmins,OU=ComptesSpeciaux,DC=le500,DC=cie-name,DC=com)"
t=2017-09-27T08:27:59-0400 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc42016e930)({\n DN: (string) (len=104) "CN=Hudon Jonathan (Privilèges spéciaux),OU=SysAdmins,OU=ComptesSpeciaux,DC=le500,DC=cie-name,DC=com",\n FirstName: (string) (len=8) "Jonathan",\n LastName: (string) (len=5) "Hudon",\n Username: (string) (len=38) "Hudon Jonathan (Privilèges spéciaux)",\n Email: (string) (len=30) "HUDONJO3@le500.cie-name.com",\n MemberOf: ([]string) (len=1 cap=1) {\n (string) (len=97) "CN=R_TA_GRAFANA_MODIF,OU=TA,OU=GRAFANA,OU=SG_APPS,OU=ServiceGroups,DC=le500,DC=cie-name,DC=com"\n }\n})\n"
t=2017-09-27T08:27:59-0400 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="UNIQUE constraint failed: user.email"
t=2017-09-27T08:27:59-0400 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=10.8.64.81 time_ms=48 size=53 referer=https://grafana-2.cie-name.com/login
```
Our Grafana's LDAP config:

```toml
# Set to true to log user information returned from LDAP
verbose_logging = true

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "krb.le500.cie-name.com"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = /path/to/certificate.crt

# Search user bind dn
bind_dn = "cn=LDAPUSR,ou=SA_CORPO,ou=ServiceAccounts,dc=le500,dc=cie-name,dc=com"
# Search user bind password
bind_password = 'BlaBlaBla'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["dc=le500,dc=cie-name,dc=com"]

# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
# This is done by enabling group_search_filter below. You must also set member_of = "cn"
# in [servers.attributes] below.

# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
# below in such a way that the user's recursive group membership is considered.
#
# Nested Groups + Active Directory (AD) Example:
#
# AD groups store the Distinguished Names (DNs) of members, so your filter must
# recursively search your groups for the authenticating user's DN. For example:
#
# group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
# group_search_filter_user_attribute = "distinguishedName"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
#
# [servers.attributes]
# ...
# member_of = "distinguishedName"

# Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
# Defaults to the value of username in [server.attributes]
# Valid options are any of your values in [servers.attributes]
# If you are using nested groups you probably want to set this and member_of in
# [servers.attributes] to "distinguishedName"
# group_search_filter_user_attribute = "distinguishedName"
# An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
group_search_filter_user_attribute = "distinguishedName"
group_search_base_dns = ["OU=GRAFANA,OU=SG_APPS,OU=ServiceGroups,dc=le500,dc=cie-name,dc=com"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "distinguishedName"
email = "altSecurityIdentities"

# The Grafana organization database id, optional, if left out the default org (id 1) will be used
org_id = 1

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "CN=R_PO_GRAFANA_ADMIN,OU=PO,OU=GRAFANA,OU=SG_APPS,OU=ServiceGroups,DC=le500,DC=cie-name,DC=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "CN=R_PO_GRAFANA_MODIF,OU=PO,OU=GRAFANA,OU=SG_APPS,OU=ServiceGroups,DC=le500,DC=cie-name,DC=com"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Read Only Editor"
```
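The `\28`, `\29`, `\c3\a8` and `\c3\a9` sequences in the `filter=` log lines above are RFC 4515 hex escapes: `(`, `)` and the UTF-8 bytes of `è` and `é` in the user's distinguishedName are escaped before the DN is substituted for `%s` in `group_search_filter`, so that the group query stays a well-formed filter. The Go program below is an added example written for this post; it is not code from the post or from Grafana or go-ldap. It reproduces that escaping for the DN shown in the log, checks that the resulting filter value contains no unescaped special characters, and shows why raw substitution of a CN with parentheses is not acceptable. The function names and the parenthesis-balance check are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupSearchFilter is the nested-group filter from the post's ldap.toml.
const GroupSearchFilter = "(member:1.2.840.113556.1.4.1941:=%s)"

// EscapeFilterValue escapes one assertion value for use inside an LDAP search
// filter (RFC 4515 section 3). '(', ')', '*', '\' and NUL must be escaped as
// '\' plus two hex digits; this example also escapes control bytes and every
// byte outside ASCII, so the UTF-8 bytes of è and é become \c3\a8 and \c3\a9,
// matching the post's log.
func EscapeFilterValue(value string) string {
	var b strings.Builder
	for i := 0; i < len(value); i++ {
		c := value[i]
		if c == '(' || c == ')' || c == '*' || c == '\\' || c < 0x20 || c > 0x7e {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildGroupFilter substitutes the escaped user attribute value (here the
// user's distinguishedName) for the %s placeholder in group_search_filter.
func BuildGroupFilter(groupSearchFilter, userAttrValue string) string {
	return strings.Replace(groupSearchFilter, "%s", EscapeFilterValue(userAttrValue), 1)
}

// ValidFilterValue reports whether s is safe to embed as a filter assertion
// value: no raw '(', ')' or '*', and every backslash starts a \XX escape.
func ValidFilterValue(s string) bool {
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '(', ')', '*':
			return false
		case '\\':
			if i+2 >= len(s) || !isHex(s[i+1]) || !isHex(s[i+2]) {
				return false
			}
			i += 2 // skip the two hex digits
		}
	}
	return true
}

func isHex(c byte) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')
}

// FilterParensBalanced checks that the parentheses structuring a complete
// filter balance, treating \XX escapes as data so \28 and \29 do not count.
func FilterParensBalanced(filter string) bool {
	depth := 0
	for i := 0; i < len(filter); i++ {
		switch filter[i] {
		case '\\':
			i += 2 // escape sequence: skip the two hex digits
		case '(':
			depth++
		case ')':
			depth--
			if depth < 0 {
				return false
			}
		}
	}
	return depth == 0
}

func main() {
	// DN taken from the post's log: the CN contains parentheses and accented letters.
	dn := "CN=Hudon Jonathan (Privilèges spéciaux),OU=SysAdmins,OU=ComptesSpeciaux,DC=le500,DC=cie-name,DC=com"

	escaped := BuildGroupFilter(GroupSearchFilter, dn)
	fmt.Println("escaped filter:", escaped)
	fmt.Println("escaped value valid:", ValidFilterValue(EscapeFilterValue(dn)),
		"parens balanced:", FilterParensBalanced(escaped))

	// Raw substitution, which escaping prevents: the CN's parentheses would be
	// read as filter syntax instead of as part of the value.
	raw := strings.Replace(GroupSearchFilter, "%s", dn, 1)
	fmt.Println("raw value valid:", ValidFilterValue(dn),
		"parens balanced:", FilterParensBalanced(raw))
}
```

Note that parenthesis balance alone is not a sufficient check: with the closing parenthesis present the raw filter happens to balance, yet the value still fails `ValidFilterValue`, which is the check that matters for a substituted value. The DN from the first log excerpt (no closing parenthesis) fails both checks when substituted raw.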