LDAP config problem

Hi, we've been running grafana-4.4.1-1.x86_64 for a while without any problems.

A new user tried to access it, but the LDAP verification ABENDs. We figured out that it was because
the distinguishedName of that user had parentheses in it.

Example:
CN=Hudon Gervais (system programmer)

We did some tests and it is really the closing parenthesis that causes the problem. There
might be another way to configure LDAP to avoid that problem, so our parms are as
follows.

SYSLOG without closing parenthesis:

```
t=2017-09-27T09:05:49-0400 lvl=info msg="Searching for user's groups" logger=ldap filter="(member:1.2.840.113556.1.4.1941:=CN=Hudon Jonathan \28Privil\c3\a8ges sp\c3\a9ciaux,OU=SysAdmins,OU=ComptesSpeciaux,DC=le500,DC=cie-name,DC=com)"
t=2017-09-27T09:05:49-0400 lvl=dbug msg="Scheduling update" logger=alerting.scheduler ruleCount=0
t=2017-09-27T09:05:49-0400 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc4200fce70)({\n DN: (string) (len=103) "CN=Hudon Jonathan (Privilèges spéciaux,OU=SysAdmins,OU=ComptesSpeciaux,DC=le500,DC=cie-name,DC=com",\n FirstName: (string) (len=8) "Jonathan",\n LastName: (string) (len=5) "Hudon",\n Username: (string) (len=37) "Hudon Jonathan (Privilèges spéciaux",\n Email: (string) (len=30) "HUDONJO3@le500.cie-name.com",\n MemberOf: ([]string) (len=1 cap=1) {\n (string) (len=97) "CN=R_TA_GRAFANA_MODIF,OU=TA,OU=GRAFANA,OU=SG_APPS,OU=ServiceGroups,DC=le500,DC=cie-name,DC=com"\n }\n})\n"
t=2017-09-27T09:05:59-0400 lvl=dbug msg="Scheduling update" logger=alerting.scheduler ruleCount=0
```

SYSLOG with closing parenthesis:

```
t=2017-09-27T08:27:59-0400 lvl=info msg="Searching for user's groups" logger=ldap filter="(member:1.2.840.113556.1.4.1941:=CN=Hudon Jonathan \28Privil\c3\a8ges sp\c3\a9ciaux\29,OU=SysAdmins,OU=ComptesSpeciaux,DC=le500,DC=cie-name,DC=com)"
t=2017-09-27T08:27:59-0400 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc42016e930)({\n DN: (string) (len=104) "CN=Hudon Jonathan (Privilèges spéciaux),OU=SysAdmins,OU=ComptesSpeciaux,DC=le500,DC=cie-name,DC=com",\n FirstName: (string) (len=8) "Jonathan",\n LastName: (string) (len=5) "Hudon",\n Username: (string) (len=38) "Hudon Jonathan (Privilèges spéciaux)",\n Email: (string) (len=30) "HUDONJO3@le500.cie-name.com",\n MemberOf: ([]string) (len=1 cap=1) {\n (string) (len=97) "CN=R_TA_GRAFANA_MODIF,OU=TA,OU=GRAFANA,OU=SG_APPS,OU=ServiceGroups,DC=le500,DC=cie-name,DC=com"\n }\n})\n"
t=2017-09-27T08:27:59-0400 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="UNIQUE constraint failed: user.email"
t=2017-09-27T08:27:59-0400 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=10.8.64.81 time_ms=48 size=53 referer=https://grafana-2.cie-name.com/login
```

Sorry for the bad cut/paste; here is our ldap.toml config:

```toml
# Set to true to log user information returned from LDAP
verbose_logging = true

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "krb.le500.cie-name.com"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = /path/to/certificate.crt

# Search user bind dn
bind_dn = "cn=LDAPUSR,ou=SA_CORPO,ou=ServiceAccounts,dc=le500,dc=cie-name,dc=com"
# Search user bind password
bind_password = 'blablabla'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["dc=le500,dc=cie-name,dc=com"]

# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
# This is done by enabling group_search_filter below. You must also set member_of= "cn"
# in [servers.attributes] below.

# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
# below in such a way that the user's recursive group membership is considered.
#
# Nested Groups + Active Directory (AD) Example:
#
# AD groups store the Distinguished Names (DNs) of members, so your filter must
# recursively search your groups for the authenticating user's DN. For example:
#
# group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
# group_search_filter_user_attribute = "distinguishedName"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
#
# [servers.attributes]
# member_of = "distinguishedName"

# Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
# Defaults to the value of username in [server.attributes]
# Valid options are any of your values in [servers.attributes]
# If you are using nested groups you probably want to set this and member_of in
# [servers.attributes] to "distinguishedName"
# group_search_filter_user_attribute = "distinguishedName"
# An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
group_search_filter_user_attribute = "distinguishedName"
group_search_base_dns = ["OU=GRAFANA,OU=SG_APPS,OU=ServiceGroups,dc=le500,dc=cie-name,dc=com"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "distinguishedName"
email = "altSecurityIdentities"

# The Grafana organization database id, optional, if left out the default org (id 1) will be used
org_id = 1

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "CN=R_PO_GRAFANA_ADMIN,OU=PO,OU=GRAFANA,OU=SG_APPS,OU=ServiceGroups,DC=le500,DC=cie-name,DC=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "CN=R_PO_GRAFANA_MODIF,OU=PO,OU=GRAFANA,OU=SG_APPS,OU=ServiceGroups,DC=le500,DC=cie-name,DC=com"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Read Only Editor"
```

I'm not used to this forum, so I might have put this in the wrong place since it seems to be a bug.
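As an added example (not code from the original post or from Grafana), the following Python reproduces the RFC 4515 filter escaping visible in the filter= field of the logs above, substituting the user's distinguishedName into the group_search_filter from the ldap.toml, and decodes such a value back for reading the log lines. Assumptions: the byte-wise hex escaping of non-ASCII characters is inferred from the log output (\c3\a8 for è), and USER_DN is copied from the posted "Ldap User found" line.

```python
# Added example, not Grafana's code: reproduce the RFC 4515 escaping that
# turns the authenticating user's DN into the filter= value in the log above,
# and decode it back.  Non-ASCII bytes are hex-escaped byte by byte because
# that is what the posted log shows (\c3\a8 for "è"); RFC 4515 itself only
# mandates escaping of ( ) * \ and NUL.

# Constructed from the DN in the posted "Ldap User found" log line.
USER_DN = ("CN=Hudon Jonathan (Privilèges spéciaux),"
           "OU=SysAdmins,OU=ComptesSpeciaux,DC=le500,DC=cie-name,DC=com")
# group_search_filter from the ldap.toml; %s receives the distinguishedName.
GROUP_SEARCH_FILTER = "(member:1.2.840.113556.1.4.1941:=%s)"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter's structure."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"()*\\\x00" or b >= 0x80:
            out.append("\\%02x" % b)  # ')' -> \29, 0xC3 -> \c3
        else:
            out.append(chr(b))
    return "".join(out)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, for reading filter= in the log lines."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            buf.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def build_group_filter(template: str, dn: str) -> str:
    """Substitute the escaped DN for %s, as the group search does."""
    return template.replace("%s", escape_filter_value(dn))


if __name__ == "__main__":
    f = build_group_filter(GROUP_SEARCH_FILTER, USER_DN)
    print(f)  # same filter= value as the second "Searching for user's groups" line
    prefix = "(member:1.2.840.113556.1.4.1941:="
    assert unescape_filter_value(f[len(prefix):-1]) == USER_DN
```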