Ldap configuration problem with uniqueMember attribute

Hi,

I’m trying to configure Grafana to work with my LDAP configuration, but it seems that I have a configuration problem because the group_search_filter_user_attribute is not replacing the %s value.

So, here is my ldap.toml configuration:

[[servers]]
host = "ldap.server.local"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "uid=ldapuser,ou=users,o=ldap-services,dc=organisation,dc=com"
bind_password = 'password'
search_filter = "(uid=%s)"
search_base_dns = ["ou=users,dc=organisation,dc=com"]
group_search_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))"
group_search_filter_user_attribute = "distinguishedName"
group_search_base_dns = ["ou=grafana,ou=applications,dc=organisation,dc=com"]
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "uniqueMember"
email = "mail"
[[servers.group_mappings]]
group_dn = "cn=admin,ou=grafana,ou=applications,dc=organisation,dc=com"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "cn=editor,ou=grafana,ou=applications,dc=organisation,dc=com"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "cn=viewer,ou=grafana,ou=applications,dc=organisation,dc=com"
org_role = "Viewer"

My LDAP groups have the attribute uniqueMember with the user's DN as the attribute value. So I want the %s value to be replaced by the user DN.

Unfortunately, that doesn’t work, because when the group_search_filter_user_attribute is set, I see in my LDAP logs that the %s value is empty: filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=))"

When I comment out the group_search_filter_user_attribute line, I see that the %s value is correctly replaced with the username attribute: filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=testuser))"

So, I think I’m missing something, but I can’t figure out what it is…

I’ve turned on debug on my Grafana server, so here is the log:
t=2018-04-16T13:35:53+0200 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=))"
t=2018-04-16T13:35:53+0200 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc420342850)({\n DN: (string) (len=58) "uid=testuser,ou=users,dc=organisation,dc=com",\n FirstName: (string) (len=7) "test",\n LastName: (string) (len=7) "user",\n Username: (string) (len=8) "testuser",\n Email: (string) (len=32) "testuser@organisation.com",\n MemberOf: ([]string) \n})\n"
t=2018-04-16T13:35:53+0200 lvl=info msg="Ldap Auth: user does not belong in any of the specified ldap groups" logger=ldap username=testuser groups=[]
t=2018-04-16T13:35:53+0200 lvl=eror msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="Invalid Username or Password"

And here are my LDAP logs too:

Apr 16 13:38:51 ldap slapd[790]: conn=506137 fd=92 ACCEPT from IP=10.10.10.10:37978 (IP=0.0.0.0:389)
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=0 BIND dn="uid=ldapuser,ou=users,o=ldap-services,dc=organisation,dc=com" method=128
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=0 BIND dn="uid=ldapuser,ou=users,o=ldap-services,dc=organisation,dc=com" mech=SIMPLE ssf=0
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=0 RESULT tag=97 err=0 text=
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=1 SRCH base="ou=users,dc=organisation,dc=com" scope=2 deref=0 filter="(uid=testuser)"
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=1 SRCH attr=uid sn mail givenName uniqueMember
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=2 SRCH base="ou=grafana,ou=applications,dc=organisation,dc=com" scope=2 deref=0 filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=))"
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=2 SRCH attr=uniqueMember
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=3 BIND anonymous mech=implicit ssf=0
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=3 BIND dn="uid=testuser,ou=users,dc=organisation,dc=com" method=128
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=3 BIND dn="uid=testuser,ou=users,dc=organisation,dc=com" mech=SIMPLE ssf=0
Apr 16 13:38:51 ldap slapd[790]: conn=506137 op=3 RESULT tag=97 err=0 text=
Apr 16 13:38:51 ldap slapd[790]: conn=506137 fd=92 closed (connection lost)

Thanks a lot for your help

Only these LDAP attributes are supported:

name = "givenName"
surname = "sn"
username = "uid"
member_of = "uniqueMember"
email = "mail"

These are the ones that will be returned by search. So you must use distinguishedName for one of these properties. This looks like a bug, we should add group_search_filter_user_attribute as a valid attribute as well if it is different from the above attributes.
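To make the mechanism described in the first post and in the reply above concrete, here is an added simulation of the %s substitution; it is not Grafana's code. The user entry, the requested-attribute list and the filter template are constructed from the values quoted in the thread (the entry is OpenLDAP-style, so its DN is a property of the entry rather than a returned attribute), the directory search is faked in-process, and the DN-based variant at the end is an assumption about what a working substitution would need, not a claim about what the linked pull request does.

```python
"""Simulate the %s substitution in a Grafana-style LDAP group search filter.

Added example, not Grafana's own code. The constructed user entry, the
requested-attribute list and the filter template mirror the values quoted
in the thread; the directory search is simulated in-process, so nothing
here talks to an LDAP server.
"""

# Characters that must be escaped inside an LDAP filter value (RFC 4515),
# so a login-form-supplied value cannot change the shape of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before splicing it into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Constructed OpenLDAP-style entry for the test user. As on slapd, the DN is
# a property of the entry, not an attribute the search can return by name.
USER_ENTRY = {
    "dn": "uid=testuser,ou=users,dc=organisation,dc=com",
    "attributes": {
        "uid": ["testuser"],
        "givenName": ["test"],
        "sn": ["user"],
        "mail": ["testuser@organisation.com"],
    },
}

# The [servers.attributes] mapping from the thread's ldap.toml.
ATTRIBUTES = {
    "name": "givenName",
    "surname": "sn",
    "username": "uid",
    "member_of": "uniqueMember",
    "email": "mail",
}

GROUP_SEARCH_FILTER = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))"


def requested_attributes(attributes):
    """Attribute names the user search asks the directory to return
    (matches the 'SRCH attr=uid sn mail givenName uniqueMember' slapd line)."""
    return list(attributes.values())


def simulated_user_search(entry, requested):
    """Return only the requested attributes, as a real search would."""
    return {k: v for k, v in entry["attributes"].items() if k in requested}


def build_group_filter(template, user_entry, attributes, user_attribute, strict=False):
    """Substitute %s with the value of `user_attribute` from the user search.

    `user_attribute=None` models an unset group_search_filter_user_attribute
    (the thread's logs show the username being used in that case). An
    attribute that was never requested, or that the directory does not hold,
    yields an empty value; with strict=True that is rejected instead of
    silently producing a filter like (uniqueMember=).
    """
    returned = simulated_user_search(user_entry, requested_attributes(attributes))
    if user_attribute is None:
        user_attribute = attributes["username"]
    values = returned.get(user_attribute, [])
    value = values[0] if values else ""
    if strict and not value:
        raise ValueError(f"attribute {user_attribute!r} not returned by user search")
    return template.replace("%s", escape_filter_value(value))


def build_group_filter_from_dn(template, user_entry):
    """Assumed variant: substitute the entry's own DN rather than a returned
    attribute, which is the value a uniqueMember-based group actually holds."""
    return template.replace("%s", escape_filter_value(user_entry["dn"]))


if __name__ == "__main__":
    print(build_group_filter(GROUP_SEARCH_FILTER, USER_ENTRY, ATTRIBUTES, "distinguishedName"))
    print(build_group_filter(GROUP_SEARCH_FILTER, USER_ENTRY, ATTRIBUTES, None))
    print(build_group_filter_from_dn(GROUP_SEARCH_FILTER, USER_ENTRY))
```

Run as a script, the first line reproduces the empty `(uniqueMember=)` filter from the slapd log, the second reproduces the `(uniqueMember=testuser)` filter seen when the option is commented out, and the third shows the DN-based substitution. Two checks a practitioner would keep even once the substitution works: reject an empty substituted value rather than issue a filter that matches nothing (or, with a differently shaped template, more than intended), and always escape the value, since the username originates in the login form.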

Hi,
Thanks for your answer, but I’ve also tried this configuration:

group_search_filter_user_attribute = "surname"
[servers.attributes]
surname = "distinguishedName"

But the %s value is still not replaced.
Anyway, I’ve also found this: https://github.com/grafana/grafana/pull/11150

I think that’s the solution to my problem.