Hi All,
We are using LDAP for authentication which works fine for ordinary users but behaves weird for service accounts in grafana 5 and 6.
Configuration is following - ldap.toml:
search_filter = "(|(uid=%s)(krbprincipalname=%s))"
search_base_dns = ["cn=services,cn=accounts,dc=int,dc=com", "cn=users,cn=accounts,dc=int,dc=com"]
[servers.attributes]
name = "displayName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"
If an ordinary user login to Grafana a following records are created in sqlite db:
sqlite> select * from user where id=26;
26|0|ordinary.user|ordinary.user@int.com|Ordinary User|xxx|1|0|0||2019-03-11 12:14:25|2019-03-11 12:14:25|0|2019-03-11 12:14:30
sqlite> select * from user_auth where user_id=26;
24|26|ldap|uid=ordinary.user,cn=users,cn=accounts,dc=int,dc=com|2019-03-11 12:14:25
That’s fine and everything works as expected.
The problem is when a service account (HTTP/jenkins-slave09.int.com@INT.COM) is used.
An empty record is created in table users:
sqlite> select * from user where id=27;
27|0||| ||yyy||1|0|0||2019-03-11 13:22:07|2019-03-11 13:22:07|0|2019-03-11 16:29:35
sqlite> select * from user_auth where user_id=27;
25|27|ldap|krbprincipalname=HTTP/jenkins-slave09.int.com@INT.COM,cn=services,cn=accounts,dc=int,dc=com|2019-03-11 13:22:07
In UI it looks like picture bellow:
Services account have no attributes username and email so I basically understand why an empty record is created but in version 4.x it created user HTTP/jenkins-slave09.int.com@INT.COM with email HTTP/jenkins-slave09.int.com@INT.COM in table user.
So my questions are:
Is that bug or feature in grafana 5 and 6?
Or maybe better could I somehow achieve behaviour seen in version 4?
Best regards,
Vladimir