We are using LDAP for authentication, which works fine for ordinary users but behaves weirdly for service accounts in Grafana 5 and 6.
The configuration is the following (ldap.toml):
```toml
search_filter = "(|(uid=%s)(krbprincipalname=%s))"
search_base_dns = ["cn=services,cn=accounts,dc=int,dc=com", "cn=users,cn=accounts,dc=int,dc=com"]

[servers.attributes]
name = "displayName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"
```
If an ordinary user logs in to Grafana, the following records are created in the sqlite db:
```
sqlite> select * from user where id=26;
email@example.com|Ordinary User|xxx|1|0|0||2019-03-11 12:14:25|2019-03-11 12:14:25|0|2019-03-11 12:14:30
sqlite> select * from user_auth where user_id=26;
24|26|ldap|uid=ordinary.user,cn=users,cn=accounts,dc=int,dc=com|2019-03-11 12:14:25
```
That’s fine and everything works as expected.
The problem is when a service account (HTTP/jenkins-slave09.int.com@INT.COM) is used.
An empty record is created in the user table:
```
sqlite> select * from user where id=27;
27|0||| ||yyy||1|0|0||2019-03-11 13:22:07|2019-03-11 13:22:07|0|2019-03-11 16:29:35
sqlite> select * from user_auth where user_id=27;
25|27|ldap|krbprincipalname=HTTP/jenkins-slave09.int.com@INT.COM,cn=services,cn=accounts,dc=int,dc=com|2019-03-11 13:22:07
```
In the UI it looks like the picture below:
Service accounts have no username and email attributes, so I basically understand why an empty record is created, but in version 4.x it created the user HTTP/jenkins-slave09.int.com@INT.COM with email HTTP/jenkins-slave09.int.com@INT.COM in the user table.
So my questions are:
Is that a bug or a feature in Grafana 5 and 6?
Or, maybe better, could I somehow achieve the behaviour seen in version 4?
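As an added example, not part of the original post: a small Python audit that lists LDAP-bound Grafana users whose login or email ended up empty (the symptom described above) together with the LDAP DN that created them, so such accounts can be found and cleaned up rather than discovered one by one in the UI. It runs against a constructed in-memory copy of the two tables that keeps only the columns the check needs (a simplified schema, assumed here); to audit a real instance, open grafana.db with `sqlite3.connect` instead of calling `build_sample_db`.

```python
import sqlite3

# Constructed sample rows mirroring the two records quoted in the post.
# Schema is a simplified subset of Grafana's user / user_auth tables (assumption):
# only the columns the audit needs are modelled.
SAMPLE_USERS = [
    # (id, login, email, name)
    (26, "ordinary.user", "email@example.com", "Ordinary User"),
    (27, "", "", " "),  # service-account row: login and email came back empty
]
SAMPLE_USER_AUTH = [
    # (id, user_id, auth_module, auth_id)
    (24, 26, "ldap", "uid=ordinary.user,cn=users,cn=accounts,dc=int,dc=com"),
    (25, 27, "ldap",
     "krbprincipalname=HTTP/jenkins-slave09.int.com@INT.COM,cn=services,cn=accounts,dc=int,dc=com"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT, email TEXT, name TEXT)")
    conn.execute("CREATE TABLE user_auth (id INTEGER PRIMARY KEY, user_id INTEGER, "
                 "auth_module TEXT, auth_id TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO user_auth VALUES (?, ?, ?, ?)", SAMPLE_USER_AUTH)
    conn.commit()
    return conn


def find_empty_ldap_users(conn: sqlite3.Connection) -> list:
    """Return LDAP-bound users whose login or email is blank, with the binding DN."""
    rows = conn.execute(
        """
        SELECT u.id, u.login, u.email, a.auth_id
        FROM user AS u
        JOIN user_auth AS a ON a.user_id = u.id
        WHERE a.auth_module = 'ldap'
          AND (TRIM(COALESCE(u.login, '')) = '' OR TRIM(COALESCE(u.email, '')) = '')
        ORDER BY u.id
        """
    ).fetchall()
    return [{"id": r[0], "login": r[1], "email": r[2], "dn": r[3]} for r in rows]


if __name__ == "__main__":
    for hit in find_empty_ldap_users(build_sample_db()):
        print(f"user {hit['id']}: login={hit['login']!r} email={hit['email']!r} dn={hit['dn']}")
```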