LDAP error 200: too many colons in address?

So I’m trying to configure LDAP and am getting this when I restart and try to log in:

Result Code 200 “Network Error”: dial tcp: address ldap://10.35.33.13:389: too many colons in address"

I’ve never seen this before, and am not adding a colon at the end of my LDAP, it appears to be done by grafana.

Here is the relevant section of my ldap.toml:

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "ldap://10.35.33.13"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = true

Please remove ldap:// from host configuration. Please follow documentation.

I did follow the documentation.

I have ldap enabled. If I don’t use LDAP:// in front I get bind errors whether I use a bind user or cn=%s.

I have removed it again and am now getting bind errors. And logins show a 401 unauthorized. I’m using the same information I use for our DCIM which works fine. Give me a bit and I will append my full ldap.toml.

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
#[log]
#filters = ldap:debug

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "10.35.33.13"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upg$
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "cn=grafanabind,dc=XXX,dc=epiqcorp,dc=XXX"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = "XXXXX"

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["dc=amer,dc=epiqcorp,dc=com"]

## For Posix or LDAP setups that does not support member_of attribute you can define the below set$
## Please check grafana LDAP docs for examples
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# group_search_filter_user_attribute = "uid"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "mail"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=GG-Grafana-Admin,o=Grafana,dc=XXXX,dc=XXXX,dc=XXXX"
org_role = "Admin"
# To make user an instance admin  (Grafana Admin) uncomment line below
grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "cn=GG-Grafana-Editor,o=Grafana,dc=XXXX,dc=XXXX,dc=XXXX"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "cn=GG-Grafana,o=Grafana,dc=XXXX,dc=XXXX,dc=XXXX"
org_role = "Viewer"

Using the above consistently gives a 401 unauthorized, and bind errors in logs.

You’re LDAP server is Active Directory? According to our example you should use a bind_password, only bind_dn like

bind_dn = "CORP\\%s"

where CORP is your domain.

For further help please enable debug logging for ldap using

[log]
filters = ldap:debug

Then include interesting grafana server log here (remove any sensitive information).