LDAP group mappings and Active Directory

Hi - I’ve read everything on here, and I’ve exhausted Google results. Can someone please advise why my group mapping does not work? Everyone always ends up getting “*” mapped. This is running against MS AD; Grafana v5.4.3 (6539180) is running dockerised on an Ubuntu 16.04 machine.
I do wish logging was more verbose.

I’ve tested these searches in Apache Directory Studio against the very same LDAP server and they do return users.

This is my ldap.toml
verbose_logging = true

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host="ldap.foo-uk.foo.loc"

# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false

# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = true

# set to true if you want to skip ssl cert validation
ssl_skip_verify = true

root_ca_cert = "/etc/grafana/fooCorporateRootBase-64Encoded.cer"

bind_dn = "FOO-PLC\\%s"

search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["OU=Users,OU=FooPLC,DC=foo-uk,DC=foo,DC=loc"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "mail"

[[servers.group_mappings]]
group_dn = "OU=_Env Projects,OU=RSY,OU=End,OU=Users,OU=FooPLC,DC=foo-uk,DC=foo,DC=loc"
org_role = "Admin"
grafana_admin = true 

[[servers.group_mappings]]
#END-RSY Users
group_dn = "CN=END-RSY Users,OU=FooPLC,DC=foo-uk,DC=foo,DC=loc"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"

This is the LDAP log snippet:
grafana | {"file":"/etc/grafana/ldap.toml","logger":"ldap","lvl":"info","msg":"Ldap enabled, reading config file","t":"2019-02-22T14:18:45.8649215Z"}

grafana | {"info":"(*login.LdapUserInfo)(0xc0002d7a40)({\n DN: (string) (len=94) \"CN=Mouse\\\\, Mickey,OU=_Env Projects,OU=RSY,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n FirstName: (string) (len=5) \"Mickey\",\n LastName: (string) (len=6) \"Mouse\",\n Username: (string) (len=8) \"MMOUSE\",\n Email: (string) (len=23) \"Mickey_Mouse@foo.co.uk\",\n MemberOf: ([]string) (len=37 cap=64) {\n (string) (len=106) \"CN=APPS-Wibble-KB-Systems,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=101) \"CN=APPS-Wibble-PR-QA,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=97) \"CN=USRS-ITSRDS-RemotingTools,OU=RDS,OU=Groups,OU=Instore 2012R2 Servers,DC=Instore,DC=foo,DC=loc\",\n (string) (len=106) \"CN=APPS-Wibble-ChangeOnly,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=103) \"CN=USRS-ITSRDS-AllowedUserWebLogon,OU=RDS,OU=Groups,OU=Instore 2012R2 Servers,DC=Instore,DC=foo,DC=loc\",\n (string) (len=139) \"CN=END-RSY-STOCK-MAINFRAMEMODERNISATIONTEAM-JAVA-GITREPOSITORIES,OU=_RSY Groups,OU=RSY,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=113) \"CN=SMAGRP-MAINFRAMEENVIRONMENT,OU=Access Groups,OU=_SharedMailboxes,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=104) \"CN=SVC-SCCM-RemoteControl,OU=Config Manager Groups,OU=Groups,OU=InstoreSystems,DC=Instore,DC=foo,DC=loc\",\n (string) (len=102) \"CN=USRS-PST-BlockedAccess,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=100) \"CN=USRS-LyncStandard,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=101) \"CN=END-BA-S1 Patching,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=98) \"CN=Web-Infrastructure,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=119) \"CN=END-BA-Systems Project XF0065 Folder,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=119) \"CN=END-BA-Systems Project XF0057 Folder,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=103) \"CN=USRS-RsyIntExpPolicy,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=119) \"CN=END-BA-Systems Project XF0054 Folder,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=93) \"CN=USRS-MQAdmins,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=107) \"CN=USRS-Environmental_Projects,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=117) \"CN=SmaGrp-EnvironmentalProjectsDBA,OU=Access Groups,OU=_SharedMailboxes,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=114) \"CN=END-RSY-EnvironmentalProjects Folder,OU=_RSY Groups,OU=RSY,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=124) \"CN=APPS-Infrastructure Database Edit All Assets,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=95) \"CN=USRS-end-idmq01,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=105) \"CN=SmaGrp-SQLServerDBA,OU=Access Groups,OU=_SharedMailboxes,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=110) \"CN=PinsafeCAGEE,OU=_PINsafeGroups,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=97) \"CN=USRS-Openfire,OU=Distribution,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=104) \"CN=APPS-CitrixAccessGateway,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=102) \"CN=Spider-dirsyssuppstock,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=111) \"CN=END-RSY Environment Projects,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=101) \"CN=Spider-eCommerceStats,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=105) \"CN=Spider-eCommerceReporting,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=93) \"CN=Spider-AppDev,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=108) \"CN=\\\\#Playhouse - Brand Sys,OU=Distribution,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=94) \"CN=APPS-Mainframe,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=106) \"CN=APPS-DBSystems ServerAdmin,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=102) \"CN=Spider-AppdevWarehouse,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=98) \"CN=END-RSY-Stock Folder,OU=_RSY Groups,OU=RSY,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\",\n (string) (len=96) \"CN=END-RSY Users,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc\"\n }\n})\n","logger":"ldap","lvl":"dbug","msg":"Ldap User found","t":"2019-02-22T14:20:51.9601001Z"}
I think it should match the first grouping shown? (“OU=_Env Projects”)

Hi @simonm99,

I passed the log text through jq to display it more clearly with \n escape sequences decoded to newlines.

[tmp] $ jq -r .info <<EOF
{"info":"[…]","logger":"ldap","lvl":"dbug","msg":"Ldap User found","t":"2019-02-22T14:20:51.9601001Z"}
EOF
(*login.LdapUserInfo)(0xc0002d7a40)({
 DN: (string) (len=94) "CN=Mouse\, Mickey,OU=_Env Projects,OU=RSY,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 FirstName: (string) (len=5) "Mickey",
 LastName: (string) (len=6) "Mouse",
 Username: (string) (len=8) "MMOUSE",
 Email: (string) (len=23) "Mickey_Mouse@foo.co.uk",
 MemberOf: ([]string) (len=37 cap=64) {
 (string) (len=106) "CN=APPS-Wibble-KB-Systems,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=101) "CN=APPS-Wibble-PR-QA,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=97) "CN=USRS-ITSRDS-RemotingTools,OU=RDS,OU=Groups,OU=Instore 2012R2 Servers,DC=Instore,DC=foo,DC=loc",
 (string) (len=106) "CN=APPS-Wibble-ChangeOnly,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=103) "CN=USRS-ITSRDS-AllowedUserWebLogon,OU=RDS,OU=Groups,OU=Instore 2012R2 Servers,DC=Instore,DC=foo,DC=loc",
 (string) (len=139) "CN=END-RSY-STOCK-MAINFRAMEMODERNISATIONTEAM-JAVA-GITREPOSITORIES,OU=_RSY Groups,OU=RSY,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=113) "CN=SMAGRP-MAINFRAMEENVIRONMENT,OU=Access Groups,OU=_SharedMailboxes,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=104) "CN=SVC-SCCM-RemoteControl,OU=Config Manager Groups,OU=Groups,OU=InstoreSystems,DC=Instore,DC=foo,DC=loc",
 (string) (len=102) "CN=USRS-PST-BlockedAccess,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=100) "CN=USRS-LyncStandard,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=101) "CN=END-BA-S1 Patching,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=98) "CN=Web-Infrastructure,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=119) "CN=END-BA-Systems Project XF0065 Folder,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=119) "CN=END-BA-Systems Project XF0057 Folder,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=103) "CN=USRS-RsyIntExpPolicy,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=119) "CN=END-BA-Systems Project XF0054 Folder,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=93) "CN=USRS-MQAdmins,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=107) "CN=USRS-Environmental_Projects,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=117) "CN=SmaGrp-EnvironmentalProjectsDBA,OU=Access Groups,OU=_SharedMailboxes,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=114) "CN=END-RSY-EnvironmentalProjects Folder,OU=_RSY Groups,OU=RSY,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=124) "CN=APPS-Infrastructure Database Edit All Assets,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=95) "CN=USRS-end-idmq01,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=105) "CN=SmaGrp-SQLServerDBA,OU=Access Groups,OU=_SharedMailboxes,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=110) "CN=PinsafeCAGEE,OU=_PINsafeGroups,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=97) "CN=USRS-Openfire,OU=Distribution,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=104) "CN=APPS-CitrixAccessGateway,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=102) "CN=Spider-dirsyssuppstock,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=111) "CN=END-RSY Environment Projects,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=101) "CN=Spider-eCommerceStats,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=105) "CN=Spider-eCommerceReporting,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=93) "CN=Spider-AppDev,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=108) "CN=\#Playhouse - Brand Sys,OU=Distribution,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=94) "CN=APPS-Mainframe,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=106) "CN=APPS-DBSystems ServerAdmin,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=102) "CN=Spider-AppdevWarehouse,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=98) "CN=END-RSY-Stock Folder,OU=_RSY Groups,OU=RSY,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
 (string) (len=96) "CN=END-RSY Users,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc"
 }
})

The username ends with OU=_Env Projects,OU=RSY,OU=End,OU=Users,OU=FooPLC,DC=foo-uk,DC=foo,DC=loc but that’s not how matching works. The group_dn is matched against any of the memberOf items. The user is a member of 37 groups and none of them match the group_dn you specified in the group mapping. That is why the wildcard * is used.

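To make the matching rule in the answer above concrete, here is a small checker (an added example, not Grafana's own code and not from either poster) that runs the asker's three `[[servers.group_mappings]]` entries against a few of the `memberOf` values from the "Ldap User found" log entry. It models the rule as I understand Grafana 5.x applies it: a `group_dn` of `*` matches everyone, any other `group_dn` must equal one `memberOf` value (compared case-insensitively, as a whole string), and the first mapping in file order that matches decides the role; that reading of the matching semantics is an assumption, as are the constructed `MEMBER_OF` subset and the "corrected" mapping, which simply pastes a `memberOf` value from the log as the answer recommends. The `near_misses` helper flags `memberOf` entries whose leading `CN=` matches a `group_dn` whose remaining RDNs do not, which is exactly the kind of mismatch that silently falls through to the `*` mapping. Worth remembering when reviewing such a file: the `*` entry grants the Viewer role to every AD account that can bind, so an unmatched `group_dn` fails open into that role rather than failing closed.

```python
import re

# Constructed subset (3 of the 37 values) of the memberOf list from the
# "Ldap User found" log entry above; DNs copied as they appear in the log.
MEMBER_OF = [
    "CN=APPS-Wibble-KB-Systems,OU=Security,OU=_FoopLC Groups,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
    "CN=END-RSY-Stock Folder,OU=_RSY Groups,OU=RSY,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
    "CN=END-RSY Users,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
]

# The [[servers.group_mappings]] from the ldap.toml in the question, in file order.
ORIGINAL_MAPPINGS = [
    {"group_dn": "OU=_Env Projects,OU=RSY,OU=End,OU=Users,OU=FooPLC,DC=foo-uk,DC=foo,DC=loc",
     "org_role": "Admin"},
    {"group_dn": "CN=END-RSY Users,OU=FooPLC,DC=foo-uk,DC=foo,DC=loc", "org_role": "Editor"},
    {"group_dn": "*", "org_role": "Viewer"},
]

# Assumed corrected mapping: group_dn pasted verbatim from a memberOf value in the log.
CORRECTED_MAPPINGS = [
    {"group_dn": "CN=END-RSY Users,OU=Security,OU=_End Groups,OU=End,OU=Users,OU=FoopLC,DC=foo-uk,DC=foo,DC=loc",
     "org_role": "Editor"},
    {"group_dn": "*", "org_role": "Viewer"},
]


def is_member_of(member_of, group_dn):
    """Assumed Grafana rule: '*' matches everyone; otherwise the whole DN must
    equal one memberOf value, ignoring case. No prefix or substring matching."""
    if group_dn == "*":
        return True
    wanted = group_dn.casefold()
    return any(m.casefold() == wanted for m in member_of)


def resolve_role(member_of, mappings):
    """Return (org_role, matched group_dn) of the first mapping that matches,
    or (None, None) if no mapping (not even '*') matches."""
    for mapping in mappings:
        if is_member_of(member_of, mapping["group_dn"]):
            return mapping["org_role"], mapping["group_dn"]
    return None, None


def unmatched_mappings(member_of, mappings):
    """group_dn values (other than '*') that match nothing: each is a line of
    ldap.toml to re-check against the 'Ldap User found' debug output."""
    return [m["group_dn"] for m in mappings
            if m["group_dn"] != "*" and not is_member_of(member_of, m["group_dn"])]


def first_rdn(dn):
    """Leading RDN of a DN, splitting on the first comma that is not escaped
    with a backslash (so 'CN=Mouse\\, Mickey,OU=...' keeps its comma)."""
    return re.split(r"(?<!\\),", dn, maxsplit=1)[0]


def near_misses(member_of, group_dn):
    """memberOf values whose leading RDN equals that of group_dn while the
    rest of the DN differs: a probable copy error in the config."""
    head = first_rdn(group_dn).casefold()
    return [m for m in member_of
            if first_rdn(m).casefold() == head and m.casefold() != group_dn.casefold()]


if __name__ == "__main__":
    role, via = resolve_role(MEMBER_OF, ORIGINAL_MAPPINGS)
    print(f"original config -> {role} (matched {via!r})")
    for dn in unmatched_mappings(MEMBER_OF, ORIGINAL_MAPPINGS):
        print(f"  unmatched group_dn: {dn}")
        for hint in near_misses(MEMBER_OF, dn):
            print(f"    did you mean: {hint}")
    role, via = resolve_role(MEMBER_OF, CORRECTED_MAPPINGS)
    print(f"corrected config -> {role} (matched {via!r})")
```

Running it reports the original file falling through to Viewer via `*`, lists both real `group_dn` values as unmatched (the first is an OU container, which never appears in `memberOf` because `memberOf` holds group objects), suggests the `CN=END-RSY Users,OU=Security,...` entry as the intended target of the second, and resolves the corrected file to Editor.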

Thank you, I was unaware of jq and will study this. It certainly makes things clearer.

Thank you for spending the time on this. I found that by changing my mappings to exactly match the memberOf it did indeed work. I had not spotted that the DNS entry roles returned for me were not exactly the same thing as that which I needed to search. To assist future readers: paste exactly what you see in the memberOf entry into group_dn in your ldap.toml. I had not noticed that the “OU=” returned by LDAP had to be switched to “CN=” to map correctly.


Hi @simonm99,

Thank you for posting the outcome, I’m glad to read that it works for you and also happy to bring jq to your attention. We work frequently with JSON in modern IT, so it’s very useful to know this tool :slight_smile:

It helped me find what was wrong in my LDAP configuration. Thanks to the Grafana community.
