LDAP group mappings aren't working as expected

Hi Grafana folks,

I'm using Grafana version 4.6.3 installed on a CentOS 6 machine with LDAP integration.
All users in our company should have the Editor role in the main (default) org, except one group which should be restricted to the main org, and they need access to a dedicated org (org_id=3).

LDAP config in grafana.ini:

```ini
#################################### Auth LDAP ##########################
[auth.ldap]
enabled = true
;config_file = /etc/grafana/ldap.toml
;allow_sign_up = true
```

ldap.toml config file:

```toml
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "mail"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "CN=Grafana-admin,OU=myteam,DC=mycompany,DC=com"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
#org_id = 1

#excluded group
[[servers.group_mappings]]
group_dn = "CN=Group1,OU=foo,DC=mycompany,DC=com"
org_role = "Editor"
org_id = 3

#All users getting Editor on main Org
[[servers.group_mappings]]
group_dn = "*"
org_role = "Editor"
```

Now when a user from the excluded group logs in, he has access to both the main org and the dedicated org (org_id=3).

According to the documentation, the first group mapping that is matched will be used for LDAP sync. If you have LDAP users that fit multiple mappings, the topmost mapping in the TOML config will be used.

It seems that this is not the expected behavior, or I misunderstood the documentation above.

How can I achieve the exception-group behavior, where one group should get only org_id=3 while all the others should have access to org_id=1?
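To reason about which orgs a given LDAP user ends up in, it helps to model the mapping evaluation offline before touching the live config. The following is an added example and not Grafana's own code. It assumes that the "first match wins" rule is applied separately for each org_id (so the topmost matching mapping per org is used, and a wildcard mapping for org 1 still matches a Group1 member), because that assumption reproduces the two-org result reported above; it also shows the single global first-match reading of the documentation for comparison. The mappings are taken from the ldap.toml in the post and the membership lists are constructed from the thread (the Group1 user's MemberOf values come from the log posted later; the admin and "other" users are made up).

```python
"""Offline model of how ldap.toml group mappings resolve to Grafana org roles.

Added example, not Grafana's own code. ASSUMPTION: the first-match rule is
applied per org_id (one winning mapping per org). The second resolver shows
the one-mapping-total reading of the documentation for comparison.
"""

# Mappings in the order they appear in the thread's ldap.toml.
# org_id is omitted for the admin mapping in the file, so it defaults to 1.
MAPPINGS = [
    {"group_dn": "CN=Grafana-admin,OU=myteam,DC=mycompany,DC=com",
     "org_role": "Admin"},
    {"group_dn": "CN=Group1,OU=foo,DC=mycompany,DC=com",
     "org_role": "Editor", "org_id": 3},
    {"group_dn": "*", "org_role": "Editor"},
]


def is_member_of(member_of, group_dn):
    """'*' matches every user; otherwise compare DNs case-insensitively,
    since LDAP DNs are not case sensitive."""
    if group_dn == "*":
        return True
    wanted = group_dn.casefold()
    return any(dn.casefold() == wanted for dn in member_of)


def resolve_org_roles(member_of, mappings=MAPPINGS):
    """Assumed per-org rule: for each org_id, the topmost matching mapping wins.
    Returns {org_id: role}."""
    roles = {}
    for mapping in mappings:
        org_id = mapping.get("org_id", 1)
        if org_id in roles:
            continue  # this org already has its winner; later mappings are ignored
        if is_member_of(member_of, mapping["group_dn"]):
            roles[org_id] = mapping["org_role"]
    return roles


def resolve_global_first_match(member_of, mappings=MAPPINGS):
    """Reading of the docs the poster expected: exactly one mapping, the first
    that matches anywhere in the file, decides the user's single org."""
    for mapping in mappings:
        if is_member_of(member_of, mapping["group_dn"]):
            return {mapping.get("org_id", 1): mapping["org_role"]}
    return {}


# Constructed membership lists. GROUP1_USER mirrors the MemberOf values in
# the "Ldap User found" log line from the thread; the other two are invented.
GROUP1_USER = [
    "CN=Group1,OU=foo,DC=mycompany,DC=com",
    "CN=Group2,OU=bar,OU=blabla1,OU=blabla2,OU=blabla3,OU=mycompany,DC=com",
]
ADMIN_USER = ["CN=Grafana-admin,OU=myteam,DC=mycompany,DC=com"]
OTHER_USER = ["CN=Something,OU=elsewhere,DC=mycompany,DC=com"]

if __name__ == "__main__":
    for label, groups in [("Group1 user", GROUP1_USER),
                          ("admin user", ADMIN_USER),
                          ("other user", OTHER_USER)]:
        print(f"{label}: per-org first match -> {resolve_org_roles(groups)}; "
              f"global first match -> {resolve_global_first_match(groups)}")
```

Under the per-org model the Group1 user gets Editor in org 3 from the second mapping and Editor in org 1 from the wildcard, which is exactly the two-org outcome described above; only under the single global first-match reading would the user land in org 3 alone. Running a script like this against every mapping change, with the memberOf lists from a few representative accounts, is a cheap way to catch a wildcard that grants more than intended before it reaches production.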

Hi,

Please enable verbose logging and check the Grafana server log when a user from the excluded group authenticates. Include the result here for further support.

```toml
# Set to true to log user information returned from LDAP
verbose_logging = true
```

Marcus

I masked some internal details, here you go:

```
t=2018-01-15T09:11:57-0500 lvl=dbug msg="Updating last user_seen_at" logger=context userId=22 orgId=1 uname="USER1 Test Test" user_id=22
t=2018-01-15T09:12:01-0500 lvl=info msg="Request Completed" logger=context userId=22 orgId=1 uname="USER1 Test Test" method=GET path=/logout status=302 remote_addr=xxx.xxx.xxx.xxx time_ms=0 size=29 referer="https://xxxxx.xxx/?orgId=1"
t=2018-01-15T09:12:12-0500 lvl=dbug msg="Ldap User found" logger=ldap info="(*login.LdapUserInfo)(0xc420136310)({\n DN: (string) (len=86) \"CN=USER1 Test Test,OU=Group1,OU=foo,DC=mycompany,DC=com\",\n FirstName: (string) (len=8) \"USER1 Test\",\n LastName: (string) (len=4) \"Test\",\n Username: (string) (len=13) \"USER1 Test Test\",\n Email: (string) \"\",\n MemberOf: ([]string) (len=2 cap=2) {\n (string) (len=87) \"CN=Group1,OU=foo,DC=mycompany,DC=com\",\n (string) (len=96) \"CN=Group2,OU=bar,OU=blabla1,OU=blabla2,OU=blabla3,OU=mycompany,DC=com\"\n }\n})\n"
t=2018-01-15T09:12:12-0500 lvl=dbug msg="Syncing user info" logger=ldap username="USER1 Test Test"
```

I'm guessing that you cannot use the wildcard mapping then, but I'm unsure.

If you delete the user in question from the organizations in Grafana and try again, is there any difference?

Marcus

Deleting the user didn't fix the issue; the next time the user logged in he got 2 organizations.

Do you know if there is any chance I can use a regex within the group_dn? Or is there any other way to restrict AD groups?

Thank you for your kind response and help Marcus.