LDAP integration

I am using Grafana v5.1.3 and would like to authenticate my users only via Active Directory LDAP.

I enabled the option in the grafana.ini file and made the settings in ldap.toml.

In the grafana.ini file, when I leave the allow_sign_up option as "true", the users can log in normally via LDAP even though they are not registered in the Grafana database. In this case they are created in the Grafana database automatically as Viewer users. However, I would like authentication only via LDAP, and only those users pre-registered in Grafana's database should have access. Is it possible?

So I'm trying to change the allow_sign_up option to "false". In this case I create the user with the same name in the Grafana database, but this way the users cannot log in.

This is my ldap.toml file:

```toml
# filters = ldap:debug

[[servers]]
host = "myserver.mydomain.com"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "cn=MyCNName,ou=MyOUName,ou=MyOUName,dc=MydomainName,dc=MydomainName"
bind_password = 'mypassword'
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["ou=MyOUName,dc=MydomainName,dc= MydomainName "]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "CN= MyCNName,OU= MyOUName,OU= MyCNName,DC= MydomainName,DC= MydomainName "
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1)
# will be used
org_id = 1

[[servers.group_mappings]]
group_dn = "CN= MyCNName,OU= MyOUName,OU= MyCNName,DC= MydomainName,DC= MydomainName "
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"
```

When you say the grafana username matches their ldap username, do you mean the samaccountname or the cn? Since you have the cn mapped to username it’s going to try to use that to locate the user.
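The point raised in the reply, as an added example (not part of the thread and not Grafana code): a small Python check over an ldap.toml that reports when the attribute used in search_filter differs from the attribute mapped to username, and when neither use_ssl nor start_tls is enabled. The sample config is constructed from the values in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: the relevant keys of the ldap.toml in the post (placeholder values).
SAMPLE = """
[[servers]]
host = "myserver.mydomain.com"
port = 389
use_ssl = false
start_tls = false
search_filter = "(sAMAccountName=%s)"

[servers.attributes]
username = "cn"
"""

def parse_ldap_toml(text):
    """Read flat `key = value` lines under [section] headers (not a full TOML parser).
    Repeated tables such as group mappings overwrite each other; they are not needed here."""
    section, settings = "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[+([\w.]+)\]+", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[f"{section}.{key.strip()}"] = value.strip().strip("\"'")
    return settings

def login_attribute(search_filter):
    """Attribute the typed login name (%s) is compared against in the search filter."""
    match = re.search(r"\(\s*([\w-]+)\s*=\s*%s\s*\)", search_filter)
    return match.group(1) if match else None

def lint(text):
    cfg, findings = parse_ldap_toml(text), []
    typed = login_attribute(cfg.get("servers.search_filter", ""))
    mapped = cfg.get("servers.attributes.username")
    if typed and mapped and typed.lower() != mapped.lower():
        findings.append(f"username-mismatch: login is matched on {typed}, "
                        f"Grafana username is read from {mapped}")
    if cfg.get("servers.use_ssl") != "true" and cfg.get("servers.start_tls") != "true":
        findings.append("cleartext-ldap: neither use_ssl nor start_tls is enabled, "
                        "so bind and user passwords cross the network unencrypted")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

With allow_sign_up set to "false", a username-mismatch finding means the pre-created Grafana account has to carry the value of the mapped attribute (here cn), not the name the user types at login.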