LDAP single bind

silingoro · May 10, 2022, 7:27am

I didn’t get it working, here is the message. Not sure if it is ldap issue, AD issue or binding issue.

t=2022-05-10T15:15:05+0800 lvl=eror msg=“Cannot bind user cn=jungunkim,dc=nk,dc=acme,dc=com with LDAP” logger=ldap error=“invalid username or password”
t=2022-05-10T15:15:05+0800 lvl=eror msg=“Invalid username or password” logger=context userId=0 orgId=0 uname= error=“invalid username or password” remote_addr=10.0.0.1

Here is the configuration in ldap.toml
[[servers]]

host = “ldaps.nk.acme.com”
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = true
bind_dn = “cn=%s,dc=nk,dc=acme,dc=com”

search_filter = “(sAMAccountName=%s)”
search_base_dns = [“dc=nk,dc=acme,dc=com”]
group_search_base_dns = [“dc=nk,dc=acme,dc=com”]

[servers.attributes]
username = “sAMAccountName”
member_of = “memberOf”
email = “mail”
name = “displayName”

Matt · May 10, 2022, 4:44pm

Have you tried search_filter = “(cn=%s)” instead of search_filter = “(sAMAccountName=%s)”?

mburdynski · May 16, 2022, 8:01am

Hi,

for AD you have to set bind_dn as below:
bind_dn = “yourdomain\%s”

in your example it will be “nk\%s” i think.
its not easy to find in Documentation but i found it on some Group and it helps for me.

search_filter = “(sAMAccountName=%s)” is ok,
group_search_base_dns i didn’t use.

Best regards!

silingoro · May 23, 2022, 7:57am

I tried both ways as suggested but it is not working?
I think my AD does not support simple bind / single bind. But I am not sure. Is there a way we can check?

Matt · May 31, 2022, 3:55pm

I think my AD does not support simple bind / single bind. But I am not sure. Is there a way we can check?

What do your logs say?

silingoro · June 10, 2022, 8:50am

t=2022-06-10T16:45:29+0800 lvl=info msg=“LDAP enabled, reading config file” logger=ldap file=/etc/grafana/ldap.toml
t=2022-06-10T16:45:29+0800 lvl=eror msg=“Error while trying to authenticate user” logger=context userId=0 orgId=0 uname= error=“Failed to get LDAP config: Failed to load LDAP config file: Near line 8 (last key parsed ‘servers.bind_dn’): invalid escape character ‘c’; only the following escape characters are allowed: \b, \t, \n, \f, \r, \”, \\, \uXXXX, and \UXXXXXXXX" remote_addr=10.0.0.1
t=2022-06-10T16:45:29+0800 lvl=eror msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=10.0.0.1 time_ms=19 size=53 referer=http://grafana.nk.acme.com:3000/login
t=2022-06-10T16:45:38+0800 lvl=info msg=“LDAP enabled, reading config file” logger=ldap file=/etc/grafana/ldap.toml
t=2022-06-10T16:45:38+0800 lvl=eror msg=“Error while trying to authenticate user” logger=context userId=0 orgId=0 uname= error=“Failed to get LDAP config: Failed to load LDAP config file: Near line 8 (last key parsed ‘servers.bind_dn’): invalid escape character ‘c’; only the following escape characters are allowed: \b, \t, \n, \f, \r, \”, \\, \uXXXX, and \UXXXXXXXX" remote_addr=10.0.0.1
t=2022-06-10T16:45:38+0800 lvl=eror msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=10.0.0.1 time_ms=16 size=53 referer=http://grafana.nk.acme.com:3000/login

Matt · June 10, 2022, 5:48pm

Failed to get LDAP config: Failed to load LDAP config file: Near line 8 (last key parsed ‘servers.bind_dn’): invalid escape character ‘c’; only the following escape characters are allowed: \b, \t, \n, \f, \r, \”, \, \uXXXX, and \UXXXXXXXX"