Ldap with Active Directory

Hi,
I am using kubernetes to deploy grafana v 7.3.4 with all my dashboards. With reference to AD ldap mappings, I have mounted all the correct files in place and it works well. I have one problem with ldap and our active directory server in that only one user can log in to grafana but no one after that. I have also noticed that the ‘Main Org’ which has an id of 1 is the only one I use and in the logs it shows it wants to register the user as user id 0 with org id 0, which does not exist, even though I forced it to always use org id 1. If someone has also experienced this issue could you please help me. Here are my grafana.ini and ldap.toml files:

grafana.ini: |-
  [auth.ldap]
  enabled = true
  config_file = /etc/grafana/ldap/ldap.toml
  allow_sign_up = true
  auto_assign_org_id = 1
  allow_org_create = false
  auto_assign_org = true
  [analytics]
  check_for_updates = true
  [grafana_net]
  url = https://grafana.net
  [log]
  mode = console
  filters = ldap:debug
  [paths]
  data = /var/lib/grafana/data
  logs = /var/log/grafana
  plugins = /var/lib/grafana/plugins

ldap.toml: |-
  [[servers]]
  host = "ldap.example.com"
  port = 636
  use_ssl = true
  start_tls = false
  ssl_skip_verify = true

  bind_dn = "cn=s_ldap_auth_grafana,ou=Generic,ou=ServiceAccounts,ou=Users,ou=Anzo,dc=corp,dc=example,dc=com"
  bind_password = 'omitted'
  search_filter = "(sAMAccountName=%s)"
  search_base_dns = ["OU=Anzo,DC=corp,DC=example,DC=com"]

  [servers.attributes]
  name = "givenName"
  surname = "sn"
  username = "sAMAccountName"
  member_of = "memberOf"
  email = "mail"

I have finally found out the correct way to do this after playing around with all the different attributes and dn types. Please note this is for Active Directory and has not been tested on any other ldap service. My config for ldap is now as follows:

ldap.toml: |-
  [[servers]]
  host = "ldap.example.com"
  port = 636
  use_ssl = true
  start_tls = false
  ssl_skip_verify = true

  bind_dn = "cn=s_ldap_auth_grafana,ou=Generic,ou=ServiceAccounts,ou=Users,ou=Anzo,dc=corp,dc=example,dc=com"
  bind_password = 'omitted'
  search_filter = "(sAMAccountName=%s)"
  search_base_dns = ["ou=Anzo,dc=corp,dc=example,dc=com"]

  [servers.attributes]
  name = "givenName"
  surname = "sn"
  username = "SAMACCOUNTNAME"
  member_of = "MEMBEROF"
  email = "mail"

  [[servers.group_mappings]]
  group_dn = "cn=sec.gg.grafana-admin,ou=Grafana,ou=Applications,ou=Groups,ou=Anzo,dc=corp,dc=example,dc=com"
  org_role = "Admin"
  grafana_admin = true
  org_id = 1

  [[servers.group_mappings]]
  group_dn = "*"
  org_role = "Viewer"
  org_id = 1

What made the big difference here was the following:

username = "SAMACCOUNTNAME"
member_of = "MEMBEROF"

I hope this helps someone down the line
Regards
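
An added example (not from the post and not Grafana's own code) that checks offline, against the ldap.toml above, how a case-insensitive attribute lookup resolves SAMACCOUNTNAME to what AD actually returns, and which org role the group_mappings yield for a constructed user entry. The mapping rule it implements (first matching entry per org_id, "*" matching everyone) is an assumption made for this check, not a statement of Grafana's internals.

```python
# Added example (not from the post): offline check of attribute lookup and
# group_mappings behaviour for the ldap.toml above. Constructed data throughout.
ATTRIBUTES = {"name": "givenName", "surname": "sn", "username": "SAMACCOUNTNAME",
              "member_of": "MEMBEROF", "email": "mail"}
ADMIN_GROUP = ("cn=sec.gg.grafana-admin,ou=Grafana,ou=Applications,ou=Groups,"
               "ou=Anzo,dc=corp,dc=example,dc=com")
GROUP_MAPPINGS = [
    {"group_dn": ADMIN_GROUP, "org_role": "Admin", "grafana_admin": True, "org_id": 1},
    # Catch-all: every AD account that can authenticate becomes a Viewer in org 1.
    {"group_dn": "*", "org_role": "Viewer", "org_id": 1},
]

# Constructed search result for one user; attribute names in the case AD returns them.
AD_ENTRY = {
    "sAMAccountName": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"],
    "mail": ["jdoe@corp.example.com"],
    "memberOf": [
        "CN=sec.gg.grafana-admin,OU=Grafana,OU=Applications,OU=Groups,OU=Anzo,DC=corp,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com",
    ],
}


def get_attr(entry, wanted, case_insensitive=True):
    """Values of attribute `wanted`. LDAP attribute names are case-insensitive
    (RFC 4512), so the default ignores case; case_insensitive=False shows what a
    byte-exact comparison yields when config and directory spell the name differently."""
    for name, values in entry.items():
        if name == wanted or (case_insensitive and name.lower() == wanted.lower()):
            return list(values)
    return []


def normalize_dn(dn):
    """Lower-case and trim each RDN so 'CN=x,DC=y' and 'cn=x,dc=y' compare equal
    (escaped commas inside an RDN are not handled by this simple split)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def map_roles(entry, attrs, mappings):
    """Per org_id, the first mapping whose group_dn the user is in (or '*') wins.
    Assumed simplification of Grafana's rules, for checking a config offline only."""
    groups = {normalize_dn(g) for g in get_attr(entry, attrs["member_of"])}
    roles = {}
    for m in mappings:
        if m["org_id"] not in roles and (
                m["group_dn"] == "*" or normalize_dn(m["group_dn"]) in groups):
            roles[m["org_id"]] = {"org_role": m["org_role"],
                                  "grafana_admin": m.get("grafana_admin", False)}
    return roles
```

Removing the "*" mapping is the quick way to confirm that an account outside the admin group gets no org at all rather than silently landing as a Viewer.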

What made the big difference here was the following:

username = "SAMACCOUNTNAME"
member_of = "MEMBEROF"

Just for clarity, do you mean those as literal strings, or should they be
substituted for appropriate values according to the organisation’s Active
Directory setup?

I hope this helps someone down the line

Very nice - thanks for giving a working example for people to find.

Antony.

It seems to vary from version to version of AD, i.e. Server 2012 to Server 2019.
The attributes seem to have changed in minor ways.