Sorry, I had to add a few spaces in links; this forum doesn't allow me more than 2 links because this is my first post.
I'm having problems with LDAP authentication. First of all, I want to say that I'm not the AD admin and my experience with LDAP is low, but I've read a lot about it, many guides, and the official documentation, but... I still have problems.
I'm using Grafana v6.6.2 (3fa63cfc34) on RedHat 7, and I need to integrate Active Directory with Grafana for authentication.
I asked the AD team for a user and a password; they have created 3 groups (admin, editor, and viewer) and gave me the following information:
- Domain: SomeDomain.net
- DNS name: SomeDomain.net
- host (here my doubts start; they said to me "we have 7 servers for the domain").
All IP hosts respond successfully to port 636 with telnet.
I have the following ldap.toml:
```toml
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "IP1 IP2 IP3 IP4 IP5 IP6 IP7"   # (before, here I tested with somedomain.net too)
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults
root_ca_cert = "/path/to/certificate.crt"

# Search user bind dn
bind_dn = "usr_grafana"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = """K0+?LP2El#x1Aj"""

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(cn=usr_grafana)"   # (here I've tested with (cn=%s) and (sAMAccountName=%s))
# An array of base dns to search through
search_base_dns = ["dc=somedomain,dc=net"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "email"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "CN=GroupGrafana_Admin,CN=Users,dc=somedomain,dc=net"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
#org_id = 1

[[servers.group_mappings]]
group_dn = "CN=GroupGrafana_Editor,CN=Users,dc=somedomain,dc=net"
org_role = "Editor"

# If you want to match all (or no ldap groups) then you can use wildcard
[[servers.group_mappings]]
group_dn = "CN=GroupGrafana_Viewer,CN=Users,dc=somedomain,dc=net"
org_role = "Viewer"
```
But when I test LDAP from the Grafana LDAP dashboard I don't get good results, because I receive an error in the terminal:
```
t=2020-05-26T23:33:04-0500 lvl=eror msg="Cannot authentificate admin user in LDAP" logger=ldap error="Invalid Username or Password"
t=2020-05-26T23:33:04-0500 lvl=eror msg="No user was found in the LDAP server(s) with that username" logger=context userId=1 orgId=1 uname=admin error="Invalid Username or Password"
```
I have auth.ldap enabled in my settings.
| auth.ldap | |
|---|---|
| active_sync_enabled | true |
| allow_sign_up | true |
| config_file | /etc/grafana/ldap.toml |
| enabled | true |
| sync_cron | 0 0 1 * * * |
Please guide me if I'm really wrong. I'm trying to understand everything, but I don't understand why I can't connect Grafana with AD for authentication. I will attach the guide that I'm using.