Looking to see if there’s anyone with some ideas about a problem we’ve got that’s becoming more of an issue.
Setup here is that we’ve got Grafana instances (v4.2.0 at the moment) that are using MySQL as their backend database (instead of the bundled SQLite) and that MySQL is a clustered one (NDBCLUSTER table type). User authentication is being done against our LDAP/AD setup.
This arrangement seems to work fine with one drawback. On occasion a user will try to log in, but will then be told that they are “unauthorised”. When someone else checks, the user account is still there, but if that account is then deleted, the user can then log in as normal. Although we’ve then got to reassign any admin rights, etc.
We can’t see any errors in MySQL, and if there were it’d be a subtle issue for just one row in a table to become corrupted.
Has anyone out there in Grafana-land seen something similar, or should I just go ahead and log an issue?
Hello Torkel, sorry for the delay but we were trying to get a handle on when this was happening and trying to get a process that can consistently cause the problem.
We’ve managed it now and it looks like it definitely isn’t a problem with Grafana, but more to do with LDAP integration.
Basically we’d got LDAP users that were in more than one Grafana “org” - or at least that was our intention. When they log in periodically Grafana/LDAP is doing a lookup and then setting them in the first Grafana org that they match and removing them from all others.
Our local LDAP experts are recommending strongly that we just downgrade LDAP to providing user account authentication and make no attempt to map any LDAP groups to Grafana orgs.
Quite happy to chalk this one up to “daft user who should have RTFM’d”.