Trouble with AD Authentication using groups

  • What Grafana version and what operating system are you using?
    Version 8.4.4 on Rocky Linux 8.5 Minimal

  • What are you trying to achieve?
    Logging in via AD authentication

  • How are you trying to achieve it?
    I’ve enabled LDAP in the grafana.ini file and pointed it at /etc/grafana/ldap.toml

I’ve configured ldap.toml with settings that I believe are correct, based on the Grafana documentation + a bunch of others when that wouldn’t work.

When I define my multiple LDAP groups per documentation, I get the following error.

logger=ldap t=2022-04-14T19:19:10.49-0400 lvl=info msg="LDAP enabled, reading config file" file=/etc/grafana/ldap.toml
logger=context t=2022-04-14T19:19:10.49-0400 lvl=eror msg="Error while trying to authenticate user" error="Failed to get LDAP config: Failed to load LDAP config file: Near line 69 (last key parsed 'servers.group_mappings.group_dn'): Key 'servers.group_mappings.group_dn' has already been defined." remote_addr=MY_IP_ADDRESS

This is my config for searching groups:

group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_base_dns = ["ou=apps,ou=rule groups,ou=company groups,dc=company,dc=com"]
group_search_filter_user_attribute = "cn"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "app_grafana_admin"
org_role = "Admin"
grafana_admin = true


[[servers.group_mappings]]
group_dn = "app_grafana_editor"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "app_grafana_viewer"
org_role = "Viewer"

group_dn = "*"
org_role = "Viewer"

Yes, I’m using a CN for my group name, but that’s after using the DN gave me the same result and I came across the final post on this page:

So I commented out all of the [[servers.group_mappings]], to see if I was at least authenticating correctly and searching AD. It appears I am - with all the groups commented out, I can login just fine (but am a view-only user).

Uncommenting just the Admin role and trying to log in, I see that my user is found, and the list of groups I’m a member of includes the group I’m trying to call out in my .toml file.

Name: (string) (len=14) \"MorsePacific Admin\",\n  Groups: ([]string) (len=5 cap=8) {\n   (string) (len=77) \"CN=APP_Grafana_Admin,OU=Apps,OU=Rule Groups,OU=Company Groups,DC=company,DC=com\"

The next log line gives me this error:

logger=ldap t=2022-04-14T19:26:26.6-0400 lvl=eror msg="User does not belong in any of the specified LDAP groups" username=morsepacific groups="unsupported value type"

I’m just not sure what I’m missing or doing wrong. It’s probably an obvious one but I’m missing it. Any help would be greatly appreciated!

I’ve pasted my full config file below with sensitive info redacted

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "x.x.x.x"
# Default port is 389 or 636 if use_ssl = true
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false


# Search user bind dn
bind_dn = "COMPANY\\%s"

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["dc=company,dc=com"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "mail"

## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
## An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_base_dns = ["ou=apps,ou=rule groups,ou=company groups,dc=company,dc=com"]
## the %s in the search filter will be replaced with the attribute defined below
group_search_filter_user_attribute = "cn"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "app_grafana_admin"
org_role = "Admin"
grafana_admin = true


#[[servers.group_mappings]]
#group_dn = "app_grafana_editor"
#org_role = "Editor"

#[[servers.group_mappings]]
#group_dn = "app_grafana_viewer"
#org_role = "Viewer"

#group_dn = "*"

@morsepacific I usually recommend enabling debug logging, it should give you some visibility into what information grafana is receiving in the authentication request to compare against what you’ve configured in ldap.toml. It looks like you might have already done this. It is a good idea to start with just a single group and work from there.

Have you tried changing the case to match what is returned:

in your log message:
"CN=APP_Grafana_Admin,OU=Apps,OU=Rule Groups,OU=Company Groups,DC=company,DC=com"

config file:

[[servers.group_mappings]]
group_dn = "app_grafana_admin"
org_role = "Admin"

Thanks @melori.arellano
I’d been using the debug logging for the errors I posted originally, but couldn’t make sense of them. It seems I was a bit off everywhere. I had to enable start_tls in order to get the Grafana UI to see an active LDAP connection, but that gave me the ability to more rapidly make changes and test.

I had to go back to a defined bind_password, and then change the case based on what was returned. I originally had everything set case sensitive, but changed all to lowercase as part of troubleshooting. It looks like everything is now working well.

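Added example, not part of the thread and not Grafana's own code: a line-based check (not a full TOML parser) for two things visible in the posted ldap.toml, a mapping entry with no [[servers.group_mappings]] header above it, and a group_dn that is a bare name rather than a DN like the ones the debug log lists under Groups. The function names and the POSTED and MEMBER_OF samples are constructed from values in the question, and the check assumes group_dn has to equal a whole memberOf value.

```python
import re

# Constructed from the question: the last entry has no [[servers.group_mappings]] header.
POSTED = '''
[[servers.group_mappings]]
group_dn = "app_grafana_admin"
org_role = "Admin"
grafana_admin = true

[[servers.group_mappings]]
group_dn = "app_grafana_editor"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "app_grafana_viewer"
org_role = "Viewer"

group_dn = "*"
org_role = "Viewer"
'''
# memberOf value as shown in the debug log in the question.
MEMBER_OF = ["CN=APP_Grafana_Admin,OU=Apps,OU=Rule Groups,"
             "OU=Company Groups,DC=company,DC=com"]

HEADER = re.compile(r'^\s*\[\[?[\w.]+\]\]?\s*$')
KEYVAL = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*)"?')

def first_rdn_value(dn):
    return dn.split(",", 1)[0].split("=", 1)[-1].strip().lower()

def lint_group_mappings(text, member_of):
    """Return (line, code, detail) findings for an ldap.toml fragment."""
    findings, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if HEADER.match(line):
            seen = set()  # new table: keys may appear again
            continue
        m = KEYVAL.match(line)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1), m.group(2).strip()
        if key in seen:  # same key twice in one table: the file will not load
            findings.append((n, "DUPLICATE_KEY", key))
        seen.add(key)
        if key == "group_dn" and value != "*" and "=" not in value:
            # Assumption: group_dn must equal a whole memberOf string.
            hint = next((dn for dn in member_of
                         if first_rdn_value(dn) == value.lower()), None)
            findings.append((n, "NOT_A_DN", hint))
    return findings
```

Each NOT_A_DN finding carries the matching DN from the log as a suggested replacement when one exists; running the check before enabling a mapping with grafana_admin = true shows whether that grant can ever match.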