-
What Grafana version and what operating system are you using?
Version 8.4.4 on Rocky Linux 8.5 Minimal -
What are you trying to achieve?
Logging in via AD authentication -
How are you trying to achieve it?
I’ve enabled LDAP in the grafana.ini file and pointed it at /etc/grafana/ldap.toml
I’ve configured ldap.toml with settings that I believe are correct, based on the Grafana documentation + a bunch of others when that wouldn’t work.
When I define my multiple LDAP groups per documentation, I get the following error.
logger=ldap t=2022-04-14T19:19:10.49-0400 lvl=info msg="LDAP enabled, reading config file" file=/etc/grafana/ldap.toml
logger=context t=2022-04-14T19:19:10.49-0400 lvl=eror msg="Error while trying to authenticate user" error="Failed to get LDAP config: Failed to load LDAP config file: Near line 69 (last key parsed 'servers.group_mappings.group_dn'): Key 'servers.group_mappings.group_dn' has already been defined." remote_addr=MY_IP_ADDRESS
This is my config for searching groups:
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_base_dns = ["ou=apps,ou=rule groups,ou=company groups,dc=company,dc=com"]
group_search_filter_user_attribute = "cn"
# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "app_grafana_admin"
org_role = "Admin"
grafana_admin = true
[[servers.group_mappings]]
group_dn = "app_grafana_editor"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "app_grafana_viewer"
org_role = "Viewer"
group_dn = "*"
org_role = "Viewer"
Yes, I’m using a CN for my group name, but that’s after using the DN gave me the same result and I came across the final post on this page:
So I commented out all of the [[servers.group_mappings]], to see if I was at least authenticating correctly and searching AD. It appears I am - with all the groups commented out, I can login just fine (but am a view-only user).
Uncommenting just the Admin role and trying to log in, I see that my user is found and in the list of groups I’m a member of, is the group I’m trying to call out in my .toml file.
Name: (string) (len=14) \"MorsePacific Admin\",\n Groups: ([]string) (len=5 cap=8) {\n (string) (len=77) \"CN=APP_Grafana_Admin,OU=Apps,OU=Rule Groups,OU=Company Groups,DC=company,DC=com\"
The next log line gives me this error:
logger=ldap t=2022-04-14T19:26:26.6-0400 lvl=eror msg="User does not belong in any of the specified LDAP groups" username=morsepacific groups="unsupported value type"
I’m just not sure what I’m missing or doing wrong. It’s probably an obvious one but I’m missing it. Any help would be greatly appreciated!
I’ve pasted my full config file below with sensitive info redacted
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "x.x.x.x"
# Default port is 389 or 636 if use_ssl = true
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
# Search user bind dn
bind_dn = "COMPANY\\%s"
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"
# An array of base dns to search through
search_base_dns = ["dc=company,dc=com"]
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"
## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
## An array of the base DNs to search through for groups. Typically uses ou=groups
group_search_base_dns = ["ou=apps,ou=rule groups,ou=company groups,dc=company,dc=com"]
## the %s in the search filter will be replaced with the attribute defined below
group_search_filter_user_attribute = "cn"
# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "app_grafana_admin"
org_role = "Admin"
grafana_admin = true
#[[servers.group_mappings]]
#group_dn = "app_grafana_editor"
#org_role = "Editor"
#[[servers.group_mappings]]
#group_dn = "app_grafana_viewer"
#org_role = "Viewer"
#group_dn = "*"