Unable to dial LDAP server, unable to read LDAP response packet: unexpected EOF, network Ok

I am trying to connect to an LDAP server.

LDAP is activated and the ldap.toml file is read; it is posted below.
I did not find any matching issue in the community, only some with "unable to dial LDAP server" with network or cert problems, which were clearly stated in the log.

DEBUG activated for ldap.
grafana.log when trying to log in interactively:
DBUG[01-26|07:47:55] unable to dial LDAP server logger=ldap host=172.22.91.102 port=636 error="unable to read LDAP response packet: unexpected EOF"
t=2021-01-26T07:47:55+0100 lvl=dbug msg="unable to dial LDAP server" logger=ldap host=172.22.91.102 port=636 error="unable to read LDAP response packet: unexpected EOF"
EROR[01-26|07:47:55] Error while trying to authenticate user logger=context userId=0 orgId=0 uname= error="unable to read LDAP response packet: unexpected EOF" remote_addr=192.168.206.4
t=2021-01-26T07:47:55+0100 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="unable to read LDAP response packet: unexpected EOF" remote_addr=192.168.206.4
EROR[01-26|07:47:55] Request Completed logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=192.168.206.4 time_ms=94 size=53 referer=https://172.22.91.74:3000/login
t=2021-01-26T07:47:55+0100 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=192.168.206.4 time_ms=94 size=53 referer=https://172.22.91.74:3000/login

Network is OK:
→ curl -v telnet://172.22.91.102:636
* Rebuilt URL to: telnet://172.22.91.102:636/
*   Trying 172.22.91.102...
* TCP_NODELAY set
* Connected to 172.22.91.102 (172.22.91.102) port 636 (#0)

ldap.toml file:
→ cat /etc/grafana/ldap.toml
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "172.22.91.102"
# Default port is 389 or 636 if use_ssl = true
port = 636
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = true
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = true
# set to true if you want to skip SSL cert validation
ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
# Search user bind dn
bind_dn = "dc=group,dc=corp"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
#bind_password = 'grafana'

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"

search_filter = "(cn=%s)"

# An array of base dns to search through

search_base_dns = ["dc=group,dc=corp"]

Hi,

Did you look up this GitHub issue? (Not the same issue, but it contains working config parameters.)

#Set to true to log user information returned from LDAP
verbose_logging = true

[[servers]]
# Ldap server host
host = "ldap.myserver.com"
# Default port is 389 or 636 if use_ssl = true
port = 636
# Set to true if ldap server supports TLS
use_ssl = true
# set to true if you want to skip ssl cert validation
ssl_skip_verify = true

# Search user bind dn
bind_dn = "cn=BindUser,dc=mydc,dc=yourdc,dc=com"
# Search user bind password
bind_password = 'idontknow'

# Search filter, for example "(cn=%s)" or "(sAMAccountName=%s)"
search_filter = "(id=%s)"

# An array of base dns to search through
search_base_dns = ["dc=mydc,dc=yourdc,dc=com"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "cn"
surname = "givenName"
username = "id"
member_of = "memberOf"
email =  "mail"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=mydc,dc=yourdc,dc=com"
org_role = "Admin"
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
#group_dn = "cn=users,dc=grafana,dc=org"
group_dn = "*"
org_role = "Editor"

Reference: LDAP: Cannot connect using LDAPS · Issue #2992 · grafana/grafana · GitHub

Hope it helps.

Good Luck

Solution: switch TLS on with ldaps
In my case, I had to switch TLS and ldaps on via the following parameters:
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = true
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false

To find this out, ldapsearch was helpful (in my case the URL had to be set with ldaps, so it became clear).

https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html
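The combination that broke the original config (start_tls = true together with port 636) is easy to catch before restarting Grafana. The following checker is an added example, not Grafana code: it reads the transport keys of an ldap.toml with a deliberately minimal parser (constructed here, not a full TOML parser), flags the StartTLS-on-LDAPS mismatch that produces the "unexpected EOF" above, the reverse mismatch on 389, and the weaker settings (no TLS, ssl_skip_verify). The sample config embedded at the bottom is constructed to mirror the thread's original file.

```python
def parse_servers(text: str) -> list[dict]:
    """Minimal reader for the ldap.toml subset needed here: [[servers]] tables and
    key = bool | int | quoted string, with full-line # comments. Not a full TOML parser."""
    servers: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[servers]]":
            servers.append({})
        elif line.startswith("[") or not servers:
            continue  # sub-tables and top-level keys do not affect the transport
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value in ("true", "false"):
                servers[-1][key] = value == "true"
            elif value.isdigit():
                servers[-1][key] = int(value)
            else:
                servers[-1][key] = value.strip("\"'")  # arrays are kept as raw text
    return servers

def lint_transport(server: dict) -> list[str]:
    """Findings for one [[servers]] entry; the connection-breaking combination comes first."""
    use_ssl = server.get("use_ssl", False)
    start_tls = server.get("start_tls", False)
    port = server.get("port", 636 if use_ssl else 389)  # Grafana's documented defaults
    findings: list[str] = []
    if use_ssl and start_tls and port == 636:
        # Grafana opens a plaintext socket and sends the StartTLS extended request; an
        # LDAPS listener expects a TLS ClientHello and closes, so the client reads EOF.
        findings.append("start_tls=true on port 636: StartTLS sent to an LDAPS listener "
                        "(symptom: 'unable to read LDAP response packet: unexpected EOF'); "
                        "set start_tls = false")
    if use_ssl and not start_tls and port == 389:
        findings.append("use_ssl=true, start_tls=false on port 389: TLS handshake against "
                        "a plaintext listener; use port 636 or set start_tls = true")
    if not use_ssl:
        findings.append("use_ssl=false: bind password and search results travel in cleartext")
    if server.get("ssl_skip_verify"):
        findings.append("ssl_skip_verify=true: server certificate is not validated; set "
                        "root_ca_cert once connectivity works")
    return findings

# Constructed input mirroring the thread's original ldap.toml (start_tls = true on 636).
BROKEN = """[[servers]]
port = 636
use_ssl = true
start_tls = true
ssl_skip_verify = true
"""
FIXED = BROKEN.replace("start_tls = true", "start_tls = false")
```

Running `lint_transport(parse_servers(BROKEN)[0])` reports the StartTLS-on-636 mismatch plus the skipped certificate check; the fixed config only leaves the ssl_skip_verify finding, which is the next thing to tighten once the bind works.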
