Unable to implement LDAP authentication for Grafana

Hello Team,
We have installed Grafana-Loki using Helm Chart (version 2.10.1), and it works fine.
While upgrading the chart to implement LDAP authentication, by updating values as below, it gives an error. Can you please help triage this error?

grafana:
  enabled: true
  logLevel: debug
  adminPassword: <REDACTED>  # Change this to a secure password
  ldap:
    enabled: true
    existingSecret: grafana-ldap

2024-03-26T12:24:40.500973396-06:00 t=2024-03-26T18:24:40+0000 lvl=eror msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="user not found" remote_addr=10.42.2.0
2024-03-26T12:24:40.501001149-06:00 t=2024-03-26T18:24:40+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=401 remote_addr=10.42.2.0 time_ms=0 size=42 referer=https://grafana.<REDACTED>/login
2024-03-26T12:24:46.704987434-06:00 t=2024-03-26T18:24:46+0000 lvl=eror msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="user not found" remote_addr=10.42.2.0
2024-03-26T12:24:46.705012136-06:00 t=2024-03-26T18:24:46+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=401 remote_addr=10.42.2.0 time_ms=0 size=42 referer=https://grafana.<REDACTED>/login

BTW, with the same config updated in ldap.toml (grafana-ldap secret), it is able to find the users in LDAP.

Please help.

Team, please check the above issue.

Can anyone shed some light on enabling LDAP authentication for Grafana?

Team, can anyone please help us with LDAP integration?

It's still an open issue.

Hello @barkathm, I would love to help you solve your LDAP issues.

We will need a little more information however.

Can you provide a slightly sanitized version of your existing secret? I will spin up a test instance of Grafana in my Kubernetes cluster that uses LDAP rather than OAuth2 for authentication.

From looking at the logs you have posted, however, it seems like it might be a simple authentication issue against the domain.


I realized I replied originally under my work account; I'll be continuing support from this account.

Thank you, @briangates, for extending your support to look into these issues.
Below is the ldap-config using which a secret (grafana-ldap) has been created:

[log]
filters = ldap:debug
[[servers]]
host = "test.div.com"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = true
bind_dn = "cn=ldapuser,ou=Users,ou=PTL,ou=Divisions,dc=test,dc=div,dc=com"
bind_password = "REDACTED"
timeout = 10

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
search_filter = ""

# An array of base dns to search through
search_base_dns = ["ou=Users,ou=PTL,ou=Divisions,dc=test,dc=div,dc=com"]

# Specify names of the LDAP attributes your LDAP uses
[servers.attributes]
name = "displayName"
email =  "mail"
username = "sAMAccountName"
member_of = "member"