Hello Team,
We have installed Grafana-Loki using Helm Chart (version 2.10.1), and it works fine.
While upgrading the chart to implement LDAP authentication, by updating values as below, it gives an error. Can you please help triage this error?
grafana:
  enabled: true
  logLevel: debug
  adminPassword: <REDACTED> # Change this to a secure password
  ldap:
    enabled: true
    existingSecret: grafana-ldap
Hello @barkathm, I would love to help you solve your LDAP issues.
We will need a little more information, however.
Can you provide a slightly sanitized version of your existing secret? I will spin up a test instance of Grafana in my Kubernetes cluster that uses LDAP rather than OAuth2 for authentication.
From looking at the logs you have posted, however, it seems like it might be a simple authentication issue against the domain.
Thank you, @briangates, for extending your support to look into these issues.
Below is the ldap-config using which a secret (grafana-ldap) has been created:
[log]
filters = ldap:debug
[[servers]]
host = "test.div.com"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = true
bind_dn = "cn=ldapuser,ou=Users,ou=PTL,ou=Divisions,dc=test,dc=div,dc=com"
bind_password = "REDACTED"
timeout = 10
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
search_filter = ""
# An array of base dns to search through
search_base_dns = ["ou=Users,ou=PTL,ou=Divisions,dc=test,dc=div,dc=com"]
# Specify names of the LDAP attributes your LDAP uses
[servers.attributes]
name = "displayName"
email = "mail"
username = "sAMAccountName"
member_of = "member"
Base DN for Search: Your search_base_dns is set to ["ou=Users,ou=PTL,ou=Divisions,dc=test,dc=div,dc=com"]. Ensure this DN accurately reflects the structure of your LDAP directory for finding users.
LDAP Attributes: Your configuration of LDAP attributes under [servers.attributes] seems appropriate. Just make sure these attribute names (displayName, mail, sAMAccountName, member) are actually used by your LDAP server. Incorrect attribute names will result in failed attempts to retrieve necessary information.
Search Filter: You have left the search_filter attribute empty. This is essential for filtering out user entries. You need to specify a valid LDAP filter here. Depending on what attribute your LDAP uses as a unique identifier for users, common examples include:
For common name: (cn=%s)
For SAM account name (often in Active Directory environments): (sAMAccountName=%s)
For user ID: (uid=%s)
If you want to allow users to log in using either their username or their email, you might use:
The logs indicate that login attempts are failing due to “Invalid username or password” with the specific error “user not found”. This suggests a few potential issues:
1. Incorrect Credentials: The username and/or password being entered do not match what is expected by the LDAP server. Ensure that users are inputting their credentials correctly.
2. Search Filter Issue: Since your search_filter was initially left blank in the configuration you showed, Grafana may not be able to construct a proper query to find the user in the LDAP server. As previously mentioned, you need to set this to a correct value based on how users should be able to login (e.g., using their username, email, etc.). For example:
search_filter = "(sAMAccountName=%s)"
This filter will search for users based on their SAM account name. Adjust the attribute to match the identifier used by your LDAP server (like uid, cn, or mail).
3. LDAP Server Configuration: There might be an issue with how the LDAP server is configured in terms of user visibility or permissions. The bind user (bind_dn) must have sufficient privileges to search for other users within the designated search base DN.
4. Network Issues: There could be network issues preventing Grafana from properly communicating with the LDAP server. Since SSL and start TLS configurations can be tricky, make sure that your LDAP server is properly configured to accept SSL connections, and your Grafana server is correctly set up to establish these connections.
5. LDAP Server Availability: Ensure the LDAP server is up and running and that the DNS settings are correctly resolving the LDAP server address (test.div.com). If there are any network firewalls or security groups, verify that they allow traffic on the required port (636 in your case).
To debug this further:
Check that the bind_dn and bind_password are correct.
Verify the LDAP search base and search filter with a tool like ldapsearch to ensure they can indeed locate user entries.
If possible, increase the log verbosity of your LDAP server to get more detailed error messages which might pinpoint the issue.
Test connectivity and credential validation directly from the Grafana host to the LDAP server using command-line tools or scripts to confirm that the basic LDAP operations work as expected.