User can login via LDAP Authentication but Admin role cannot be set for him

Hi All,

I have setup grafana inside docker and have configured LDAP based authentication.
While user is able to login via LDAP, but he is getting only viewer role and not admin role.

Log entries after enabling debug for ldap:
t=2021-03-15T06:37:46+0000 lvl=info msg=“Request Completed” logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=10.34.90.123 time_ms=0 size=29 referer=
t=2021-03-15T06:38:02+0000 lvl=dbug msg=“LDAP users found” logger=ldap users="([]*models.ExternalUserInfo) (len=1 cap=1) {\n (*models.ExternalUserInfo)(0xc000fa8ea0)({\n OAuthToken: (*oauth2.Token)(),\n AuthModule: (string) (len=4) “ldap”,\n AuthId: (string) (len=37) “uid=ppujara,ou=Users,dc=e2open,dc=com”,\n UserId: (int64) 0,\n Email: (string) “”,\n Login: (string) (len=14) “Priyank Pujara”,\n Name: (string) “”,\n Groups: ([]string) {\n },\n OrgRoles: (map[int64]models.RoleType) (len=1) {\n (int64) 1: (models.RoleType) (len=5) “Admin”\n },\n IsGrafanaAdmin: (*bool)(),\n IsDisabled: (bool) false\n })\n}\n"
t=2021-03-15T06:38:02+0000 lvl=info msg=“Successful Login” logger=http.server User=

Please go through below files and help me debug the issue.

I have pasted below

  • Configuration file - defaults.ini and
  • LDAP file ldap.toml
  1. defaults.ini
    #################################### Auth LDAP ###########################
    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml
    allow_sign_up = true

LDAP backround sync (Enterprise only)

At 1 am every day

sync_cron = “0 0 1 * * *”
active_sync_enabled = true

  1. ldap.toml
    [[servers]]

Ldap server host (specify multiple hosts space separated)

host = “ldap1.dev.company.com

Default port is 389 or 636 if use_ssl = true

port = 389

Set to true if ldap server supports TLS

use_ssl = true

Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)

start_tls = true

set to true if you want to skip ssl cert validation

ssl_skip_verify = false

set to the path to your root CA certificate or leave unset to use system defaults

root_ca_cert = “/etc/certs/cacert.pem”

Authentication against LDAP servers requiring client certificates

client_cert = “/path/to/client.crt”

client_key = “/path/to/client.key”

Search user bind dn

bind_dn = “uid=ldap_search2,ou=users,dc=company,dc=com”

Search user bind password

If the password contains # or ; you have to wrap it with triple quotes. Ex “”"#password;"""

bind_password = ‘password’

search_filter = “(uid=%s)”
search_base_dns = [“dc=company,dc=com”]

Specify names of the ldap attributes your ldap uses

[servers.attributes]
name = “User Name”
username = “cn”
#name = “givenName”
#surname = “sn”
#username = “cn”
#member_of = “memberOf”
email = “email”

For Posix or LDAP setups that does not support member_of attribute you can define the below settings

Please check grafana LDAP docs for examples

#group_search_filter = “(&(objectClass=posixGroup)(memberUid=%s))”
#group_search_base_dns = [“ou=Groups,dc=company,dc=com”]
#group_search_filter_user_attribute = “uid”

[[servers.group_mappings]]
group_dn = “cn=grafana-admin,ou=Groups,dc=company,dc=com”
org_role = “Admin”
grafana_admin = true # Available in Grafana v5.3 and above
org_id = 1

#[[servers.group_mappings]]
#group_dn = “cn=grafana-developers,ou=Groups,dc=company,dc=com”
#org_role = “Editor”

[[servers.group_mappings]]
group_dn = “*”
org_role = “Admin”

Map ldap groups to grafana org roles

#[[servers.group_mappings]]
#group_dn = “cn=admins,ou=groups,dc=grafana,dc=org”
#org_role = “Admin”

To make user an instance admin (Grafana Admin) uncomment line below

grafana_admin = true

The Grafana organization database id, optional, if left out the default org (id 1) will be used

org_id = 1

#[[servers.group_mappings]]
#group_dn = “cn=users,ou=groups,dc=grafana,dc=org”
#org_role = “Editor”

#[[servers.group_mappings]]

If you want to match all (or no ldap groups) then you can use wildcard

#group_dn = “*”
#org_role = “Viewer”