Hi All,
I have set up Grafana inside Docker and have configured LDAP-based authentication.
While the user is able to log in via LDAP, he is getting only the Viewer role and not the Admin role.
Log entries after enabling debug for LDAP:
t=2021-03-15T06:37:46+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=10.34.90.123 time_ms=0 size=29 referer=
t=2021-03-15T06:38:02+0000 lvl=dbug msg="LDAP users found" logger=ldap users="([]*models.ExternalUserInfo) (len=1 cap=1) {\n (*models.ExternalUserInfo)(0xc000fa8ea0)({\n OAuthToken: (*oauth2.Token)(),\n AuthModule: (string) (len=4) \"ldap\",\n AuthId: (string) (len=37) \"uid=ppujara,ou=Users,dc=e2open,dc=com\",\n UserId: (int64) 0,\n Email: (string) \"\",\n Login: (string) (len=14) \"Priyank Pujara\",\n Name: (string) \"\",\n Groups: ([]string) {\n },\n OrgRoles: (map[int64]models.RoleType) (len=1) {\n (int64) 1: (models.RoleType) (len=5) \"Admin\"\n },\n IsGrafanaAdmin: (*bool)(),\n IsDisabled: (bool) false\n })\n}\n"
t=2021-03-15T06:38:02+0000 lvl=info msg="Successful Login" logger=http.server User=
Please go through the files below and help me debug the issue.
I have pasted below:
- Configuration file: defaults.ini
- LDAP file: ldap.toml

- defaults.ini
#################################### Auth LDAP ###########################
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true

# LDAP background sync (Enterprise only)
# At 1 am every day
sync_cron = "0 0 1 * * *"
active_sync_enabled = true
- ldap.toml
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "ldap1.dev.company.com"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = true
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = true
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
root_ca_cert = "/etc/certs/cacert.pem"
# Authentication against LDAP servers requiring client certificates
client_cert = "/path/to/client.crt"
client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "uid=ldap_search2,ou=users,dc=company,dc=com"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'password'

search_filter = "(uid=%s)"
search_base_dns = ["dc=company,dc=com"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "User Name"
username = "cn"
#name = "givenName"
#surname = "sn"
#username = "cn"
#member_of = "memberOf"
email = "email"

# For Posix or LDAP setups that do not support member_of attribute you can define the below settings
# Please check grafana LDAP docs for examples
#group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
#group_search_base_dns = ["ou=Groups,dc=company,dc=com"]
#group_search_filter_user_attribute = "uid"

[[servers.group_mappings]]
group_dn = "cn=grafana-admin,ou=Groups,dc=company,dc=com"
org_role = "Admin"
grafana_admin = true # Available in Grafana v5.3 and above
org_id = 1

#[[servers.group_mappings]]
#group_dn = "cn=grafana-developers,ou=Groups,dc=company,dc=com"
#org_role = "Editor"

[[servers.group_mappings]]
group_dn = "*"
org_role = "Admin"

# Map ldap groups to grafana org roles
#[[servers.group_mappings]]
#group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
#org_role = "Admin"
# To make user an instance admin (Grafana Admin) uncomment line below
grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
org_id = 1

#[[servers.group_mappings]]
#group_dn = "cn=users,ou=groups,dc=grafana,dc=org"
#org_role = "Editor"

#[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
#group_dn = "*"
#org_role = "Viewer"
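To see how the posted group mappings resolve for the logged-in user, here is a small Python model of Grafana's documented group-mapping rules (an added example, not Grafana's code and not part of the post): a mapping matches when `group_dn` equals one of the user's `memberOf` values or is the wildcard `"*"`, the first matching mapping per `org_id` wins, and `grafana_admin` is taken from a matching mapping. The two active mappings and the group-less user (Groups is empty in the debug log, consistent with `member_of` being commented out) are constructed from the post.

```python
# Added example (not Grafana's code): a simplified model of the documented
# [[servers.group_mappings]] rules. All values below are constructed from the post.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class GroupMapping:
    group_dn: str
    org_role: str
    org_id: int = 1               # default org when org_id is left out
    grafana_admin: bool = False


@dataclass
class MappingResult:
    org_roles: Dict[int, str] = field(default_factory=dict)   # org_id -> role
    matched_by: Dict[int, str] = field(default_factory=dict)  # org_id -> group_dn
    is_grafana_admin: Optional[bool] = None


def is_member_of(member_of: List[str], group_dn: str) -> bool:
    """'*' matches every authenticated user, even one with no memberOf values."""
    if group_dn == "*":
        return True
    return any(m.lower() == group_dn.lower() for m in member_of)


def map_groups(member_of: List[str], mappings: List[GroupMapping]) -> MappingResult:
    """Walk the mappings in file order; only the first match per org counts."""
    res = MappingResult()
    for m in mappings:
        if m.org_id in res.org_roles:
            continue
        if is_member_of(member_of, m.group_dn):
            res.org_roles[m.org_id] = m.org_role
            res.matched_by[m.org_id] = m.group_dn
            if not res.is_grafana_admin:
                res.is_grafana_admin = m.grafana_admin
    return res


# The two active tables from the posted ldap.toml. The uncommented
# grafana_admin = true / org_id = 1 after the wildcard table belong to it.
POSTED_MAPPINGS = [
    GroupMapping("cn=grafana-admin,ou=Groups,dc=company,dc=com", "Admin", 1, True),
    GroupMapping("*", "Admin", 1, True),
]
```

With the posted mappings, `map_groups([], POSTED_MAPPINGS)` gives an LDAP user with no groups `{1: "Admin"}`, matched by the wildcard table, which is what the debug log's OrgRoles shows; without the wildcard table the same user matches no mapping at all.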