User is mapped against organization orgId=-1 on first login

Hello there,

This issue is kind of similar to https://community.grafana.com/t/map-ldap-groups-to-grafana-org-roles-with-org-id-first-login/2146

I have auth.proxy together with auth.ldap.

In the ldap.toml my mappings look like this:

[[servers.group_mappings]]
group_dn = "CN=ims,OU=Workgroups,DC=company,DC=com"
org_role = "Admin"
org_id = 4

[[servers.group_mappings]]
group_dn = "CN=dbr,OU=Workgroups,DC=company,DC=com"
org_role = "Admin"
org_id = 5

[[servers.group_mappings]]
group_dn = "CN=sas,OU=Workgroups,DC=company,DC=com"
org_role = "Admin"
org_id = 6

After first login my users are assigned to the “orgId”: -1.

curl -H "X-WEBAUTH-USER: mmartinm" http://grafana.staged-by-discourse.com/api/user | python -m json.tool

{
    "email": "michael.martin.moonlight@company.com",
    "id": 0,
    "isGrafanaAdmin": false,
    "login": "mmartinm",
    "name": "Michael Martin Moonlight",
    "orgId": -1,
    "theme": ""
}

However, from the GUI I can see that they have been added as admins of their corresponding organization and viewers of the main one. See attached screenshot.

Is there any way of making the automatic mapping work?

Thanks in advance,

Luis

Grafana version: Grafana v4.6.3 (commit: 7a06a47). Built from grafana/grafana docker image

It’s been a while since I last looked at this so had to dig into the code a bit. Unfortunately, there have been no major changes or fixes in the last 18 months to the LDAP code (I don’t think anyone wants to work on LDAP in their free time) so this bug is still there.

Here is the issue for this problem (it’s been open for a year and no PRs):

Here is the code for assigning the org to a new user.

Right now, if using auth proxy and ldap is enabled then SkipOrgSetup is set to true and the orgId will be assigned to -1.

if cmd.SkipOrgSetup {
    return -1, nil
}

The user is synced on login but the default org for the user is never set. So the answer is still the same as the linked question - that it has to be done via the API:

I know that this is not very user friendly. We have plans to both improve the LDAP code later this year and to create a premium version of the LDAP integration with team sync (and then in Grafana 5.0 you can assign teams permissions to folders and dashboards).
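Added example (not part of the thread and not Grafana's own code): a sketch of the API workaround described in the answer above, picking the org from the question's group mappings and building the admin calls that set it for the user. It assumes the API meant is Grafana's admin HTTP API (`GET /api/users/lookup` and `POST /api/users/:userId/using/:organizationId`), that the first matching mapping in file order should become the default org, and that DNs compare case-insensitively; the function names, base URL and admin credentials are placeholders.

```python
import json
import urllib.parse
import urllib.request
from base64 import b64encode

# Constructed from the ldap.toml in the question: (group_dn, org_id) in file order.
GROUP_MAPPINGS = [
    ("CN=ims,OU=Workgroups,DC=company,DC=com", 4),
    ("CN=dbr,OU=Workgroups,DC=company,DC=com", 5),
    ("CN=sas,OU=Workgroups,DC=company,DC=com", 6),
]

def pick_default_org(member_of, mappings=GROUP_MAPPINGS):
    """Return the org_id of the first mapping (file order) that matches one of
    the user's LDAP groups, or None. Assumption: DNs compare case-insensitively."""
    groups = {dn.strip().lower() for dn in member_of}
    for group_dn, org_id in mappings:
        if group_dn.lower() in groups:
            return org_id
    return None

def admin_request(base_url, path, admin, password, method="GET"):
    """Build a basic-auth request; the account must be a Grafana server admin."""
    token = b64encode(f"{admin}:{password}".encode()).decode()
    return urllib.request.Request(base_url.rstrip("/") + path, method=method,
                                  headers={"Authorization": "Basic " + token})

def lookup_request(base_url, login, admin, password):
    query = urllib.parse.quote(login, safe="")
    return admin_request(base_url, "/api/users/lookup?loginOrEmail=" + query,
                         admin, password)

def switch_org_request(base_url, user_id, org_id, admin, password):
    # int() rejects anything that is not a plain id before it reaches the URL path.
    path = f"/api/users/{int(user_id)}/using/{int(org_id)}"
    return admin_request(base_url, path, admin, password, method="POST")

def fix_default_org(base_url, login, member_of, admin, password):
    """Look up the user created on first login and point them at their org."""
    org_id = pick_default_org(member_of)
    if org_id is None:
        return None  # no mapped group: leave the user alone
    with urllib.request.urlopen(lookup_request(base_url, login, admin, password), timeout=10) as resp:
        user_id = json.load(resp)["id"]
    with urllib.request.urlopen(switch_org_request(base_url, user_id, org_id, admin, password), timeout=10) as resp:
        return json.load(resp)
```

`member_of` is the user's group DN list as read from the directory; `fix_default_org` is the only function that touches the network.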

Hi daniellee,
Is the above discussed issue to preserve the orgId for grafana users once they authenticate using LDAP been addressed with Grafana 5.0.3?

If yes, how?