Active Directory : Invalid Credentials

mblackcricut · May 16, 2019, 5:10pm

First time user here trying to configure Active Directory authentication. I’m getting an Invalid Username or Password error . I’ve turned on logging filters = ldap:debug but I’m struggling finding where my error is.

This is my ldap.toml file:

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "myldapserver.domain.com"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = true
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "CN=ldap,OU=Service_Accounts,OU=PC_User_Accounts,DC=domain,DC=com"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = """supersecretpassword"""

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["dc=domain,dc=com"]

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "mail"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
##group_dn = "cn=admins,dc=com"
##org_role = "Admin"
group_dn = "dc=domain,dc=com"
org_role = "*"
# To make user an instance admin  (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "cn=users,dc=grafana,dc=org"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"

This is a snippet from my log file:

t=2019-05-16T16:52:55+0000 lvl=info msg="HTTP Server Listen" logger=http.server address=0.0.0.0:3000 protocol=http subUrl= socket=
t=2019-05-16T16:53:01+0000 lvl=info msg="Initial bind failed" logger=ldap error="LDAP Result Code 49 \"Invalid Credentials\": 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1 "
t=2019-05-16T16:53:01+0000 lvl=eror msg="Invalid username or password" logger=context userId=0 orgId=0 uname= error="Invalid Username or Password"
t=2019-05-16T16:53:01+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=401 remote_addr=10.1.5.98 time_ms=48 size=42 referer=http://grafanaserver:3000/login

daniellee · May 18, 2019, 10:30am

So googled this and the first hit is this: authentication - LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 - Stack Overflow

which implies that the username is valid but password/credential is invalid. But maybe it could also be that mapping for the username is incorrect and that it is matching another user with the same username?

michaelblack · May 20, 2019, 4:28am

If that’s what is happening, it’s rather strange because isn’t (sAMAccountName=%s) the unique identifier in Active Directory? I’ve searched the system and I didn’t find any duplicates. So you’re not seeing anything immediately wrong with the configuration?

michaelblack · May 20, 2019, 2:53pm

Solve it!

It was my bind-dn that I had wrong. This is what was wrong:

bind_dn = "CN=ldap,OU=Service_Accounts,OU=PC_User_Accounts,DC=domain,DC=com"

This is how the right way should look

bind_dn = "mydomain\\%s"

It was after going over the documentation and there’s a difference whether you’re authenticating to a LDAP server or an Active Directory server; the later being my case.

gaj · August 6, 2019, 12:17pm

hi,

can you show, your file ldap.toml ?

michaelblack · August 6, 2019, 4:02pm

In the beginning of this post have my ldap.toml shared. The only line that has changed was the bind_dn

gaj · August 7, 2019, 7:36am

when you put bind_dn = “mydomain\%s”
where can i take mydomain ?

mrarifogullari · March 25, 2022, 2:44pm

use this on shell:
dnsdomainname

Topic		Replies	Views
Active Directory/LDAP troubleshooting Authentication ldap	1	2058	May 30, 2022
Grafana to support LDAP authentication Grafana	3	2128	January 17, 2020
LDAP Configuration - Error Configuration ldap	6	3160	July 11, 2022
Cannot get Grafana LDAP Authentication to work Configuration	8	22546	October 30, 2018
LDAP auth not working after 4.2 update Authentication ldap , auth	6	2428	January 13, 2021

Active Directory : Invalid Credentials

Related topics