LDAP Autentication -Grafana

mcapile · November 13, 2019, 7:29pm

Hi guys can you advice me to deploy this configuration ?

I will use the email to acess the aplication i am not sure about the correct configurarion.

ldap.toml

To troubleshoot and get more log info enable ldap debug logging in grafana.ini

[log]

filters = ldap:debug

[[servers]]

Ldap server host (specify multiple hosts space separated)

host = “employ.dev.com”

Default port is 389 or 636 if use_ssl = true

port = 389

Set to true if ldap server supports TLS

use_ssl = false

Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)

start_tls = false

set to true if you want to skip ssl cert validation

ssl_skip_verify = false

set to the path to your root CA certificate or leave unset to use system defau lts

root_ca_cert = “/path/to/certificate.crt”

Authentication against LDAP servers requiring client certificates

client_cert = “/path/to/client.crt”

client_key = “/path/to/client.key”

Search user bind dn

bind_dn = “ou=employ.dev,o=employ.dev”

Search user bind password

If the password contains # or ; you have to wrap it with triple quotes. Ex “”" #password;"""

bind_password = ‘grafana’

User search filter, for example “(cn=%s)” or “(sAMAccountName=%s)” or “(uid=%s )”

search_filter = “(cn=%s)”

An array of base dns to search through

search_base_dns = [“ou=employ.dev,o=employ.dev”]

For Posix or LDAP setups that does not support member_of attribute you can de fine the below settings

Please check grafana LDAP docs for examples

group_search_filter = “(&(objectClass=posixGroup)(memberUid=%s))”

group_search_base_dns = [“ou=employ.dev,o=employ.dev”]
group_search_filter_user_attribute = “mail”

Specify names of the ldap attributes your ldap uses

[servers.attributes]
name = “givenName”
surname = “sn”
username = “cn”
member_of = “memberOf”
email = “mail”

Map ldap groups to grafana org roles

[[servers.group_mappings]]
group_dn = “ou=employ.dev,o=employ.dev”
org_role = “Admin”

To make user an instance admin (Grafana Admin) uncomment line below

grafana_admin = true

The Grafana organization database id, optional, if left out the default org (i d 1) will be used

org_id = 1

[[servers.group_mappings]]
group_dn = “cn=users,dc=grafana,dc=org”
org_role = “Editor”

[[servers.group_mappings]]

If you want to match all (or no ldap groups) then you can use wildcard

group_dn = “*”
org_role = “Viewer”

I am seeing the ldap server in my browser but when i am testing i am geting
No user was found in the LDAP server(s) with that username

peek2much3 · June 18, 2020, 4:42pm

Hello, did you ever get this completed? I’m looking at the same issue and was wondering if you could share what you’ve done to get it working.

Thanks

danieltollkoetter · February 22, 2021, 7:28am

I got also problems with starting up ldap, solved them (at least login is possible now)
The good thing is you have already contact with the server.

Did you switch debugging on?
The log messages shall be helpful.

The ldapsearch tool helped me a lot, I am working under windows.
See also:
https://localhost:3000/t/unable-to-dial-ldap-server-unable-to-read-ldap-response-packet-unexpected-eof-network-ok/42141/3?u=danieltollkoetter

Topic		Replies	Views
Cannot get Grafana LDAP Authentication to work Configuration	8	22547	October 30, 2018
LDAP logging and configuration Configuration	3	11432	January 13, 2021
Grafana to support LDAP authentication Grafana	3	2128	January 17, 2020
Grafana - use ldap Grafana	5	2189	August 18, 2019
LDAP configuration Configuration	1	1915	November 2, 2018