LDAP auth - strange behaviour upon first login


I’m trying to achieve a configuration where there are 5 organizations in Grafana and I can manipulate membership and roles in this configuration simply by adding/removing LDAP users from groups. For example, a member of the LDAP group grafana_1_admins should be an Admin in “Org #1”, a member of the group grafana_3_viewers should be a Viewer in “Org #3”, and so on.

In order to achieve this I’ve taken the following steps:

  1. Set auto_assign_org to false,
  2. Login as default admin user,
  3. Create organizations “Org #1”, “Org #2”, etc.
  4. Delete organization “admin@localhost” (default created after login).

With this setup I was expecting that after an LDAP user logs in to Grafana, he will be dropped into the first organization matched by the LDAP group mapping rules. Instead, I’m getting the error “Cannot remove last organization admin”. After turning the auto_assign_org param on, the LDAP user is able to log in, but “Main Org” is automatically created and the user is dropped into that organisation. I can tell for sure that the group mappings are correct because the user is also assigned to the properly mapped organisations.

What can I do to achieve the desired setup?

Sounds like this: https://github.com/grafana/grafana/issues/7200

auto_assign_org, when set to true, is currently hardcoded to always assign the user to the Main org. So that won’t work for you.

You could change the active organization of a user via the API (requires basic auth and that the authenticated user is a Grafana Admin):

curl -XPOST http://admin:admin@localhost:3000/api/users/7/using/2

Not sure if that really helps though. Unfortunately, we do not get many PR’s for the LDAP feature but we (the Grafana team) are planning to do an overhaul of LDAP in the autumn.
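As an added illustration, not code from the thread or from the Grafana project, here is how that per-user API call can be driven from a script instead of a hand-typed curl line. It assumes the documented admin endpoints GET /api/users/lookup?loginOrEmail= and POST /api/users/:userId/using/:orgId, takes the Grafana Admin credentials from environment variables rather than embedding them in the URL, and uses a constructed login-to-org table.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Assumption (not from the thread): credentials come from the environment,
# not from the URL, so they do not end up in shell history or proxy logs.
GRAFANA_URL = os.environ.get("GRAFANA_URL", "http://localhost:3000")


def basic_auth_header(user, password):
    """Basic-auth header for a Grafana Admin account (required for /api/users/*)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def lookup_user_id(base_url, login, headers, opener=urllib.request.urlopen):
    """GET /api/users/lookup?loginOrEmail=<login> and return the numeric user id."""
    url = f"{base_url}/api/users/lookup?loginOrEmail={urllib.parse.quote(login)}"
    with opener(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)["id"]


def build_switch_request(base_url, user_id, org_id, headers):
    """POST /api/users/:userId/using/:orgId, the call quoted in the thread."""
    url = f"{base_url}/api/users/{int(user_id)}/using/{int(org_id)}"
    return urllib.request.Request(url, method="POST", headers=headers)


def switch_active_org(base_url, login, org_id, headers, opener=urllib.request.urlopen):
    """Resolve a login to its user id and set that user's active organisation."""
    user_id = lookup_user_id(base_url, login, headers, opener)
    with opener(build_switch_request(base_url, user_id, org_id, headers)) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample: LDAP login -> org id the user should land in.
    wanted = {"alice": 1, "bob": 3}
    auth = basic_auth_header(os.environ["GRAFANA_ADMIN_USER"],
                             os.environ["GRAFANA_ADMIN_PASSWORD"])
    for login, org in wanted.items():
        print(login, org, switch_active_org(GRAFANA_URL, login, org, auth))
```

The opener argument exists so the functions can be exercised against a fake HTTP layer without a running Grafana.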

Thank you for the answer @daniellee. This sounds very much like the issue that you’ve linked.

I don’t think we could make use of the mentioned API method. If there were a possibility to do a sort of batch import of all LDAP users into Grafana, maybe we could use it, but still, every time someone new joins a group we would have to make that extra API call. We wanted to connect Grafana to LDAP to have less work, not more :slight_smile:

Anyway, thanks for the advice, we will try to work around this somehow.

Hello @pmdz

Did you manage to work around this somehow? I am suffering something similar (auth.proxy and auth.ldap enabled; the LDAP Admin user is screwed up after the organization creation).

Thanks in advance,


Nope, we stopped trying :slight_smile: We’re not using LDAP auth.

Hello @pmdz,

Thank you for your prompt response.

Me I will go ahead with. In the worst case I can always apply the workaround.
