LDAP Authetntication & Group Membership - Bug or misconfiguration?

Hi all,
I have my Grafana connected to a FreeIPA Server.
FreeIPA uses the RFC2307bis schema, so I have modified the group membership filter to much it.
And from here my problems start.

  1. Group membership is not working.
    My LDAP configuration is:

    /etc/grafana/ldap.toml
    ansible managed
    #Documentation: Configure LDAP authentication | Grafana documentation
    verbose_logging = true

    [[servers]]
    group_search_base_dns = [“ou=groups,cn=accounts,dc=example,dc=com”]
    ssl_skip_verify = true
    search_filter = “(uid=%s)”
    root_ca_cert = “/etc/ipa/ca.crt”
    start_tls = true
    bind_dn = “uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com”
    group_search_filter = “(&(objectClass=posixGroup)(member=uid=%s,cn=users,cn=accounts,dc=example,dc=com))”
    search_base_dns = [“cn=users,cn=accounts,dc=example,dc=com”]
    host = “idmldap.example.com
    bind_password = “password”
    use_ssl = false
    port = 389

    [servers.attributes]
    username = “uid”
    member_of = “dn”
    surname = “sn”
    email = “mail”
    name = “givenName”

    #Main Org.
    [[servers.group_mappings]]
    org_id = 1
    org_role = “Admin”
    grafana_admin = true
    group_dn = “cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com”

    [[servers.group_mappings]]
    org_id = 1
    org_role = “Editor”
    group_dn = “cn=grafana-users,cn=groups,cn=accounts,dc=example,dc=com”

    [[servers.group_mappings]]
    org_id = 1
    org_role = “Viewer”
    group_dn = “*”

Using ldapsearch, I get back results:

ldapsearch -x -W -D "uid=nonipaapps,cn=sysaccounts,cn=etc,dc=example,dc=com" \
    -b "cn=groups,cn=accounts,dc=example,dc=com" \
    -h localhost -p 389 -s sub "(&(objectClass=posixGroup) \
    member=uid=ptselios,cn=users,cn=accounts,dc=example,dc=com))"


# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=posixGroup)(member=uid=ptselios,cn=users,cn=accounts,dc=example,dc=com))
# requesting: ALL
#

# grafana-adms, groups, accounts, example.com
dn: cn=grafana-adms,cn=groups,cn=accounts,dc=example,dc=com
member: uid=ptselios,cn=users,cn=accounts,dc=example,dc=com
member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-120251393-583861438-3385547448-1050
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
cn: grafana-adms
description:: blabla
ipaUniqueID: ccc54368-ce1d-11e8-b523-06db1b82a33a
gidNumber: 690200050

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

However, all users are logged in as Viewers!
Also, my account (ptselios) is manually configured to be an Editor. But it’s not reset to Admin! So, obviously the group mapping is not working.

Checking the log file was not helpful either. Here is what is written (with verbose logging as you can see)

t=2018-11-27T14:20:34+0000 lvl=dbug msg="Scheduling update" logger=alerting.scheduler ruleCount=0
t=2018-11-27T14:20:36+0000 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(objectClass=groupOfNames)(member=uid=user01,cn=users,cn=accounts,dc=example,dc=com))"
t=2018-11-27T14:20:36+0000 lvl=dbug msg="**Ldap User found**" logger=ldap info="(*login.LdapUserInfo)(0xc0002fee00)({\n DN: (string) (len=63) \"uid=ashrestha,cn=users,cn=accounts,dc=example,dc=com\",\n FirstName: (string) (len=5) \"User\",\n LastName: (string) (len=8) \"01\",\n Username: (string) (len=9) \"user01\",\n Email: (string) (len=29) \"user01@example.com\",\n MemberOf: ([]string) <nil>\n})\n"

So, why is the group membeship failing? LDAP returns entries and the

Ciao,

Below you can find my working LDAP configuration with SSL activated (my Grafana server is configured with HTTPS).

To troubleshoot and get more log info enable ldap debug logging in grafana.ini

#[log]
#filters = ldap:debug

[[servers]]

Ldap server host (specify multiple hosts space separated)

host = “ldap.your_domain.com”

Default port is 389 or 636 if use_ssl = true

port = 636

Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)

use_ssl = true

If set to true, use LDAP with STARTTLS instead of LDAPS

start_tls = false

set to true if you want to skip ssl cert validation

ssl_skip_verify = true

set to the path to your root CA certificate or leave unset to use system defaults

root_ca_cert = “/path/to/certificate.crt”

Authentication against LDAP servers requiring client certificates

client_cert = “/path/to/client.crt”

client_key = “/path/to/client.key”

Search user bind dn

#bind_dn = “cn=admin,dc=grafana,dc=org”
bind_dn = “uid=bind_user,ou=People,dc=your_domain,dc=com”

Search user bind password

If the password contains # or ; you have to wrap it with triple quotes. Ex “”"#password;"""

#bind_password = ‘grafana’
bind_password = “”“your_password”""

User search filter, for example “(cn=%s)” or “(sAMAccountName=%s)” or “(uid=%s)”

search_filter = “(uid=%s)”

An array of base dns to search through

#search_base_dns = [“dc=grafana,dc=org”]
search_base_dns = [“ou=People,dc=your_domain,dc=com”]

For Posix or LDAP setups that does not support member_of attribute you can define the below settings

Please check grafana LDAP docs for examples

group_search_filter = “(&(objectClass=posixGroup)(memberUid=%s))”

group_search_base_dns = [“ou=groups,dc=grafana,dc=org”]

group_search_filter_user_attribute = “uid”

Specify names of the ldap attributes your ldap uses

[servers.attributes]
name = “givenName”
surname = “sn”
username = “uid”
member_of = “ismemberOf” #### >>> If your LDAP team have correctly set the attribute “memberOf” on the LDAP server side, then configure here → member_of = “memberOf” ####
email = “mail”

Map ldap groups to grafana org roles

#[[servers.group_mappings]]
#group_dn = “cn=admins,ou=groups,dc=grafana,dc=org”
#org_role = “Admin”

To make user an instance admin (Grafana Admin) uncomment line below

grafana_admin = true

The Grafana organization database id, optional, if left out the default org (id 1) will be used

org_id = 1

ADMIN GROUPS

[[servers.group_mappings]]
group_dn = “cn=your_group,ou=groups,dc=your_domain,dc=com”
org_role = “Admin”

####################

EDITOR GROUPS

#[[servers.group_mappings]]
#group_dn = “cn=your_group,ou=groups,dc=your_domain,dc=com”
#org_role = “Editor”

#####################

READ-ONLY GROUPS

#[[servers.group_mappings]]

If you want to match all (or no ldap groups) then you can use wildcard

#group_dn = “cn=your_group,ou=groups,dc=your_domain,dc=com”
#org_role = “Viewer”

########################

Regards,

AlexPreformatted text