LDAP DN in multiple orgs

Grafana
1

Hello,

We’ve got a 4.6.3 install setup with LDAP. With a single org we’re able to login and administer the instance.

We’re now looking to create further orgs for separate parts of the business. We want to have three levels of access. Each org will have it’s own admins and users DNs. There will also be a separate global admin DN which is a member of all of the orgs.

The documentation suggests that configuration like the following should work, but we’ve found that the global admin DN only exists in org 1. Is this configuration supported:

[[servers.group_mappings]]
group_dn = "CN=Global-Admin,OU=Group,DC=example,DC=com"
org_role = "Admin"
org_id = 1

[[servers.group_mappings]]
group_dn = "CN=Global-Admin,OU=Group,DC=example,DC=com"
org_role = "Admin"
org_id = 2

[[servers.group_mappings]]
group_dn = "CN=Org-Two-Admin,OU=Group,DC=example,DC=com"
org_role = "Admin"
org_id = 2

[[servers.group_mappings]]
group_dn = "CN=Org-Two-User,OU=Group,DC=example,DC=com"
org_role = "Editor"
org_id = 2

[[servers.group_mappings]]
group_dn = "CN=Global-Admin,OU=Group,DC=example,DC=com"
org_role = "Admin"
org_id = 3

[[servers.group_mappings]]
group_dn = "CN=Org-Three-Admin,OU=Group,DC=example,DC=com"
org_role = "Admin"
org_id = 3

[[servers.group_mappings]]
group_dn = "CN=Org-Three-User,OU=Group,DC=example,DC=com"
org_role = "Editor"
org_id = 3

I don’t see any errors logged when I’ve setup like this.

Cheers, Gavin

2

I’ve figured this out.

In the main grafana.ini file I set

auto_assign_org = true

Then in the grafana database I deleted the “Main Org.” (id 1) from the org table and inserted records for my orgs

INSERT INTO org SET name = 'global';
INSERT INTO org SET name = 'org2';
INSERT INTO org SET name = 'org3';

Then I checked the org_id on the table:

SELECT * FROM org;

And updated my ldap group_mappings setting the correct org_id for each mapping.

It doesn’t feel like the correct approach, but it seemed to work and I’ve now got multiple orgs available to my DN.