
I cannot login to Grafana with LDAP despite a working LDAP server


I can't log in to Grafana with LDAP.

I ran Grafana with Docker Compose. My commands are:

  grafana:
    image: grafana/grafana:9.2.7-ubuntu
    container_name: grafana
    user: root:root
    restart: unless-stopped
    ports:
      - 3000:3000
    networks:
      - monitoring
    volumes:
      - ./grafana/data:/var/lib/grafana
      - ./grafana/provisioning:/etc/grafana/provisioning/
      - ./grafana/etc/grafana.ini:/etc/grafana/grafana.ini
      - ./grafana/etc/ldap.toml:/etc/grafana/ldap.toml
    environment:
      - GF_SECURITY_ADMIN_USER=${GRAFANA_USER}
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASS}

The permissions on the grafana.ini and ldap.toml files are "-rw-r--r--".

In grafana.ini I have these settings:

[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true

Here are my settings for ldap.toml:


[[servers]]
host = "MYIP"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = true

bind_dn = "cn=Users,dc=MYSITE,dc=com"
bind_password = """MYPASSWORD"""

timeout = 10

search_filter = "(sAMAccountName=%s)"

search_base_dns = ["dc=MYSITE,dc=com"]


[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"

[[servers.group_mappings]]
group_dn = "cn=MYUSER,cn=Users,dc=MYSITE,dc=com"
org_role = "Admin"
#org_id = 1

The Grafana interface seems to show the connection to the LDAP server working: LDAP WORKS

I have also tried the user I log in with in other LDAP services; the information is correct.

However, when I try from the test screen, I get the following error. Although I have tried different combinations, I could not solve it. Can you help me?


Grafana container logs:

logger=accesscontrol.service t=2023-03-28T10:31:39.182588243Z level=debug msg="using cached permissions" key=rbac-permissions-1-user-1
logger=ldap t=2023-03-28T10:31:39.182721715Z level=info msg="LDAP enabled, reading config file" file=/etc/grafana/ldap.toml
logger=ldap t=2023-03-28T10:31:39.186613254Z level=error msg="Cannot authenticate admin user in LDAP. Verify bind configuration" error="invalid username or password"
logger=context userId=1 orgId=1 uname=my_local_user t=2023-03-28T10:31:39.186765251Z level=error msg="No user was found in the LDAP server(s) with that username" error="invalid username or password" remote_addr=MYIP traceID=
logger=context userId=1 orgId=1 uname=my_local_user t=2023-03-28T10:31:39.186870487Z level=info msg="Request Completed" method=GET path=/api/admin/ldap/redmine.ldap status=404 remote_addr=MYIP time_ms=4 duration=4.758872ms size=85 referer=http://MYIP:3000/admin/ldap handler=/api/admin/ldap/:username
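As an added example (not part of the question and not Grafana's own code), the script below parses Grafana's logfmt log lines and reports which LDAP stage failed first: the service-account bind configured by bind_dn/bind_password, or the per-user search. It reads the three LDAP lines from the logs above, embedded here as a constructed sample; the stage names and explanations are my own, while the message strings are exactly the ones Grafana prints above.

```python
import re

# Constructed sample: the LDAP-related lines from the container logs above.
SAMPLE_LOG = """\
logger=ldap t=2023-03-28T10:31:39.182721715Z level=info msg="LDAP enabled, reading config file" file=/etc/grafana/ldap.toml
logger=ldap t=2023-03-28T10:31:39.186613254Z level=error msg="Cannot authenticate admin user in LDAP. Verify bind configuration" error="invalid username or password"
logger=context userId=1 orgId=1 uname=my_local_user t=2023-03-28T10:31:39.186765251Z level=error msg="No user was found in the LDAP server(s) with that username" error="invalid username or password" remote_addr=MYIP traceID=
"""

# One key=value token; the value is either a quoted string (with \" escapes) or a bare word.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_logfmt(line):
    """Parse one Grafana logfmt line into a dict; quoted values are unquoted and unescaped."""
    fields = {}
    for key, value in _TOKEN.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


# Failure stages in the order Grafana performs them. The message substrings are
# Grafana's own; the explanations are mine.
STAGES = [
    ("bind",
     "Cannot authenticate admin user in LDAP",
     "the service-account bind using bind_dn/bind_password was rejected; "
     "later 'no user found' errors in the same request are a consequence"),
    ("search",
     "No user was found in the LDAP server(s)",
     "the bind worked, but search_filter/search_base_dns matched no entry for that username"),
]


def classify_ldap_failure(log_text):
    """Return (stage, explanation, parsed_line) for the first LDAP error found, or None."""
    for line in log_text.splitlines():
        rec = parse_logfmt(line)
        if rec.get("logger") not in ("ldap", "context") or rec.get("level") != "error":
            continue
        msg = rec.get("msg", "")
        for stage, needle, explanation in STAGES:
            if needle in msg:
                return stage, explanation, rec
    return None


if __name__ == "__main__":
    result = classify_ldap_failure(SAMPLE_LOG)
    if result is None:
        print("no LDAP error lines found")
    else:
        stage, explanation, rec = result
        print(f"first failing stage: {stage} (at t={rec.get('t')})")
        print(f"  {explanation}")
```

Because the lines are scanned in order, the bind failure is reported before the "No user was found" line that follows it in the same request; a log that only contains the second message would be classified as a search-stage failure instead.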

Solution

  • The error you get is: "No user was found in the LDAP server(s) with that username" error="invalid username or password"

    You have actually established the LDAP connection, but there seems to be a problem with the user information. You can see information such as 'cn' by querying with the following example command:

    ldapsearch -x -LLL -h <YOUR_LDAP_SERVER> -D YOUR_USER@DOMAIN -W -b "CN=Users,dc=<YOUR_INFORMATION>,dc=com" -s sub "(objectClass=user)" cn sn givenName displayName name sAMAccountName sAMAccountType mail memberOf

    For example, your username might be 'apple.pear' but appear as 'Apple Pear' in the cn section. In this case you need to type 'cn=Apple Pear'.
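As an added example that is not part of the answer above, the following Python script parses LDIF output of the kind the ldapsearch command returns, maps each login name (sAMAccountName) to the cn the directory actually shows, and builds the DN string Grafana needs from that cn with RFC 4514 escaping, so a cn containing a comma does not produce a malformed bind_dn or group_dn. The LDIF sample, the user names and the base DN are constructed for illustration.

```python
import base64

# Constructed sample LDIF, shaped like "ldapsearch -LLL" output for two AD users
# whose login names differ from their cn values. The second entry has a comma in
# its cn, which ldapsearch prints escaped in the dn line.
SAMPLE_LDIF = """\
dn: CN=Apple Pear,CN=Users,DC=MYSITE,DC=com
cn: Apple Pear
sn: Pear
givenName: Apple
displayName:: QXBwbGUgUGVhcg==
sAMAccountName: apple.pear
mail: apple.pear@mysite.com
memberOf: CN=Grafana Admins,CN=Users,DC=MYSITE,DC=com
memberOf: CN=Domain Users,CN=Users,
 DC=MYSITE,DC=com

dn: CN=Smith\\, John,CN=Users,DC=MYSITE,DC=com
cn: Smith, John
sAMAccountName: jsmith
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Handles folded lines (continuation lines start with a space), multi-valued
    attributes, and base64-encoded values written as "attr:: <base64>".
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join continuation onto previous line
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:             # sentinel flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return entries


def login_to_cn(entries):
    """Map each sAMAccountName to the cn Grafana's username attribute would match."""
    return {e["sAMAccountName"][0]: e["cn"][0]
            for e in entries if "sAMAccountName" in e and "cn" in e}


# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514 2.4).
_DN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def cn_dn(cn, base_dn="cn=Users,dc=MYSITE,dc=com"):
    """Build the DN for a cn-named entry under base_dn (base_dn is an assumed value)."""
    return "cn=" + escape_rdn_value(cn) + "," + base_dn


if __name__ == "__main__":
    for login, cn in login_to_cn(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{login!r} is stored as cn={cn!r}; DN to use: {cn_dn(cn)}")
```

Running the script prints the DN to put into ldap.toml for each login name; for the comma case it yields cn=Smith\, John,cn=Users,dc=MYSITE,dc=com rather than a DN the server would parse as two RDNs.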