Our team built an EFK stack for monitoring our k8s cluster, and we have a Grafana service to visualize all the monitoring metrics. Recently, we decided to integrate our company's LDAP authentication so that everyone in our office can log in with their own account.
It's easy to find lots of tutorials and official documents, so I will just talk about the things I did and the mistake I made. Hope this could help. First, we need a Grafana service and an LDAP server. We can use ldapsearch to make sure that we can reach and query the LDAP server correctly.
Ok, now we only need to configure some config files to make it work. Configure them as the documentation says, like below.
Keep in mind that we only use the LDAP server for the authentication step. Grafana still needs its own account for everyone who logs in. This is why people usually suggest keeping allow_sign_up set to true (or you can turn it off, which means users without an existing Grafana account would not be able to log in).
Here comes the most important part: we need an ldap.toml file. It is quite clear.
bind_dn: the search base Grafana uses when it tries to search for users in the LDAP server.
search_filter: the filter applied when searching for users in the LDAP server. As the comment above the line says, allowing a user to log in with either username or email is possible.
Below are the attributes to retrieve once our search request finds the user. Since the LDAP search request only does the authentication part, these attributes let Grafana identify which user is trying to log in or sign up.
I missed this part, and every user who logged in through LDAP authentication was seen as the same one. After the first user logged in (and that was me…), Grafana created a new user without any attributes (no username, email, …). When the second user logged in, Grafana tried to create another user (without username, email, …), which was identified as the existing account. This causes
userId=0 orgId=1 uname= error="User already exists error.
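As an added example (not code from the original post, and not Grafana's own files), here are the pieces the post refers to, written as one small POSIX shell script: the ldapsearch probe that reproduces Grafana's user lookup, the grafana.ini fragment with allow_sign_up, an ldap.toml that includes the [servers.attributes] table the post says it missed, and a check that flags an ldap.toml without that table. The host ldap.example.com, the DNs, the filter and the path /etc/grafana/ldap.toml are assumptions. One caveat worth knowing: in Grafana's ldap.toml the account Grafana binds as (bind_dn) and the search base (search_base_dns) are two separate settings, and both are needed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: the LDAP host,
# the service-account bind DN, the people base DN and the search filter.
LDAP_HOST="ldap://ldap.example.com:389"
BIND_DN="cn=grafana-readonly,ou=service,dc=example,dc=com"
SEARCH_BASE="ou=people,dc=example,dc=com"
SEARCH_FILTER="(|(uid=%s)(mail=%s))"

# Step 1: reproduce Grafana's lookup with ldapsearch before touching Grafana.
# Grafana substitutes the login name for %s in search_filter; we do the same.
# Binding as the read-only service account verifies bind_dn; the filter should
# return exactly one entry carrying the attributes Grafana will map.
# (Network call and interactive password prompt; not exercised by the test.)
probe_user() {
    login="$1"   # assumed to be a plain uid or mail address, no LDAP metacharacters
    filter=$(printf '%s' "$SEARCH_FILTER" | sed "s/%s/$login/g")
    ldapsearch -x -H "$LDAP_HOST" -D "$BIND_DN" -W -b "$SEARCH_BASE" \
        "$filter" uid mail cn givenName sn memberOf
}

# Step 2: the grafana.ini fragment. allow_sign_up = true lets Grafana create
# the local account on a user's first LDAP login, as the post describes.
grafana_ini_fragment() {
    cat <<'EOF'
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
EOF
}

# Step 3: ldap.toml. bind_dn is the account Grafana binds as to search, and
# search_base_dns is where it searches. The [servers.attributes] table is the
# part the post missed: without it every LDAP user is created with an empty
# username and email, and the second login collides with the first account.
ldap_toml() {
    cat <<EOF
[[servers]]
host = "ldap.example.com"
port = 389
use_ssl = false
start_tls = false
bind_dn = "$BIND_DN"
bind_password = "CHANGE_ME_PLACEHOLDER"
search_filter = "$SEARCH_FILTER"
search_base_dns = ["$SEARCH_BASE"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "memberOf"
email = "mail"
EOF
}

# Step 4: a lint for exactly that mistake. Returns 0 when the file has a
# [servers.attributes] table that maps both username and email, 1 otherwise.
check_ldap_toml() {
    file="$1"
    grep -q '^\[servers\.attributes\]' "$file" \
        || { echo "missing [servers.attributes] in $file"; return 1; }
    for key in username email; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"[^\"]+\"" "$file" \
            || { echo "attribute '$key' is not mapped in $file"; return 1; }
    done
    return 0
}
```

Run the probe with a real login name before enabling LDAP in Grafana, then run check_ldap_toml against the file you deploy; the check is deliberately strict about the two attributes whose absence produced the "User already exists" error.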
Hope this helps!