The N Files


Grafana LDAP Integration Report

Objective

Configure Grafana to authenticate users against a Windows Active Directory (AD) domain using the LDAP authentication backend.

Configuration Summary

Grafana was deployed in a Docker Compose stack alongside Prometheus, Loki, and other monitoring tools. The following key configuration points were applied:

ldap.toml Configuration

[[servers]]
# Windows AD host
host = "172.16.10.66"
port = 389
# Plain LDAP on 389: bind and user credentials cross the network unencrypted
use_ssl = false
start_tls = false
ssl_skip_verify = false

# Bind account (use a read-only service account)
bind_dn = "[email protected]"
bind_password = "REDACTED"
# Search with the bind account rather than with the logging-in user's own credentials
bind_as_authenticating_user = false

# User search: %s is replaced with the login name
search_filter = "(|(distinguishedName=%s)(sAMAccountName=%s)(userPrincipalName=%s))"
search_base_dns = ["DC=rlyeh,DC=local"]

# Group search: %s is replaced with a value taken from the matched user entry
group_search_filter = "(&(objectClass=group)(member=%s))"
group_search_base_dns = ["DC=rlyeh,DC=local"]

# Map AD groups to Grafana roles (wildcard catch-all listed last)
[[servers.group_mappings]]
group_dn = "CN=Miskatonik,OU=Internal,OU=Administrators,OU=Accounts,OU=RLYEH,DC=rlyeh,DC=local"
org_role = "Admin"

# Default role if no group matches
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"

# LDAP attribute used as the Grafana login name
[servers.attributes]
username = "sAMAccountName"

grafana.ini Modification

To enable LDAP authentication in Grafana, the following changes must be made to the grafana.ini file:

[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true

Ensure that the path to ldap.toml matches the file location inside the container or on the host system, depending on deployment.

Environment Notes

Grafana was configured with the correct volume mapping for LDAP settings via Docker Compose, and restarted cleanly to apply changes.

Outcome

Grafana was able to authenticate users successfully against the Active Directory domain using LDAP. However, group membership resolution (via group_search_filter) failed to function as expected. Logs consistently showed:

LDAP: Found groups: []
LDAP: Matched group * -> org_role=Viewer

This suggests that the value Grafana substituted for %s in group_search_filter during login was not the user's DN (the value AD stores in a group's member attribute), so no group could match.
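To reason about that failure without a live domain controller, the following script is an added example (not part of the original report and not Grafana's own code). It re-implements the %s substitution Grafana applies to search_filter and group_search_filter, runs both searches against a constructed in-memory directory, and then applies the group_mappings from the ldap.toml above. The directory entries, the ldap_search and resolve_role helpers, and the first-match semantics assumed for group_mappings are this example's own; the filters, base DNs and mappings are copied from the report.

```python
"""Offline reproduction of Grafana's two-step LDAP login lookup (added example)."""

# Constructed directory snapshot in the style of AD entries (not real accounts).
# Each entry maps attribute -> value, or -> list of values for multi-valued attributes.
DIRECTORY = [
    {
        "distinguishedName": "CN=Armitage,OU=Staff,DC=rlyeh,DC=local",
        "objectClass": "user",
        "sAMAccountName": "armitage",
        "userPrincipalName": "armitage@rlyeh.local",
    },
    {
        "distinguishedName": "CN=Wilmarth,OU=Staff,DC=rlyeh,DC=local",
        "objectClass": "user",
        "sAMAccountName": "wilmarth",
        "userPrincipalName": "wilmarth@rlyeh.local",
    },
    {
        "distinguishedName": "CN=Miskatonik,OU=Internal,OU=Administrators,OU=Accounts,OU=RLYEH,DC=rlyeh,DC=local",
        "objectClass": "group",
        # AD stores group membership as the members' full DNs
        "member": ["CN=Armitage,OU=Staff,DC=rlyeh,DC=local"],
    },
]

# Values taken from the ldap.toml in the report
SEARCH_BASE = "DC=rlyeh,DC=local"
SEARCH_FILTER = "(|(distinguishedName=%s)(sAMAccountName=%s)(userPrincipalName=%s))"
GROUP_SEARCH_BASE = "DC=rlyeh,DC=local"
GROUP_SEARCH_FILTER = "(&(objectClass=group)(member=%s))"
GROUP_MAPPINGS = [  # same order as the [[servers.group_mappings]] blocks
    ("CN=Miskatonik,OU=Internal,OU=Administrators,OU=Accounts,OU=RLYEH,DC=rlyeh,DC=local", "Admin"),
    ("*", "Viewer"),
]


def _parse(filt, i):
    """Parse the RFC 4515 subset these filters use: (&...), (|...), (!...) and
    (attr=value) equality with unescaped values. Returns (node, next_index)."""
    if filt[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if filt[i] in "&|!":
        op, i, children = filt[i], i + 1, []
        while filt[i] == "(":
            child, i = _parse(filt, i)
            children.append(child)
        if filt[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), i + 1
    j = filt.index(")", i)
    attr, value = filt[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not _matches(node[1][0], entry)
    _, attr, wanted = node
    stored = entry.get(attr)
    if stored is None or wanted == "":  # absent attribute or empty value: no match
        return False
    values = stored if isinstance(stored, list) else [stored]
    # DN and name attributes compare case-insensitively in AD
    return any(v.lower() == wanted.lower() for v in values)


def ldap_search(base_dn, filter_template, substitution):
    """Replace every %s with substitution, then return matching entries under base_dn."""
    node, _ = _parse(filter_template.replace("%s", substitution), 0)
    return [e for e in DIRECTORY
            if e["distinguishedName"].lower().endswith(base_dn.lower()) and _matches(node, e)]


def resolve_role(login, group_user_attribute="distinguishedName"):
    """Mimic the login flow: user search, group search, role mapping.

    group_user_attribute names the attribute of the user entry whose value replaces
    %s in group_search_filter. Returns (group_dns, role), or None when the user
    search does not yield exactly one entry."""
    users = ldap_search(SEARCH_BASE, SEARCH_FILTER, login)
    if len(users) != 1:
        return None
    substitution = users[0].get(group_user_attribute, "")
    groups = [g["distinguishedName"]
              for g in ldap_search(GROUP_SEARCH_BASE, GROUP_SEARCH_FILTER, substitution)]
    # Assumed first-match semantics: the first mapping naming one of the user's
    # groups, or the "*" wildcard, decides the role.
    for group_dn, role in GROUP_MAPPINGS:
        if group_dn == "*" or any(group_dn.lower() == g.lower() for g in groups):
            return groups, role
    return groups, None


if __name__ == "__main__":
    for attr in ("distinguishedName", "sAMAccountName"):
        groups, role = resolve_role("armitage", attr)
        print("substituting %s: found groups %s -> org_role=%s" % (attr, groups, role))
```

Substituting the user's DN into the member= comparison returns the Miskatonik group and the Admin role; substituting anything that is not the DN (the login name, for instance) returns no groups and falls through to the "*" wildcard, which is exactly the "Found groups: []" / "Matched group * -> org_role=Viewer" pair from the logs. The same two searches can be issued against the real domain controller with the bind account to see which value the member attribute actually holds. Note that the wildcard mapping, combined with allow_sign_up = true, gives every account that can authenticate to the domain a Viewer login in Grafana.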

Final Decision

Given the time spent troubleshooting and the minimal risk associated with viewer-level access, the following approach was adopted:

This approach maintains secure access while avoiding unreliable group mapping behavior. Further debugging may be resumed at a later stage if tighter access control becomes necessary.