# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"
```
## Bind & Bind Password
By default the configuration expects you to specify a bind DN and bind password. This should be a read only user that can perform ldap searches.
When the user DN is found a second bind is performed with the user provided username & password (in the normal Grafana login form).
```
bind_dn = "cn=admin,dc=grafana,dc=org"
bind_password = "grafana"
```
### Single bind Example
If you can provide a single bind expression that matches all possible users you can skip the second bind and bind against the user DN directly.
This allows you to not specify a bind_password in the configuration file.
```
bind_dn = "cn=%s,o=users,dc=grafana,dc=org"
```
In this case you skip providing a `bind_password` and instead provide a `bind_dn` value with a `%s` somewhere. This will be replaced with the username
entered in on the Grafana login page. The search filter and search bases settings are still needed to perform the ldap search to retreive the other ldap
information (like ldap groups and email).
## Ldap to Grafana Org Role Sync
In the `[[servers.group_mappings]]` you can map a LDAP group to a grafana organization and role. These will be synced every time the user logs in. So
if you change a users role in the Grafana Org. Users page, this change will be reset the next time the user logs in. Similarly if you
can LDAP groups for a user in LDAP the change will take effect the next time the user logs in to Grafana.