LDAP: Improve errors and documentation (#52111)

2025-02-25 18:55:37 -06:00 · 2022-07-12 15:11:09 +00:00 · 2022-07-12 15:11:09 +00:00 · c9c4fc604e
commit c9c4fc604e
parent 48e757ff87
2 changed files with 22 additions and 1 deletions
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/ldap.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/ldap.md
@ -194,6 +194,27 @@ org_role = "Viewer"
 | `org_id`        | No       | The Grafana organization database id. Setting this allows for multiple group_dn's to be assigned to the same `org_role` provided the `org_id` differs                    | `1` (default org id) |
 | `grafana_admin` | No       | When `true` makes user of `group_dn` Grafana server admin. A Grafana server admin has admin access over all organizations and users. Available in Grafana v5.3 and above | `false`              |

+Note: Commenting out a group mapping requires also commenting out the header of
+said group or it will fail validation as an empty mapping. Example:
+
+```bash
+[[servers]]
+# other settings omitted for clarity
+
+[[servers.group_mappings]]
+group_dn = "cn=superadmins,dc=grafana,dc=org"
+org_role = "Admin"
+grafana_admin = true # Available in Grafana v5.3 and above
+
+# [[servers.group_mappings]]
+# group_dn = "cn=admins,dc=grafana,dc=org"
+# org_role = "Admin"
+
+[[servers.group_mappings]]
+group_dn = "cn=users,dc=grafana,dc=org"
+org_role = "Editor"
+```
+
 ### Nested/recursive group membership

 Users with nested/recursive group membership must have an LDAP server that supports `LDAP_MATCHING_RULE_IN_CHAIN`
--- a/pkg/services/ldap/ldap.go
+++ b/pkg/services/ldap/ldap.go
@ -494,7 +494,7 @@ func (server *Server) AdminBind() error {
 	err := server.userBind(server.Config.BindDN, server.Config.BindPassword)
 	if err != nil {
 		server.log.Error(
-			"Cannot authenticate admin user in LDAP",
+			"Cannot authenticate admin user in LDAP. Verify bind configuration",
 			"error",
 			err,
 		)