From c9c4fc604e639ca0d53da0c92df0317027b54120 Mon Sep 17 00:00:00 2001
From: Jo
Date: Tue, 12 Jul 2022 15:11:09 +0000
Subject: [PATCH] LDAP: Improve errors and documentation (#52111)

---
 .../configure-authentication/ldap.md | 21 +++++++++++++++++++
 pkg/services/ldap/ldap.go | 2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/ldap.md b/docs/sources/setup-grafana/configure-security/configure-authentication/ldap.md
index 85fc53e6780..84cca12bf8f 100644
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/ldap.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/ldap.md
@@ -194,6 +194,27 @@ org_role = "Viewer"
 | `org_id` | No | The Grafana organization database id. Setting this allows for multiple group_dn's to be assigned to the same `org_role` provided the `org_id` differs | `1` (default org id) |
 | `grafana_admin` | No | When `true` makes user of `group_dn` Grafana server admin. A Grafana server admin has admin access over all organizations and users. Available in Grafana v5.3 and above | `false` |
 
+Note: Commenting out a group mapping requires also commenting out the header of
+said group or it will fail validation as an empty mapping. Example:
+
+```bash
+[[servers]]
+# other settings omitted for clarity
+
+[[servers.group_mappings]]
+group_dn = "cn=superadmins,dc=grafana,dc=org"
+org_role = "Admin"
+grafana_admin = true # Available in Grafana v5.3 and above
+
+# [[servers.group_mappings]]
+# group_dn = "cn=admins,dc=grafana,dc=org"
+# org_role = "Admin"
+
+[[servers.group_mappings]]
+group_dn = "cn=users,dc=grafana,dc=org"
+org_role = "Editor"
+```
+
 ### Nested/recursive group membership
 
 Users with nested/recursive group membership must have an LDAP server that supports `LDAP_MATCHING_RULE_IN_CHAIN`
diff --git a/pkg/services/ldap/ldap.go b/pkg/services/ldap/ldap.go
index 977f7f3db35..39390e84046 100644
--- a/pkg/services/ldap/ldap.go
+++ b/pkg/services/ldap/ldap.go
@@ -494,7 +494,7 @@ func (server *Server) AdminBind() error {
 err := server.userBind(server.Config.BindDN, server.Config.BindPassword)
 if err != nil {
 server.log.Error(
- "Cannot authenticate admin user in LDAP",
+ "Cannot authenticate admin user in LDAP. Verify bind configuration",
 "error", err,
 )