2

I am trying to add single sign-on for Grafana using LDAP. I have come across the Grafana documentation for LDAP, but I did not understand it.

Can I get the single sign-on feature using LDAP?

If yes, can somebody give me a step-by-step procedure to follow to set up single sign-on using LDAP and Grafana?

Grafana version: 5.2.1, OS: Windows

Update 1

I have been able to configure LDAP with Grafana. Now I'm trying to integrate LDAP with WAMP for SSO. In the Apache error log file I'm getting this error: `auth_ldap authenticate: user username authentication failed; URI /grafana/ [LDAP: ldap_simple_bind() failed][Invalid DN Syntax]`.

My Apache config file:

```apache
<VirtualHost *:80>
  ServerName localhost
  RewriteEngine on
  ErrorLog "logs/authproxy-error_log"
  CustomLog "logs/authproxy-access_log" common
  # Basic authentication against LDAP for everything under /grafana/
  <Location "/grafana/">
        LDAPReferrals off
        AuthType Basic
        AuthName GrafanaAuthProxy
        AuthBasicProvider ldap
        # Format: ldap://host:port/basedn?attribute?scope?filter
        AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub"
        AuthLDAPBindDN "cn=Manager,dc=maxcrc,dc=com"
        AuthLDAPBindPassword "password"
        AuthLDAPGroupAttributeIsDN off
        Require ldap-filter ldapsettingshere
        AuthLDAPMaxSubGroupDepth 1
        # Do not forward the Basic credentials to Grafana
        RequestHeader unset Authorization
        Require valid-user
  </Location>
  <Proxy *>
        RewriteEngine On
        # Copy the authenticated user name into PROXY_USER and pass it to
        # Grafana in the X-WEBAUTH-USER header
        RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
        RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
  </Proxy>
  RequestHeader unset Authorization
  ProxyRequests Off
  ProxyPass /grafana/ http://localhost:3000/
  ProxyPassReverse /grafana/ http://localhost:3000
</VirtualHost>
```

Update 2

I was able to resolve the issue by changing the bindURL and bindDN.

Yajana N Rao
  • Can you describe the problem you are having and the version of Grafana you are using? – Phil Jul 19 '18 at 10:08
  • @Phil I have made changes according to the Grafana documentation, but I'm not able to log in to Grafana with LDAP user credentials. – Yajana N Rao Jul 19 '18 at 10:15
  • Check the output, there should be an error that tells you what the problem is. If you're running Grafana from the terminal you'll probably see the error there. – Phil Jul 19 '18 at 10:17
  • There is no error in the grafana.log file – Yajana N Rao Jul 19 '18 at 10:30
  • You may not have the correct logging level set. In your defaults ini file under `[log]` set `mode = console file` and `level = error`. See if that logs an error to either the console or your logging file. You should restart the Grafana server too. – Phil Jul 19 '18 at 10:39
  • Also, have you verified the ldap credentials are correct? – Phil Jul 19 '18 at 10:42
  • Since the question is tagged with [openldap] I'd suggest to also look if some LDAP requests from _Grafana_ appear in the OpenLDAP logs. – Michael Ströder Jul 19 '18 at 10:56
  • @Phil ldap credentials are correct – Yajana N Rao Jul 19 '18 at 14:42
  • Did you check to see if there was an error? Without the error message we can't help you – Phil Jul 19 '18 at 15:21
  • I made a mistake in the ldap.toml file, so it was giving an error. Now I'm able to log in to Grafana using LDAP credentials. But how can I achieve single sign-on? – Yajana N Rao Jul 23 '18 at 09:40
  • @Phil can you please help with the error message mentioned above? – Yajana N Rao Jul 31 '18 at 06:20
  • I'm not sure, so I had a quick google on `[Invalid DN Syntax]` and it *might* be that your bind DN might be in the wrong format. Here's a serverfault link that might help: https://serverfault.com/questions/616698/in-ldap-what-exactly-is-a-bind-dn But I'm guessing @MichaelStröder would be a better person to ask. – Phil Jul 31 '18 at 15:15
  • I've answered this herein: [Reverse proxy authentication using LDAP in WAMP is failing](https://stackoverflow.com/a/51612836/10088178) – Michael Ströder Jul 31 '18 at 17:18

1 Answer

3

I have been able to do SSO by following these steps.

  1. Configuring LDAP with Grafana by following the steps in the Grafana documentation
  2. Disabling the Grafana login page by using Apache’s auth work together with Grafana’s AuthProxy documentation
  3. Integrating LDAP with Apache for reverse proxy authentication by modifying the httpd.conf file as mentioned above
  4. Disabling the reverse proxy authentication pop-up by passing the username and password in the URL in the script.

With these steps I have been able to get SSO functionality.

Yajana N Rao
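For the `[Invalid DN Syntax]` bind error discussed in the question, here is an added diagnostic sketch (not code from the original posts or from Apache or Grafana) that splits an `AuthLDAPURL` value into its `basedn?attribute?scope?filter` parts and sanity-checks the base DN and `AuthLDAPBindDN` before Apache attempts the bind. The function names are hypothetical, the DN check is a simplified reading of RFC 4514, and no directory is contacted.

```python
import re
from urllib.parse import urlsplit, unquote

# Simplified RFC 4514 check for one attribute=value pair: the type is a short
# name or dotted OID and the value is non-empty. Escaped backslashes before a
# separator are not handled.
_AVA = re.compile(r"\s*(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=\s*.+")

def dn_problems(dn):
    """Return a list of syntax problems found in a distinguished name."""
    if not dn.strip():
        return ["empty DN"]
    problems = []
    for rdn in re.split(r"(?<!\\),", dn):        # unescaped commas separate RDNs
        for ava in re.split(r"(?<!\\)\+", rdn):  # '+' joins a multi-valued RDN
            if not _AVA.fullmatch(ava):
                problems.append("bad RDN component: %r" % ava.strip())
    return problems

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into its parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    attrs, scope, ldap_filter = (parts.query.split("?", 2) + ["", ""])[:3]
    names = [a for a in attrs.split(",") if a]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path[1:]),
        # mod_authnz_ldap searches on the first attribute only (default: uid)
        "search_attribute": names[0] if names else "uid",
        "ignored_attributes": names[1:],
        "scope": scope if scope in ("one", "sub") else "sub",
        "filter": unquote(ldap_filter),
    }

def check(url, bind_dn):
    """Parse the URL and collect findings for the base DN and the bind DN."""
    cfg = parse_auth_ldap_url(url)
    findings = ["base DN: " + p for p in dn_problems(cfg["base_dn"])]
    findings += ["bind DN: " + p for p in dn_problems(bind_dn)]
    if cfg["ignored_attributes"]:
        findings.append("only %r is searched, ignored: %s"
                        % (cfg["search_attribute"], ", ".join(cfg["ignored_attributes"])))
    return cfg, findings

if __name__ == "__main__":
    # Values taken from the configuration in the question.
    print(check("ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub",
                "cn=Manager,dc=maxcrc,dc=com"))
    # Constructed malformed bind DN (not from the page).
    print(check("ldap://localhost:389/dc=maxcrc,dc=com?cn?sub", "Manager@maxcrc.com")[1])
```

A clean result only means the strings are well formed; whether the DN exists and the password matches is still decided by the directory, so the OpenLDAP log remains the place to confirm what Apache actually sent.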