By default, Grafana only allows sign-in with local user accounts, but it can also authenticate users against an LDAP directory (Active Directory or FreeIPA). First, enable the LDAP authentication section in the Grafana configuration file:
$ sudo nano /etc/grafana/grafana.ini
############################## Auth LDAP ###################
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
Then edit the file with LDAP connection settings:
$ sudo nano /etc/grafana/ldap.toml
[[servers]]
host = "dc01.poweradm.com dc02.poweradm.com"
# credentials of the service account used to bind to the LDAP directory
bind_dn = "uid=svc_grafana,cn=users,cn=accounts,dc=poweradm,dc=com"
bind_password = 'grafana_password1'
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["dc=poweradm,dc=com"]
[[servers.group_mappings]]
# Grafana admin group
group_dn = "cn=grafana_admins,cn=groups,cn=par,dc=poweradm,dc=com"
org_role = "Admin"
[[servers.group_mappings]]
# Grafana editors group
group_dn = "cn=grafana_rw,cn=groups,cn=par,dc=poweradm,dc=com"
org_role = "Editor"
[[servers.group_mappings]]
# Group allowed to view Grafana dashboards and data
group_dn = "cn=grafana_ro,cn=groups,cn=par,dc=poweradm,dc=com"
org_role = "Viewer"
Create the grafana_admins, grafana_rw and grafana_ro groups in AD and add users to them according to their role. Also create a domain user svc_grafana for the bind account with minimal permissions (you can even exclude this account from the Domain Users group).
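The group mappings above are evaluated by Grafana in file order, and the first mapping whose group the user belongs to decides the org role, which is why the Admin group is listed first. The following script is an added example, not code from the article or from the Grafana project: it parses the ldap.toml shown above (embedded as a constructed sample), resolves the role for hypothetical users from their memberOf DNs using that first-match rule, and raises the review findings a practitioner would want before deploying the file. The use_ssl and start_tls keys it reads are real Grafana ldap.toml settings that the article does not show; the user names and memberOf values are constructed.

```python
import re

# Constructed sample: the ldap.toml from the article, embedded inline so the
# example runs offline. The password is the article's placeholder, not a real
# credential.
LDAP_TOML = """
[[servers]]
host = "dc01.poweradm.com dc02.poweradm.com"
# credentials of the service account used to bind to the LDAP directory
bind_dn = "uid=svc_grafana,cn=users,cn=accounts,dc=poweradm,dc=com"
bind_password = 'grafana_password1'
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["dc=poweradm,dc=com"]

[[servers.group_mappings]]
group_dn = "cn=grafana_admins,cn=groups,cn=par,dc=poweradm,dc=com"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "cn=grafana_rw,cn=groups,cn=par,dc=poweradm,dc=com"
org_role = "Editor"

[[servers.group_mappings]]
group_dn = "cn=grafana_ro,cn=groups,cn=par,dc=poweradm,dc=com"
org_role = "Viewer"
"""

ROLE_RANK = {"Admin": 3, "Editor": 2, "Viewer": 1}


def parse_ldap_toml(text):
    """Parse the subset of TOML that Grafana's ldap.toml uses: [[servers]]
    tables, [[servers.group_mappings]] sub-tables, quoted scalar strings and
    arrays of quoted strings. This is deliberately not a full TOML parser."""
    servers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[servers]]":
            current = {"group_mappings": []}
            servers.append(current)
        elif line == "[[servers.group_mappings]]":
            current = {}
            servers[-1]["group_mappings"].append(current)
        else:
            # split on the first '=' only, so filters like "(sAMAccountName=%s)" survive
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value.startswith("["):
                current[key] = re.findall(r"""["']([^"']*)["']""", value)
            else:
                current[key] = value.strip("\"'")
    return servers


def resolve_role(server, member_of):
    """Resolve the org role for a user whose memberOf attribute holds the DNs
    in member_of. Grafana walks the group mappings in file order and the first
    matching mapping wins, so a user in both the admin and the viewer group
    gets Admin only because the Admin mapping is listed first. DNs are compared
    case-insensitively here, following LDAP DN matching rules."""
    groups = {dn.lower() for dn in member_of}
    for mapping in server["group_mappings"]:
        if mapping["group_dn"].lower() in groups:
            return mapping["org_role"]
    return None


def audit_server(server):
    """Return review findings for one [[servers]] block. use_ssl and start_tls
    are Grafana ldap.toml keys not shown in the article; they are only read."""
    findings = []
    tls = any(str(server.get(k, "false")).lower() == "true"
              for k in ("use_ssl", "start_tls"))
    if not tls:
        findings.append("LDAP bind and search traffic is not protected by TLS "
                        "(neither use_ssl nor start_tls is true)")
    if server.get("bind_password"):
        findings.append("bind_password is stored in clear text; restrict read "
                        "access to ldap.toml to the grafana service user")
    ranks = [ROLE_RANK.get(m.get("org_role"), 0) for m in server["group_mappings"]]
    if ranks != sorted(ranks, reverse=True):
        findings.append("group mappings are not ordered from most to least "
                        "privileged; with first-match semantics a user in several "
                        "groups may end up with a lower role than intended")
    return findings


if __name__ == "__main__":
    server = parse_ldap_toml(LDAP_TOML)[0]
    for finding in audit_server(server):
        print("finding:", finding)
    # Constructed memberOf values for two hypothetical users.
    alice = ["CN=grafana_admins,CN=groups,CN=par,DC=poweradm,DC=com",
             "cn=grafana_ro,cn=groups,cn=par,dc=poweradm,dc=com"]
    bob = ["cn=grafana_ro,cn=groups,cn=par,dc=poweradm,dc=com"]
    print("alice ->", resolve_role(server, alice))  # Admin
    print("bob   ->", resolve_role(server, bob))    # Viewer
```

Running it against the article's file reports two findings: the bind is made without TLS, and the bind password sits in clear text in ldap.toml, so the file's permissions should limit it to the grafana service account. Reversing the mapping order in the file would add a third finding, since a user in both grafana_admins and grafana_ro would then be mapped to Viewer.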
To troubleshoot AD authentication, enable LDAP debug logging by adding a log filter to the /etc/grafana/grafana.ini file:
[log]
filters = ldap:debug
Restart the Grafana service:
$ sudo systemctl restart grafana-server
Try signing in with a domain user. If the login fails, check the log:
$ tail -f /var/log/grafana/grafana.log