grafana / grafana-operator

An operator for Grafana that installs and manages Grafana instances, Dashboards and Datasources through Kubernetes/OpenShift CRs
https://grafana.github.io/grafana-operator/
Apache License 2.0

[Bug] Failed to log in with LDAP user #694

Closed CherryJia closed 2 years ago

CherryJia commented 2 years ago

Describe the bug: We have enabled LDAP for our Grafana and are able to test it from the console by searching for a specific user, but logging in fails.

Version: v4.0.0

To Reproduce
Steps to reproduce the behavior:

  1. Enable LDAP.

  2. Test from the Server Admin LDAP console; it works fine with my user ID and lists all the groups.

  3. Log out of the built-in admin user.

  4. Log in with my ID jiayybj@cn.ibm.com; it fails with error="invalid username or password" and reports that the user is not in any of the listed groups. Please see the detailed log:

t=2022-03-03T19:02:20+0000 lvl=info msg="LDAP enabled, reading config file" logger=ldap file=/etc/grafana-configmaps/ldap-config/ldap.toml
t=2022-03-03T19:02:20+0000 lvl=dbug msg="LDAP SearchRequest" logger=ldap searchRequest="&{BaseDN:ou=bluepages,o=ibm.com Scope:2 DerefAliases:0 SizeLimit:0 TimeLimit:0 TypesOnly:false Filter:(|(&(emailAddress=jiayybj@cn.ibm.com)(objectclass=ePerson))) Attributes:[mail cn dn] Controls:[]}\n"
t=2022-03-03T19:02:20+0000 lvl=info msg="Searching for user's groups" logger=ldap filter="(&(objectClass=groupOfUniqueNames)(uniquemember=uid=920830672,c=cn,ou=bluepages,o=ibm.com))"
t=2022-03-03T19:02:21+0000 lvl=dbug msg="LDAP users found" logger=ldap users="([]*models.ExternalUserInfo) (len=1 cap=1) {\n (*models.ExternalUserInfo)(0xc000700ea0)({\n  OAuthToken: (*oauth2.Token)(<nil>),\n  AuthModule: (string) (len=4) \"ldap\",\n  AuthId: (string) (len=41) \"uid=920830672,c=cn,ou=bluepages,o=ibm.com\",\n  UserId: (int64) 0,\n  Email: (string) (len=18) \"jiayybj@cn.ibm.com\",\n  Login: (string) \"\",\n  Name: (string) \"\",\n  Groups: ([]string) (len=34 cap=64) {\n   (string) (len=13) \"IBMLinuxUsers\",\n   (string) (len=19) \"MCE_DCEDFS01_ECUREP\",\n   (string) (len=21) \"BSO-AP-GCG_TW-CDL-ALL\",\n   (string) (len=25) \"BSO-AP-GCG_CN-BJ-CDL-DEP1\",\n   (string) (len=39) \"Fix Central Tivoli Brand Administration\",\n   (string) (len=37) \"BSO-IE_SWG_TIV_Vallent_Ireland_Manual\",\n   (string) (len=12) \"jazz04-users\",\n   (string) (len=24) \"BSO-AP-GCG_HK-G6O-SWG-G1\",\n   (string) (len=9) \"BHPEOCATS\",\n   (string) (len=25) \"BSO-AP-GCG_CN-XA-CDL-DEP1\",\n   (string) (len=13) \"BHPEOE...
t=2022-03-03T19:02:21+0000 lvl=eror msg="User does not belong in any of the specified LDAP groups" logger=ldap username= groups="[IBMLinuxUsers MCE_DCEDFS01_ECUREP BSO-AP-GCG_TW-CDL-ALL BSO-AP-GCG_CN-BJ-CDL-DEP1 Fix Central Tivoli Brand Administration BSO-IE_SWG_TIV_Vallent_Ireland_Manual jazz04-users BSO-AP-GCG_HK-G6O-SWG-G1 BHPEOCATS BSO-AP-GCG_CN-XA-CDL-DEP1 BHPEOEVERYONE pasrtc:jazzusers pasrtc:jazzadmins pasrtc:jazzprojadmins pasrqm:jazzusers mac rptHRMS_cn BSO-AP-GCG_CN-XA-CSTL-DEP1 LIS Regular China stg_insight_users BSO-AP-GCG_CN-SH-CDL-ShuiOn SH IBM Reqular 201808 P G_China_Grp STG_Developers_Test1 Cloud-segment-user pSeriesAA WAS_DEV BeeKeeper_Privileged_User IES_PROVISIONER_PRIVACY_CONSENT Test_Bluegroup_Udemy IBMersReg cognos.wf360.hr.prod.lnk.summary cf-future-regular-employees OSS_SREConsole_Admin]"
t=2022-03-03T19:02:21+0000 lvl=dbug msg="unable to login with LDAP - skipping server" logger=ldap host=bluepages.ibm.com port=389 error="invalid username or password"

etc.

Expected behavior: I also have the group mapping configured as follows, but it does not help with the role assignment, and I am not even able to log in.

    [[servers.group_mappings]]
    group_dn = "cn=OSS_SREConsole_Admin,ou=memberlist,ou=ibmgroups,o=ibm.com"
    org_role = "Admin"
    grafana_admin = true

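
The log above lists the user's groups as bare names (for example OSS_SREConsole_Admin) while the group_mappings entry uses a full DN. The following is an added example, not code from the issue or from Grafana's code base, that models the mapping check as an exact, case-insensitive string comparison with "*" as a wildcard (this matching behaviour is an assumption) and shows how to test a group_mappings list against the group values a directory actually returned. The group values embedded below are a subset of those in the issue's log line; the function names (MatchMappings, LeadingRDNValue, Diagnose) are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupMapping mirrors one [[servers.group_mappings]] table from ldap.toml.
type GroupMapping struct {
	GroupDN      string // group_dn
	OrgRole      string // org_role
	GrafanaAdmin bool   // grafana_admin
}

// isMemberOf reports whether a configured group_dn matches one of the group
// values the directory returned for the user. Assumed semantics: an exact,
// case-insensitive string comparison, with "*" matching every user.
func isMemberOf(memberOf []string, groupDN string) bool {
	if groupDN == "*" {
		return true
	}
	for _, member := range memberOf {
		if strings.EqualFold(member, groupDN) {
			return true
		}
	}
	return false
}

// MatchMappings returns the mappings whose group_dn matched, in config order.
func MatchMappings(memberOf []string, mappings []GroupMapping) []GroupMapping {
	var matched []GroupMapping
	for _, m := range mappings {
		if isMemberOf(memberOf, m.GroupDN) {
			matched = append(matched, m)
		}
	}
	return matched
}

// LeadingRDNValue extracts the value of the first RDN of a DN, e.g. the
// "OSS_SREConsole_Admin" of "cn=OSS_SREConsole_Admin,ou=memberlist,...".
// A value without "=" is returned unchanged (it is already a bare name).
func LeadingRDNValue(dn string) string {
	first := dn
	if i := strings.IndexByte(dn, ','); i >= 0 {
		first = dn[:i]
	}
	if j := strings.IndexByte(first, '='); j >= 0 {
		return strings.TrimSpace(first[j+1:])
	}
	return strings.TrimSpace(first)
}

// Diagnose explains why a group_dn did not match. If only its leading RDN
// value appears among the returned groups, the directory returned bare names
// (such as the cn attribute) while the configuration expects full DNs.
func Diagnose(memberOf []string, groupDN string) string {
	if isMemberOf(memberOf, groupDN) {
		return "match"
	}
	name := LeadingRDNValue(groupDN)
	if name != groupDN && isMemberOf(memberOf, name) {
		return fmt.Sprintf("no match: the directory returned %q, not the full DN; set group_dn to the returned value", name)
	}
	return "no match: none of the returned groups resembles this group_dn"
}

func main() {
	// Constructed input: a subset of the group values from the issue's log line
	// "User does not belong in any of the specified LDAP groups".
	returned := []string{"IBMLinuxUsers", "jazz04-users", "OSS_SREConsole_Admin"}
	mappings := []GroupMapping{
		{GroupDN: "cn=OSS_SREConsole_Admin,ou=memberlist,ou=ibmgroups,o=ibm.com", OrgRole: "Admin", GrafanaAdmin: true},
	}
	for _, m := range mappings {
		fmt.Printf("%s -> %s\n", m.GroupDN, Diagnose(returned, m.GroupDN))
	}
	fmt.Printf("matched mappings: %d\n", len(MatchMappings(returned, mappings)))
}
```

Run it with `go run .`; the full-DN mapping produces no match against the bare names, and Diagnose points at the returned value that would have matched. Whether a real deployment returns bare names or DNs depends on which attribute the server's group lookup is configured to read, so the check is only meaningful when fed the values taken from the server's own debug log, as above.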
pb82 commented 2 years ago

@CherryJia I'm not too familiar with LDAP, so I can only point you to our existing example: https://github.com/grafana-operator/grafana-operator/tree/master/deploy/examples/ldap

CherryJia commented 2 years ago

fixed