Menu
Grafana Cloud Enterprise Open source RSS

Configure LDAP authentication using the Grafana user interface

This page explains how to configure LDAP authentication in Grafana using the Grafana user interface. For more detailed information about configuring LDAP authentication using the configuration file, refer to LDAP authentication.

Benefits of using the Grafana user interface to configure LDAP authentication include:

  • There is no need to edit the configuration file manually.
  • Quickly test the connection to the LDAP server.
  • There is no need to restart Grafana after making changes.

Note

Any configuration changes made through the Grafana user interface (UI) will take precedence over settings specified in the Grafana configuration file or through environment variables. If you modify any configuration settings in the UI, they will override any corresponding settings set via environment variables or defined in the configuration file.

Before you begin

Prerequisites:

  • Knowledge of LDAP authentication and how it works.
  • Grafana instance v11.3.0 or later.
  • Permissions settings:read and settings:write with settings:auth.ldap:* scope.
  • This feature requires the ssoSettingsLDAP feature toggle to be enabled.

Steps to configure LDAP authentication

Sign in to Grafana and navigate to Administration > Authentication > LDAP.

1. Complete mandatory fields

The mandatory fields have an asterisk (*) next to them. Complete the following fields:

  1. Server host: Host name or IP address of the LDAP server.
  2. Search filter: The LDAP search filter finds entries within the directory.
  3. Search base DNS: List of base DNs to search through.

2. Complete optional fields

Complete the optional fields as needed:

  1. Bind DN: Distinguished name (DN) of the user to bind to.
  2. Bind password: Password for the server.

3. Advanced settings

Click the Edit button in the Advanced settings section to configure the following settings:

1. Miscellaneous settings

Complementary settings for LDAP authentication.

  1. Allow sign-up: Allows new users to register upon logging in.
  2. Port: Port number of the LDAP server. The default is 389.
  3. Timeout: Time in seconds to wait for a response from the LDAP server.

2. Attributes

Attributes used to map LDAP user assertion to Grafana user attributes.

  1. Name: Name of the assertion attribute to map to the Grafana user name.
  2. Surname: Name of the assertion attribute to map to the Grafana user surname.
  3. Username: Name of the assertion attribute to map to the Grafana user username.
  4. Member Of: Name of the assertion attribute to map to the Grafana user membership.
  5. Email: Name of the assertion attribute to map to the Grafana user email.

3. Group mapping

Map LDAP groups to Grafana roles.

  1. Skip organization role sync: This option avoids syncing organization roles. It is useful when you want to manage roles manually.

  2. Group search filter: The LDAP search filter finds groups within the directory.

  3. Group search base DNS: List of base DNS to specify the matching groups’ locations.

  4. Group name attribute: Identifies users within group entries.

  5. Manage group mappings:

    When managing group mappings, the following fields will become available. To add a new group mapping, click the Add group mapping button.

    1. Add a group DN mapping: The name of the key used to extract the ID token.
    2. Add an organization role mapping: Select the Basic Role mapped to this group.
    3. Add the organization ID membership mapping: Map the group to an organization ID.
    4. Define Grafana Admin membership: Enable Grafana Admin privileges to the group.

4. Extra security settings

Additional security settings options for LDAP authentication.

  1. Enable SSL: This option will enable SSL to connect to the LDAP server.
  2. Start TLS: Use StartTLS to secure the connection to the LDAP server.
  3. Min TLS version: Choose the minimum TLS version to use. TLS1.2 or TLS1.3
  4. TLS ciphers: List the ciphers to use for the connection. For a complete list of ciphers, refer to the Cipher Go library.
  5. Encryption key and certificate provision specification: This section allows you to specify the key and certificate for the LDAP server. You can provide the key and certificate in two ways: base-64 encoded or path to files.
    1. Base-64 encoded certificate: All values used in this section must be base-64 encoded.
      1. Root CA certificate content: List of root CA certificates.
      2. Client certificate content: Client certificate content.
      3. Client key content: Client key content.
    2. Path to files: Path in the file system to the key and certificate files
      1. Root CA certificate path: Path to the root CA certificate.
      2. Client certificate path: Path to the client certificate.
      3. Client key path: Path to the client key.

4. Persisting the configuration

Once you have configured the LDAP settings, click Save to persist the configuration.

If you want to delete all the changes made through the UI and revert to the configuration file settings, click the three dots menu icon and click Reset to default values.