This is documentation for the next version of Grafana. For the latest stable release, go to the latest version.
Configure LDAP authentication using the Grafana user interface
This page explains how to configure LDAP authentication in Grafana using the Grafana user interface. For more detailed information about configuring LDAP authentication using the configuration file, refer to LDAP authentication.
Benefits of using the Grafana user interface to configure LDAP authentication include:
- There is no need to edit the configuration file manually.
- Quickly test the connection to the LDAP server.
- There is no need to restart Grafana after making changes.
Note
Any configuration changes made through the Grafana user interface (UI) take precedence over the corresponding settings specified in the Grafana configuration file or through environment variables.
Before you begin
Prerequisites:
- Knowledge of LDAP authentication and how it works.
- Grafana instance v11.3.0 or later.
- Permissions settings:read and settings:write with settings:auth.ldap:* scope.
- This feature requires the ssoSettingsLDAP feature toggle to be enabled.
Steps to configure LDAP authentication
Sign in to Grafana and navigate to Administration > Authentication > LDAP.
1. Complete mandatory fields
The mandatory fields have an asterisk (*) next to them. Complete the following fields:
- Server host: Host name or IP address of the LDAP server.
- Search filter: The LDAP search filter finds entries within the directory.
- Search base DNS: List of base DNs to search through.
2. Complete optional fields
Complete the optional fields as needed:
- Bind DN: Distinguished name (DN) of the user to bind to.
- Bind password: Password for the server.
3. Advanced settings
Click the Edit button in the Advanced settings section to configure the following settings:
1. Miscellaneous settings
Complementary settings for LDAP authentication.
- Allow sign-up: Allows new users to register upon logging in.
- Port: Port number of the LDAP server. The default is 389.
- Timeout: Time in seconds to wait for a response from the LDAP server.
2. Attributes
Attributes used to map LDAP user assertion to Grafana user attributes.
- Name: Name of the assertion attribute to map to the Grafana user name.
- Surname: Name of the assertion attribute to map to the Grafana user surname.
- Username: Name of the assertion attribute to map to the Grafana user username.
- Member Of: Name of the assertion attribute to map to the Grafana user membership.
- Email: Name of the assertion attribute to map to the Grafana user email.
3. Group mapping
Map LDAP groups to Grafana roles.
- Skip organization role sync: This option avoids syncing organization roles. It is useful when you want to manage roles manually.
- Group search filter: The LDAP search filter finds groups within the directory.
- Group search base DNS: List of base DNs to specify the matching groups’ locations.
- Group name attribute: Identifies users within group entries.
Manage group mappings:
When managing group mappings, the following fields will become available. To add a new group mapping, click the Add group mapping button.
- Add a group DN mapping: The name of the key used to extract the ID token.
- Add an organization role mapping: Select the Basic Role mapped to this group.
- Add the organization ID membership mapping: Map the group to an organization ID.
- Define Grafana Admin membership: Enable Grafana Admin privileges to the group.
4. Extra security settings
Additional security settings options for LDAP authentication.
- Enable SSL: This option will enable SSL to connect to the LDAP server.
- Start TLS: Use StartTLS to secure the connection to the LDAP server.
- Min TLS version: Choose the minimum TLS version to use: TLS1.2 or TLS1.3.
- TLS ciphers: List the ciphers to use for the connection. For a complete list of ciphers, refer to the Cipher Go library.
- Encryption key and certificate provision specification:
  This section allows you to specify the key and certificate for the LDAP server. You can provide the key and certificate in two ways: base-64 encoded or path to files.
  - Base-64 encoded certificate:
    All values used in this section must be base-64 encoded.
    - Root CA certificate content: List of root CA certificates.
    - Client certificate content: Client certificate content.
    - Client key content: Client key content.
  - Path to files:
    Path in the file system to the key and certificate files.
    - Root CA certificate path: Path to the root CA certificate.
    - Client certificate path: Path to the client certificate.
    - Client key path: Path to the client key.
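The following is an added example, not part of the Grafana documentation or code base: a pre-save check over the port, SSL/StartTLS, TLS version and certificate settings described above. The dictionary keys are hypothetical names for the UI fields, and the check assumes each base-64 field holds the base-64 encoding of a PEM file.

```python
import base64

def pem_label(b64_value):
    """Label of the PEM block inside a base-64 field value, or None if it does not decode."""
    try:
        text = base64.b64decode(b64_value).decode("ascii").strip()
    except ValueError:  # malformed base-64 or a non-ASCII payload
        return None
    first = text.splitlines()[0] if text else ""
    if first.startswith("-----BEGIN ") and first.endswith("-----"):
        return first[len("-----BEGIN "):-len("-----")]
    return None

def lint_ldap_settings(s):
    """Findings for one LDAP server's settings; keys are hypothetical names for the UI fields."""
    findings = []
    ssl, starttls = s.get("enable_ssl", False), s.get("start_tls", False)
    if not ssl and not starttls:
        findings.append("cleartext: bind password and user logins are sent unencrypted")
    if ssl and not starttls and s.get("port", 389) == 389:  # 389 is the page's default
        findings.append("port: SSL without StartTLS on 389; LDAPS conventionally uses 636")
    if s.get("min_tls_version", "TLS1.2") not in ("TLS1.2", "TLS1.3"):
        findings.append("tls: minimum version is below TLS1.2")
    for kind in ("content", "path"):  # a client certificate is useless without its key
        if bool(s.get(f"client_cert_{kind}")) != bool(s.get(f"client_key_{kind}")):
            findings.append(f"mtls: client certificate and key {kind} must be set together")
    wanted = {"root_ca_cert_content": "CERTIFICATE", "client_cert_content": "CERTIFICATE",
              "client_key_content": "PRIVATE KEY"}
    for field, want in wanted.items():
        values = s.get(field) or []
        for value in [values] if isinstance(values, str) else values:
            label = pem_label(value)
            if label is None or not label.endswith(want):
                findings.append(f"encoding: {field} is not base-64 of a PEM {want}")
    return findings

def b64(text):  # helper for building the constructed samples
    return base64.b64encode(text.encode()).decode()

# Constructed sample: defaults left as-is, and a private key pasted into the CA field.
SAMPLE = {
    "port": 389, "enable_ssl": False, "start_tls": False,
    "root_ca_cert_content": [b64("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")],
}

if __name__ == "__main__":
    for finding in lint_ldap_settings(SAMPLE):
        print(finding)
```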
4. Persisting the configuration
Once you have configured the LDAP settings, click Save to persist the configuration.
If you want to delete all the changes made through the UI and revert to the configuration file settings, click the three dots menu icon and click Reset to default values.