
LDAP multiple group_search_base_dns not respected #17137

Closed
yesoreyeram opened this issue May 17, 2019 · 10 comments · Fixed by #25825

Comments

@yesoreyeram (Contributor)

What happened:

When using multiple group_search_base_dns in LDAP.toml, only the first entry in that array is used.

I confirmed this by swapping the order of the entries. Whatever the order, only the first is considered.

After enabling logging, it shows groups from only the first entry.

A similar issue was reported earlier on this Grafana community page.

Environment:

  • Grafana version: 6.x
  • OS Grafana is installed on: Ubuntu 16.04
  • User OS & Browser: Chrome
@markelog (Contributor)

Hi there!

Grafana version: 6.x

Can you clarify that bit? Which version specifically do you use? Or it's just any 6.x?

@markelog markelog added the needs more info Issue needs more information, like query results, dashboard or panel json, grafana version etc label May 20, 2019
@yesoreyeram (Contributor, Author) commented May 20, 2019

Hi @markelog, any 6.x version.. (I doubt the exists in 5.x as well..)

@markelog (Contributor)

Gotcha! Thanks :)

@markelog markelog removed the needs more info Issue needs more information, like query results, dashboard or panel json, grafana version etc label May 20, 2019
@markelog (Contributor)

We are now refactoring LDAP logic, so I'm hoping to check this issue as well

@markelog markelog self-assigned this May 20, 2019
@yesoreyeram (Contributor, Author)

Hi @markelog . Thanks for the update.

We would like to see some enhancements as well.

  • Automatically refresh LDAP settings whenever the LDAP config is updated. Currently we need to restart Grafana.
  • Mapping of multiple orgs for any group_dn. Currently, if we want to provide access to multiple orgs, we need multiple entries for the same group_dn. So the org_id property should be some kind of array.
  • LDAP toml should be moved to the provisioning folder like dashboards. Also there should be some UI to update LDAP configurations at runtime.

QQ: Are there any limitations in the number of mappings we can configure in LDAP? In large companies, we used to have 30 to 50 orgs, one for each team. Each org has 5-10 viewer AD groups and a couple of editor AD groups. So it is painful to maintain a big LDAP.toml file.

PS: Please don't let me down by saying "These features will be available in the commercial / paid version" 😄

@markelog (Contributor) commented May 22, 2019

Requested feedback from our Grafana Enterprise master @xlson about this :).
But I think those are very good suggestions!

Are there any limitations in the number of mappings we can configure in LDAP?

I don't think so, do you have any particular issues with it?

So it is painful to maintain a big LDAP.toml file.

Mm, do you have any suggestions in mind on how to improve it?

How many users in total are we talking about?

PS: Please don't let me down by saying "These features will be available in the commercial / paid version" 😄

There are no plans like that, and those features do not look like enterprise ones to me :).
Btw, we are really (like really) conscious about what to put into the enterprise version of Grafana.

@yesoreyeram (Contributor, Author) commented May 22, 2019

Hi @markelog . Thanks for the response.

We have 1000+ users spread across 56 orgs/teams. Each Grafana org has 4 to 10 LDAP mappings.

Mm, do you have any suggestions in mind on how to improve it?

The LDAP config file could be restructured to something like this..

```yaml
---
- org_id: 1
  admins:
    - group_dn1
    - group_dn2
  editors:
    - group_dn3
    - group_dn4
  viewers:
    - group_dn5
    - group_dn6
- org_id: 2
  admins:
    - group_dn2
    - group_dn3
  editors:
    - group_dn6
    - group_dn7
  viewers:
    - group_dn1
    - group_dn8
```

or something like this

```yaml
---
# "*" means every org (quoted, since a bare * is not valid YAML)
- group_dn: group_dn1
  admins_of:
    - 1
    - 3
  editors_of:
    - 2
  viewers_of:
    - "*"
- group_dn: special_group
  editors_of:
    - "*"
- group_dn: more_special_group
  admins_of:
    - "*"
```

whichever works well..

@markelog (Contributor)

We have 1000+ users spread across 56 orgs/teams. Each Grafana org has 4 to 10 LDAP mappings.

Thanks for the numbers! We are currently doing benchmarks with LDAP stuff, so it's very useful.

The LDAP config file could be restructured to something like this..

Interesting, looks concise to me, we would have to consider the back-compat tho.

Also, this -

Automatically refresh LDAP settings whenever the LDAP config is updated. Currently we need to restart Grafana.

Will be available in 6.2 (we have not documented it yet tho). In a nutshell, you would need to send a POST request to /api/admin/ldap/reload and the LDAP config should be reloaded.

@xlson xlson modified the milestone: 6.3 May 24, 2019
@xlson (Contributor) commented May 24, 2019

Thanks for reporting this issue. I think @markelog has responded to all of your questions already so not much to say.

Better support for mapping multiple orgs in the toml file is tracked here #2608

@cameronkerrnz

Adding a data point to this; I have an AD forest that I'm querying, and based on the documentation I have done the following with Grafana 6.5.1 (grafana/grafana:latest on Docker Hub)

```toml
group_search_filter_user_attribute = "distinguishedName"
group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"

# This works, but takes significantly longer (4 seconds) due to the number and
# size of the various groups it could find

group_search_base_dns = ["DC=example,DC=com"]

# This however, will only find groups in the first entry

## group_search_base_dns = [
##    "OU=SomeTeam,OU=SomeDept,OU=Groups,DC=example,DC=com",
##    "OU=Groups,OU=Stuff,DC=example,DC=com",
##    "OU=Foo,OU=Groups,DC=example,DC=com"
##    ]
```
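As an added example (not Grafana's code and not a description of how the linked fix is implemented), the Go snippet below contrasts the reported behaviour, querying only the first base DN, with a search that walks every configured group_search_base_dns entry and merges the results; the directory lookup, user DN and group names are constructed stand-ins.

```go
package main

import "fmt"

// groupSearcher stands in for one LDAP group query under a single base DN
// (constructed stand-in so the example runs offline; the real call applies
// group_search_filter with the user's DN under baseDN).
type groupSearcher func(baseDN, userDN string) ([]string, error)

// userGroupsFirstBaseOnly reproduces the reported behaviour: only the first
// entry of group_search_base_dns is ever queried.
func userGroupsFirstBaseOnly(bases []string, userDN string, search groupSearcher) ([]string, error) {
	if len(bases) == 0 {
		return nil, nil
	}
	return search(bases[0], userDN)
}

// userGroupsAllBases is what the config promises: query every base DN in
// order, merge the results and drop duplicates, so role mapping sees all groups.
func userGroupsAllBases(bases []string, userDN string, search groupSearcher) ([]string, error) {
	seen := map[string]bool{}
	var groups []string
	for _, base := range bases {
		found, err := search(base, userDN)
		if err != nil {
			return nil, fmt.Errorf("group search under %q: %w", base, err)
		}
		for _, g := range found {
			if !seen[g] {
				seen[g] = true
				groups = append(groups, g)
			}
		}
	}
	return groups, nil
}

// fakeDirectory is constructed sample data: the user's groups under each base.
var fakeDirectory = map[string][]string{
	"OU=SomeTeam,OU=SomeDept,OU=Groups,DC=example,DC=com": {"CN=team-viewers,OU=SomeTeam,OU=SomeDept,OU=Groups,DC=example,DC=com"},
	"OU=Groups,OU=Stuff,DC=example,DC=com":                {"CN=stuff-editors,OU=Groups,OU=Stuff,DC=example,DC=com"},
}
func fakeSearch(baseDN, _ string) ([]string, error) { return fakeDirectory[baseDN], nil }

func main() {
	bases := []string{"OU=SomeTeam,OU=SomeDept,OU=Groups,DC=example,DC=com", "OU=Groups,OU=Stuff,DC=example,DC=com", "OU=Foo,OU=Groups,DC=example,DC=com"}
	first, _ := userGroupsFirstBaseOnly(bases, "CN=alice,DC=example,DC=com", fakeSearch)
	all, _ := userGroupsAllBases(bases, "CN=alice,DC=example,DC=com", fakeSearch)
	fmt.Printf("first base only: %d groups; all bases: %d groups\n", len(first), len(all))
}
```

With the first-only behaviour, a user whose editor group lives under the second base DN is mapped from an incomplete group list, which is why the symptom in this thread shows up as missing roles rather than as an error.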
