2
votes

I am trying to add single sign-on for Grafana using LDAP. I have come across the Grafana documentation for LDAP, but I did not understand it.

Can I get a single sign-on feature using LDAP?

If yes, can somebody give me a step-by-step procedure to follow to set up single sign-on using LDAP and Grafana?

Grafana version: 5.2.1, OS: Windows

Update 1

I have been able to configure LDAP with Grafana. Now I'm trying to integrate LDAP with WAMP for SSO. In the Apache error log file I'm getting this error: auth_ldap authenticate: user username authentication failed; URI /grafana/ [LDAP: ldap_simple_bind() failed][Invalid DN Syntax].

My Apache config file:

<VirtualHost *:80>
  ServerName localhost
  RewriteEngine on
  ErrorLog "logs/authproxy-error_log"
  CustomLog "logs/authproxy-access_log" common
  <Location "/grafana/">
        LDAPReferrals off
        AuthType Basic
        AuthName GrafanaAuthProxy
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://localhost:389/dc=maxcrc,dc=com?cn,ou?sub"
        AuthLDAPBindDN "cn=Manager,dc=maxcrc,dc=com"
        AuthLDAPBindPassword "password"
        AuthLDAPGroupAttributeIsDN off
        Require ldap-filter ldapsettingshere
        AuthLDAPMaxSubGroupDepth 1
        RequestHeader unset Authorization
        Require valid-user
  </Location>   
  <Proxy *>
        RewriteEngine On
        RewriteRule .* - [E=PROXY_USER:%{LA-U:REMOTE_USER},NS]
        RequestHeader set X-WEBAUTH-USER "%{PROXY_USER}e"
  </Proxy> 
  RequestHeader unset Authorization
  ProxyRequests Off
  ProxyPass /grafana/ http://localhost:3000/
  ProxyPassReverse /grafana/ http://localhost:3000
</VirtualHost>

Update 2

Able to resolve the issue by changing the bindURL and bindDN.

1
Can you describe the problem you are having and the version of Grafana you are using? – Phil
You may not have the correct logging level set. In your defaults ini file under [log] set mode = console file and level = error. See if that logs an error to either the console or your logging file. You should restart the Grafana server too. – Phil
Since the question is tagged with [openldap] I'd suggest to also look if some LDAP requests from Grafana appear in the OpenLDAP logs. – Michael Ströder
I'm not sure, so I had a quick google on [Invalid DN Syntax] and it might be that your bind DN is in the wrong format. Here's a serverfault link that might help: serverfault.com/questions/616698/… But I'm guessing @MichaelStröder would be a better person to ask. – Phil

1 Answer

3
votes

I have been able to do SSO by following these steps.

  1. Configuring LDAP with Grafana by following the steps in the Grafana documentation
  2. Disabling the Grafana login page by using Apache’s auth work together with Grafana’s AuthProxy documentation
  3. Integrating LDAP with Apache for reverse proxy authentication by modifying the httpd.conf file as mentioned above
  4. Disabled the reverse proxy authentication pop-up by passing the username and password into the URL in the script.

With these steps I have been able to get SSO functionality.
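
The Grafana side of steps 2 and 3, as an added example that is not part of the original answer or of the Grafana project's own files: an `[auth.proxy]` section matching the `X-WEBAUTH-USER` header that the Apache config in the question sets. Grafana logs in whoever that header names without asking for a password, so the loopback listener and the `whitelist` value are assumptions chosen so that only the local Apache proxy can deliver the header; confirm that your Grafana version supports `whitelist`.

```ini
; Grafana custom.ini (added example; the values are assumptions for the
; localhost setup shown in the question)

[server]
; Listen on loopback only, so port 3000 is reachable solely through Apache.
http_addr = 127.0.0.1
http_port = 3000
domain = localhost
; Matches "ProxyPass /grafana/ http://localhost:3000/" in the Apache config.
root_url = %(protocol)s://%(domain)s/grafana/

[auth.proxy]
enabled = true
; Must be the same header name Apache writes with "RequestHeader set".
header_name = X-WEBAUTH-USER
; Treat the header value as the Grafana login name.
header_property = username
; Create the Grafana user on first request; set to false to admit only
; users that already exist in Grafana.
auto_sign_up = true
; Accept the header only when the request comes from the proxy's address.
whitelist = 127.0.0.1
```

After restarting Grafana, check that a request sent directly to port 3000 from another machine is refused and that the Apache `<Location>` block still requires a valid LDAP user before the header is set.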