
Issue comment on grafana/grafana

LDAP authentication doesn't work with userPrincipalName as username

We have a situation where our sAMAccountName is a different username than what is included in userPrincipalName. I was trying to allow people to log in with either, using a dynamic bind_dn, but I could not get this to work. I can, however, get this to work for either case.

Login works using sAMAccountName (e.g. pckls/password):

grafana::ldap_cfg:
  servers:
    - host: 'ad.example.org'
      bind_dn: 'DOMAIN\%s'
      search_filter: "(sAMAccountName=%s)"
      search_base_dns: ["dc=example,dc=org"]
  'servers.attributes':
    name: 'givenName'
    surname: 'sn'
    username: 'sAMAccountName'
    member_of: 'memberOf'
    email: 'mail'

Login works using userPrincipalName (e.g. tom.pickles@example.org/password):

grafana::ldap_cfg:
  servers:
    - host: 'ad.example.org'
      bind_dn: '%s'
      search_filter: "(userPrincipalName=%s)"
      search_base_dns: ["dc=example,dc=org"]
  'servers.attributes':
    name: 'givenName'
    surname: 'sn'
    username: 'sAMAccountName'
    member_of: 'memberOf'
    email: 'mail'

The config isn't taken directly from the TOML file; it's from Hiera, but you get the point.

Anyway, I just thought I would mention it, as I did get userPrincipalName working, just not as well as sAMAccountName.

kennethmac2000

Comment created 4 months ago
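To show what the two configurations in the comment actually send to Active Directory, here is an added example (not Grafana's code and not part of the original comment) that renders the bind_dn and search_filter templates for the three logins discussed: a bare sAMAccountName, a userPrincipalName, and a crafted name that would break out of the filter if it were substituted unescaped. It assumes, as the comment's behaviour suggests, that Grafana replaces every %s in both templates with the typed login; the ServerConfig type, ChooseBindName, and the "either" filter are this example's own constructs, and the filter escaping follows RFC 4515 rather than any Grafana routine.

```go
package main

import (
	"fmt"
	"strings"
)

// ServerConfig holds the two Grafana LDAP settings the comment above varies.
// It is a hypothetical struct for this example, not Grafana's own type.
type ServerConfig struct {
	BindDN       string // bind_dn template; %s is replaced by the login name
	SearchFilter string // search_filter template; every %s is replaced by the login name
}

// escapeFilterValue escapes an assertion value as RFC 4515 requires, so a
// login such as `*)(objectClass=*` stays a literal and cannot widen the
// search. Non-ASCII bytes are hex-escaped too, which the RFC permits.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '\\' || c == '*' || c == '(' || c == ')' || c == 0 || c > 0x7f {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderBind fills the bind_dn template. The comment's two configs show the
// AD login forms this yields: `DOMAIN\%s` expects a sAMAccountName, `%s`
// expects a userPrincipalName; the result is an AD login name, not a DN,
// so no DN escaping is applied here.
func (c ServerConfig) RenderBind(login string) string {
	return strings.ReplaceAll(c.BindDN, "%s", login)
}

// RenderFilter fills every %s in search_filter with the escaped login, so one
// filter can test more than one attribute (assumption: all occurrences are
// replaced; check this against the Grafana version you run).
func (c ServerConfig) RenderFilter(login string) string {
	return strings.ReplaceAll(c.SearchFilter, "%s", escapeFilterValue(login))
}

// IsUPN reports whether a login looks like user@realm rather than a bare
// sAMAccountName or a DOMAIN\user name.
func IsUPN(login string) bool {
	at := strings.IndexByte(login, '@')
	return at > 0 && at < len(login)-1 && !strings.Contains(login, `\`)
}

// ChooseBindName is the per-login choice a client would need in order to
// accept both forms against AD: UPNs bind as written, bare names get the
// NetBIOS domain prefix. This is an example construct, not a Grafana
// feature; Grafana's bind_dn is a single template string.
func ChooseBindName(login, netbiosDomain string) string {
	if IsUPN(login) {
		return login
	}
	return netbiosDomain + `\` + login
}

func main() {
	// The two configs from the comment, plus a filter that matches either attribute.
	byAccount := ServerConfig{BindDN: `DOMAIN\%s`, SearchFilter: "(sAMAccountName=%s)"}
	byUPN := ServerConfig{BindDN: "%s", SearchFilter: "(userPrincipalName=%s)"}
	either := ServerConfig{BindDN: "%s", SearchFilter: "(|(sAMAccountName=%s)(userPrincipalName=%s))"}

	// Constructed sample logins: the two from the comment and one injection attempt.
	for _, login := range []string{"pckls", "tom.pickles@example.org", "*)(objectClass=*"} {
		fmt.Printf("login %q\n", login)
		fmt.Printf("  sAMAccountName config:    bind %q  filter %s\n", byAccount.RenderBind(login), byAccount.RenderFilter(login))
		fmt.Printf("  userPrincipalName config: bind %q  filter %s\n", byUPN.RenderBind(login), byUPN.RenderFilter(login))
		fmt.Printf("  either-attribute filter:  %s\n", either.RenderFilter(login))
		fmt.Printf("  client-side bind choice:  %q\n", ChooseBindName(login, "DOMAIN"))
	}
}
```

Running it makes the mismatch visible: the `DOMAIN\%s` template turns a UPN into `DOMAIN\tom.pickles@example.org`, and the plain `%s` template sends a bare `pckls` with no realm, which is why each config only serves one login form. The injection line shows why the login must be escaped before it goes into the filter even when the bind step already authenticated the user.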
