Grafana LDAP Auth Mapping Prompt
Configure Grafana LDAP authentication with org membership and role mapping from directory groups, including Active Directory.
- Target user: Grafana admins integrating LDAP/AD
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior Grafana admin who integrates LDAP / Active Directory authentication with org and role mapping. I will provide:
- The directory type (OpenLDAP, Active Directory)
- The group DNs and desired role mapping
- Current ldap.toml and grafana.ini

Your job:
1. **Enable LDAP**:
   - Set `[auth.ldap] enabled = true` and point `config_file` at ldap.toml
   - Set `allow_sign_up = true` to auto-create users
2. **Configure the server block**:
   - `host`, `port`, `use_ssl`, `start_tls`, `ssl_skip_verify`
   - `bind_dn` and `bind_password` for the service account
   - `search_filter` (e.g. `(sAMAccountName=%s)` for AD)
   - `search_base_dns` for user search
3. **Map attributes**:
   - `[servers.attributes]` name, surname, username, member_of, email
   - For AD, `member_of = "memberOf"`
4. **Map groups to roles**:
   - `[[servers.group_mappings]]` with `group_dn` and `org_role`
   - Roles: Viewer, Editor, Admin, and `grafana_admin = true` for server admin
   - Order matters: first match wins, use `*` as a catch-all last
5. **Map to orgs**:
   - Set `org_id` per group mapping for multi-org setups
6. **Handle nested groups (AD)**:
   - Use `group_search_filter` with LDAP_MATCHING_RULE_IN_CHAIN if needed
7. **Test and roll out**:
   - Use `grafana-cli admin` / debug endpoint to test a login
   - Verify role sync happens on each login

Mark DESTRUCTIVE: a wrong catch-all mapping can grant Admin broadly; disabling other auth can lock everyone out; bind account lockout blocks all logins.

---
Directory type: [DESCRIBE]
Group DNs and roles: [DESCRIBE]
Current config: [DESCRIBE]
Why this prompt works
LDAP mapping in Grafana is order-sensitive and easy to get dangerously wrong — a stray * catch-all mapped to Admin hands the whole directory server-admin rights. This prompt structures the server block, attribute mapping, and group-to-role mapping with least-privilege ordering, plus the AD-specific memberOf and nested-group gotchas.
How to use it
- Wire the server block with a read-only bind account.
- Map attributes (AD uses `sAMAccountName`, `memberOf`).
- Order group mappings least-privilege first.
- Test a login before disabling other auth.
Useful commands
# Test LDAP config against a real user (debug endpoint)
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
http://grafana:3000/api/admin/ldap/status | jq
# Look up a specific user's LDAP mapping
curl -s -H "Authorization: Bearer $GRAFANA_TOKEN" \
http://grafana:3000/api/admin/ldap/jsmith | jq '.roles, .orgRoles'
# Reload LDAP config without a full restart (server-admin token required)
curl -s -X POST -H "Authorization: Bearer $GRAFANA_TOKEN" \
http://grafana:3000/api/admin/ldap/reload
# Otherwise restart:
systemctl restart grafana-server
# Validate the ldap.toml is picked up
grep -n "config_file" /etc/grafana/grafana.ini
# grafana.ini
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
Example config
# /etc/grafana/ldap.toml
[[servers]]
host = "ad.example.com"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false
bind_dn = "CN=grafana-svc,OU=Service,DC=example,DC=com"
bind_password = "${LDAP_BIND_PASSWORD}"
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["OU=Users,DC=example,DC=com"]
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"
# Least privilege first; catch-all Viewer last
[[servers.group_mappings]]
group_dn = "CN=grafana-admins,OU=Groups,DC=example,DC=com"
org_role = "Admin"
grafana_admin = true
[[servers.group_mappings]]
group_dn = "CN=sre,OU=Groups,DC=example,DC=com"
org_role = "Editor"
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
Common findings this catches
- Everyone is Admin → `*` catch-all mapped too high.
- No group memberships → wrong `member_of` attribute (AD needs `memberOf`).
- Cert errors → `use_ssl` without a valid CA, or `ssl_skip_verify` misused.
- Users not created → `allow_sign_up = false`.
- Login fails for all → bind account locked or wrong `bind_dn`.
- Nested AD groups missed → matching-rule-in-chain filter absent.
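As an added example (not code from the page or from Grafana itself), the script below models how Grafana walks `[[servers.group_mappings]]` in file order, keeping the first match per `org_id`, and lints a mapping list for the two catch-all mistakes above. The mapping list is constructed to mirror the example ldap.toml; the per-org first-match rule and the default `org_id = 1` are the assumptions it encodes.

```python
# Model of Grafana's ordered LDAP group_mappings: first match per org_id wins,
# so a misplaced '*' catch-all silently decides everyone's role.

# Constructed to mirror the example ldap.toml above; the DNs are made up.
GROUP_MAPPINGS = [
    {"group_dn": "CN=grafana-admins,OU=Groups,DC=example,DC=com",
     "org_role": "Admin", "grafana_admin": True},
    {"group_dn": "CN=sre,OU=Groups,DC=example,DC=com", "org_role": "Editor"},
    {"group_dn": "*", "org_role": "Viewer"},
]

def resolve_roles(member_of, mappings):
    """Return ({org_id: org_role}, grafana_admin) for a user's memberOf values.
    Walks mappings in file order; the first match for each org_id is kept and
    later matches for that org are ignored, which is why ordering matters."""
    groups = {dn.lower() for dn in member_of}      # DN comparison is case-insensitive
    org_roles, grafana_admin = {}, False
    for m in mappings:
        dn = m["group_dn"]
        if dn != "*" and dn.lower() not in groups:
            continue                                # user is not in this group
        org_id = m.get("org_id", 1)                 # assumption: org_id defaults to 1
        if org_id not in org_roles:
            org_roles[org_id] = m["org_role"]
            grafana_admin = grafana_admin or bool(m.get("grafana_admin", False))
    return org_roles, grafana_admin

def lint_mappings(mappings):
    """Flag a catch-all that grants Admin/server-admin, or one that is not last."""
    findings = []
    for i, m in enumerate(mappings):
        if m["group_dn"] != "*":
            continue
        if m["org_role"] == "Admin" or m.get("grafana_admin"):
            findings.append(f"mapping {i}: catch-all '*' grants {m['org_role']}"
                            f" (grafana_admin={bool(m.get('grafana_admin'))}) to every LDAP user")
        if i != len(mappings) - 1:
            findings.append(f"mapping {i}: catch-all '*' precedes {len(mappings) - i - 1}"
                            " mapping(s) that can never win for the same org")
    return findings

if __name__ == "__main__":
    sre = ["CN=sre,OU=Groups,DC=example,DC=com"]
    print(resolve_roles(sre, GROUP_MAPPINGS))           # ({1: 'Editor'}, False)
    swapped = [GROUP_MAPPINGS[2], GROUP_MAPPINGS[1], GROUP_MAPPINGS[0]]
    print(resolve_roles(sre, swapped))                  # ({1: 'Viewer'}, False)
    for line in lint_mappings(swapped):
        print("WARN", line)
```

Run it against a copy of your own mapping list before rolling out: the swapped ordering shows how moving the catch-all up turns an SRE's Editor role into Viewer without any error.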
When to escalate
- Directory schema questions — identity/AD team.
- Bind account rotation and secret management — security.
- Migration from LDAP to OIDC/SAML — architecture decision.