DevOps AI ToolKit

Grafana LDAP Auth Mapping Prompt

Configure Grafana LDAP authentication with org membership and role mapping from directory groups, including Active Directory.

Target user
Grafana admins integrating LDAP/AD
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior Grafana admin who integrates LDAP / Active Directory authentication with org and role mapping.

I will provide:
- The directory type (OpenLDAP, Active Directory)
- The group DNs and desired role mapping
- Current ldap.toml and grafana.ini

Your job:

1. **Enable LDAP**:
   - Set `[auth.ldap] enabled = true` and point `config_file` at ldap.toml
   - Set `allow_sign_up = true` to auto-create users
2. **Configure the server block**:
   - `host`, `port`, `use_ssl`, `start_tls`, `ssl_skip_verify`
   - `bind_dn` and `bind_password` for the service account
   - `search_filter` (e.g. `(sAMAccountName=%s)` for AD)
   - `search_base_dns` for user search
3. **Map attributes**:
   - `[servers.attributes]` name, surname, username, member_of, email
   - For AD, `member_of = "memberOf"`
4. **Map groups to roles**:
   - `[[servers.group_mappings]]` with `group_dn` and `org_role`
   - Roles: Viewer, Editor, Admin, and `grafana_admin = true` for server admin
   - Order matters: the first matching mapping wins per org, so list the specific high-privilege groups first and a `*` catch-all (Viewer) last; a user who matches no mapping at all is denied login rather than given a default role
5. **Map to orgs**:
   - Set `org_id` per group mapping for multi-org setups (defaults to 1; each org is resolved independently, first match per org)
6. **Handle nested groups (AD)**:
   - `memberOf` lists direct memberships only; to follow nesting, set `group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"` (LDAP_MATCHING_RULE_IN_CHAIN) together with `group_search_filter_user_attribute = "distinguishedName"` and `group_search_base_dns`
7. **Test and roll out**:
   - Dry-run a real user on the Server Admin > LDAP page or via `GET /api/admin/ldap/<username>` before disabling other auth methods
   - Verify role sync happens on each login (LDAP mappings overwrite manual role changes unless `skip_org_role_sync` is set)

Mark DESTRUCTIVE: a wrong catch-all mapping can grant Admin broadly; disabling other auth can lock everyone out; bind account lockout blocks all logins.

---

Directory type: [DESCRIBE]
Group DNs and roles: [DESCRIBE]
Current config: [DESCRIBE]

Why this prompt works

LDAP mapping in Grafana is order-sensitive and easy to get dangerously wrong: the first matching mapping wins per org, so a `*` catch-all placed above the specific groups flattens everyone to its role, and a `*` mapped to Admin (or carrying `grafana_admin = true`) hands every directory user org-admin or server-admin rights. This prompt structures the server block, attribute mapping, and group-to-role mapping with the specific groups first and the catch-all last, plus the AD-specific memberOf and nested-group gotchas.

How to use it

  1. Wire the server block with a read-only bind account.
  2. Map attributes (AD uses sAMAccountName, memberOf).
  3. Order group mappings most specific and highest-privilege first; the `*` Viewer catch-all last (first match per org wins).
  4. Test a login before disabling other auth.

Useful commands

# Check that Grafana can reach and bind to the configured LDAP servers.
# The LDAP debug endpoints need a Grafana server admin over basic auth;
# API keys and service-account tokens are not accepted here.
curl -s -u "$GRAFANA_ADMIN_USER:$GRAFANA_ADMIN_PASSWORD" \
  http://grafana:3000/api/admin/ldap/status | jq

# Dry-run one user: the org roles and server-admin flag Grafana would assign at login
curl -s -u "$GRAFANA_ADMIN_USER:$GRAFANA_ADMIN_PASSWORD" \
  http://grafana:3000/api/admin/ldap/jsmith | jq '.roles, .isGrafanaAdmin'

# Reload ldap.toml without restarting Grafana
curl -s -X POST -u "$GRAFANA_ADMIN_USER:$GRAFANA_ADMIN_PASSWORD" \
  http://grafana:3000/api/admin/ldap/reload
# Changes to grafana.ini itself still need a restart:
systemctl restart grafana-server

# Validate that grafana.ini points at the ldap.toml you edited
grep -n "config_file" /etc/grafana/grafana.ini

# grafana.ini
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true

Example config

# /etc/grafana/ldap.toml
[[servers]]
host = "ad.example.com"
port = 636
use_ssl = true
start_tls = false
ssl_skip_verify = false
# CA that signed the AD server certificate: the fix for cert errors, instead of ssl_skip_verify = true
root_ca_cert = "/etc/grafana/ad-ca.pem"
# Read-only service account; Grafana expands $__env{} / $__file{} here so the secret stays out of the file
bind_dn = "CN=grafana-svc,OU=Service,DC=example,DC=com"
bind_password = "$__env{LDAP_BIND_PASSWORD}"
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["OU=Users,DC=example,DC=com"]

# Nested AD groups: memberOf lists direct memberships only. Uncomment to have Grafana
# resolve groups through LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) instead.
# group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
# group_search_filter_user_attribute = "distinguishedName"
# group_search_base_dns = ["OU=Groups,DC=example,DC=com"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"

# First matching mapping per org wins: most specific, highest-privilege groups first;
# the "*" catch-all (Viewer) last, otherwise it shadows every mapping after it.
[[servers.group_mappings]]
group_dn = "CN=grafana-admins,OU=Groups,DC=example,DC=com"
org_role = "Admin"
grafana_admin = true
org_id = 1

[[servers.group_mappings]]
group_dn = "CN=sre,OU=Groups,DC=example,DC=com"
org_role = "Editor"
org_id = 1

[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
org_id = 1
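The first-match rule behind the ordering advice is easy to get wrong on paper, so here is a dry-run of it in Python (an added example, not code from this page or from Grafana). It reimplements how Grafana resolves `[[servers.group_mappings]]` against a user's memberOf list: first match per org_id, `*` matching everyone, DNs compared case-insensitively, and login denied when mappings exist but none match. It also lints a mapping table for the two classic mistakes, a catch-all mapped above Viewer and mappings shadowed by an earlier catch-all. The mapping tables and memberOf lists are constructed inline to mirror the example config above plus one assumed org-2 mapping; nothing is read from ldap.toml or the directory, and the user DNs and the contractors group are assumptions.

```python
# Dry-run of Grafana's LDAP group -> role resolution (first match per org wins).
# Added example: mapping tables are constructed to mirror the page's ldap.toml
# group_mappings, not loaded from the file; user DNs below are assumptions.
from dataclasses import dataclass

# Rank used only by the linter to tell "catch-all mapped too high" from "catch-all Viewer".
ROLE_RANK = {"None": 0, "Viewer": 1, "Editor": 2, "Admin": 3}


@dataclass(frozen=True)
class GroupMapping:
    group_dn: str
    org_role: str
    org_id: int = 1            # Grafana defaults org_id to 1 when omitted
    grafana_admin: bool = False


def is_member_of(member_of, group_dn):
    """'*' matches every user; otherwise DNs compare case-insensitively, as in Grafana."""
    if group_dn == "*":
        return True
    return any(g.lower() == group_dn.lower() for g in member_of)


def resolve(member_of, mappings):
    """Return (org_roles, grafana_admin, allowed) for one user's memberOf list.

    Mappings are evaluated in file order; the first one that matches for a
    given org_id wins and later mappings for that org are ignored. If mappings
    exist but none match, Grafana rejects the login outright (allowed=False).
    """
    org_roles = {}
    grafana_admin = False
    for m in mappings:
        if m.org_id in org_roles:
            continue                      # this org is already decided
        if is_member_of(member_of, m.group_dn):
            org_roles[m.org_id] = m.org_role
            grafana_admin = grafana_admin or m.grafana_admin
    allowed = not mappings or bool(org_roles)
    return org_roles, grafana_admin, allowed


def lint(mappings):
    """Pre-rollout findings: over-privileged catch-alls, and mappings that can
    never fire because an earlier '*' for the same org already decides it."""
    findings = []
    catch_all_seen = set()
    for i, m in enumerate(mappings):
        if m.org_id in catch_all_seen:
            findings.append(f"mapping {i} ({m.group_dn!r}, org {m.org_id}) is unreachable: "
                            f"an earlier '*' mapping already decides org {m.org_id}")
        if m.group_dn == "*":
            if m.grafana_admin:
                findings.append(f"mapping {i}: '*' grants grafana_admin to every directory user")
            elif ROLE_RANK.get(m.org_role, 0) > ROLE_RANK["Viewer"]:
                findings.append(f"mapping {i}: '*' grants {m.org_role} to every directory user")
            catch_all_seen.add(m.org_id)
    return findings


ADMINS = "CN=grafana-admins,OU=Groups,DC=example,DC=com"
SRE = "CN=sre,OU=Groups,DC=example,DC=com"

# The page's mappings in the intended order, plus an assumed second org resolved independently.
GOOD = [
    GroupMapping(ADMINS, "Admin", grafana_admin=True),
    GroupMapping(SRE, "Editor"),
    GroupMapping("*", "Viewer"),
    GroupMapping(SRE, "Admin", org_id=2),
]
# Same entries with the catch-all moved first: everyone in org 1, admins included, becomes Viewer.
VIEWER_FIRST = [GOOD[2], GOOD[0], GOOD[1], GOOD[3]]
# Catch-all mapped too high: every directory user is org Admin.
STAR_ADMIN = [GroupMapping("*", "Admin")]

# Constructed memberOf values; the lowercase DN shows the case-insensitive match.
ADMIN_USER = ["cn=grafana-admins,ou=groups,dc=example,dc=com", SRE]
CONTRACTOR = ["CN=contractors,OU=Groups,DC=example,DC=com"]

if __name__ == "__main__":
    for label, table in (("good", GOOD), ("viewer-first", VIEWER_FIRST), ("star-admin", STAR_ADMIN)):
        print(label, resolve(ADMIN_USER, table), resolve(CONTRACTOR, table), lint(table))
    # No catch-all at all: a user outside every mapped group is denied, not defaulted.
    print("no-catch-all", resolve(CONTRACTOR, GOOD[:2]))
```

Run it as-is to see the three tables side by side: `VIEWER_FIRST` collapses the admin to Viewer in org 1 while org 2 is unaffected, `STAR_ADMIN` is flagged by the linter, and `GOOD[:2]` (no `*` line) shows the other failure mode, a user who matches nothing is denied login rather than given a default role. Check the same users against the real server with `GET /api/admin/ldap/<username>` before removing other auth methods.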

Common findings this catches

  • Everyone is Admin → `*` catch-all mapped to Admin, or carrying grafana_admin = true.
  • Admins land as Viewer → `*` catch-all listed before the specific groups (first match per org wins).
  • No group memberships → wrong member_of attribute (AD needs memberOf).
  • Cert errors → use_ssl without the signing CA in root_ca_cert, or ssl_skip_verify misused to paper over it.
  • Users not created → allow_sign_up = false.
  • Login fails for all → bind account locked or wrong bind_dn.
  • Login fails for some → user matches no mapping and there is no catch-all (Grafana denies the login).
  • Nested AD groups missed → matching-rule-in-chain group_search_filter absent.

When to escalate

  • Directory schema questions — identity/AD team.
  • Bind account rotation and secret management — security.
  • Migration from LDAP to OIDC/SAML — architecture decision.
