Grafana LDAP & Active Directory Authentication on Windows
Configure Grafana to authenticate users against Windows Active Directory or any LDAP server. Covers ldap.toml setup, group-to-role mapping, debugging LDAP connections and common AD configuration patterns.
Prerequisites
- Grafana running on Windows (see Install as Service)
- Access to an Active Directory domain controller or LDAP server
- A read-only service account in AD for LDAP bind (recommended)
- Grafana OSS supports basic LDAP; Grafana Enterprise adds team sync and enhanced LDAP features
LDAP authentication is available in Grafana OSS. For Active Directory group sync to Grafana Teams, Grafana Enterprise is required.
Step 1 — Enable LDAP in grafana.ini
[auth.ldap]
enabled = true
config_file = C:\Program Files\GrafanaLabs\grafana\conf\ldap.toml
allow_sign_up = true
Restart Grafana after editing grafana.ini.
Step 2 — Create ldap.toml for Active Directory
Create C:\Program Files\GrafanaLabs\grafana\conf\ldap.toml with the following content. Adjust values for your domain:
[[servers]]
# Domain controller address and port (389 LDAP, 636 LDAPS)
host = "dc01.yourdomain.local"
port = 389
use_ssl = false
start_tls = false
ssl_skip_verify = false
# Bind DN — use a dedicated read-only service account
bind_dn = "CN=svc-grafana,OU=ServiceAccounts,DC=yourdomain,DC=local"
bind_password = "ServiceAccountPassword"
# Base DN for user search
search_base_dns = ["OU=Users,DC=yourdomain,DC=local"]
# Filter to match users (objectClass=person for AD)
search_filter = "(&(objectClass=person)(sAMAccountName=%s))"
# Attribute mappings
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"
# Group to Grafana role mappings
[[servers.group_mappings]]
group_dn = "CN=Grafana-Admins,OU=Groups,DC=yourdomain,DC=local"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "CN=Grafana-Editors,OU=Groups,DC=yourdomain,DC=local"
org_role = "Editor"
[[servers.group_mappings]]
# Fallback — any authenticated AD user gets Viewer role
group_dn = "*"
org_role = "Viewer"
Secure LDAP (LDAPS) on port 636
For production, use LDAPS to encrypt directory queries:
[[servers]]
host = "dc01.yourdomain.local"
port = 636
use_ssl = true
start_tls = false
# If using a private CA, specify the root cert:
root_ca_cert = "C:\certs\your-ca.crt"
# Or skip verification for internal CAs (not recommended for production):
# ssl_skip_verify = true
Step 3 — Restart and test
# Restart Grafana to load new LDAP config
Restart-Service -Name "Grafana"
# Test LDAP login from the Grafana CLI
cd "C:\Program Files\GrafanaLabs\grafana\bin"
.\grafana-cli.exe admin user-manager ldap-test --name "testuser"
Try logging in to Grafana with an Active Directory username (just the username, not the full UPN). If login fails, check the Grafana log:
Get-Content "C:\Program Files\GrafanaLabs\grafana\data\log\grafana.log" -Tail 30 | Select-String "ldap"
Troubleshooting LDAP
Enable LDAP debug logging
[log]
filters = ldap:debug
Common errors
- Invalid credentials: Check bind_dn format — use full Distinguished Name, not UPN. Verify the bind password.
- No such object: The search_base_dns path doesn't exist. Verify the OU path in Active Directory Users and Computers.
- Connection refused: Port 389 or 636 is blocked. Add a Windows Firewall outbound rule or check AD firewall settings.
- User logs in but gets wrong role: Check group_mappings — the group DN must be the full Distinguished Name of the AD group.
Test LDAP connectivity from PowerShell
# Test LDAP port is reachable
Test-NetConnection -ComputerName dc01.yourdomain.local -Port 389
# Basic LDAP query using .NET
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = "LDAP://DC=yourdomain,DC=local"
$searcher.Filter = "(sAMAccountName=testuser)"
$result = $searcher.FindOne()
$result.Properties
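The DirectorySearcher query above runs as the logged-on Windows user, so it cannot tell you whether the service account, the LDAPS certificate or the group mappings in ldap.toml are right. The following PowerShell is an added example (not from this page or from Grafana) that reproduces what Grafana does at login: bind as bind_dn over LDAPS with certificate validation, search the test user with the same search_filter and search_base_dns, then replay the group_mappings in order (Grafana uses the first match). Host, DNs and the user name are the page's placeholders; the function name and parameters are hypothetical.

```powershell
# Added example: exercise ldap.toml settings with System.DirectoryServices.Protocols.
# Values default to the placeholders used in ldap.toml above; replace them for your domain.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-GrafanaLdapConfig {
    param(
        [string]$DcHost = "dc01.yourdomain.local",
        [int]$Port = 636,
        [string]$BindDn = "CN=svc-grafana,OU=ServiceAccounts,DC=yourdomain,DC=local",
        [Parameter(Mandatory)][string]$BindPassword,
        [string]$SearchBase = "OU=Users,DC=yourdomain,DC=local",
        [string]$TestUser = "testuser",
        # Same order as the [[servers.group_mappings]] blocks: first matching mapping wins.
        [hashtable[]]$GroupMappings = @(
            @{ group_dn = "CN=Grafana-Admins,OU=Groups,DC=yourdomain,DC=local";  org_role = "Admin" },
            @{ group_dn = "CN=Grafana-Editors,OU=Groups,DC=yourdomain,DC=local"; org_role = "Editor" },
            @{ group_dn = "*"; org_role = "Viewer" }
        )
    )
    # LDAPS on 636 with the DC certificate validated by Windows, i.e. use_ssl = true and
    # ssl_skip_verify = false. A certificate error here means Grafana will need root_ca_cert.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcHost, $Port, $true, $false)
    $cred = New-Object System.Net.NetworkCredential($BindDn, $BindPassword)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred,
                [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.Bind()   # throws LdapException (result 49 = invalid credentials) if bind_dn/bind_password are wrong

    # Same filter, base and attributes as ldap.toml, so a miss here is a miss for Grafana too.
    $filter = "(&(objectClass=person)(sAMAccountName=$TestUser))"
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($SearchBase, $filter,
                [System.DirectoryServices.Protocols.SearchScope]::Subtree, @("sAMAccountName", "mail", "memberOf"))
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -eq 0) { throw "No entry for $TestUser under $SearchBase (check search_base_dns)" }
    $entry  = $resp.Entries[0]
    $groups = @()
    if ($entry.Attributes.Contains("memberOf")) { $groups = $entry.Attributes["memberOf"].GetValues([string]) }

    # Replay group_mappings: the first mapping whose group_dn is in memberOf (or is "*") decides the role.
    $role = "no mapping matched"
    foreach ($m in $GroupMappings) {
        if ($m.group_dn -eq "*" -or ($groups -contains $m.group_dn)) { $role = $m.org_role; break }
    }
    [pscustomobject]@{ User = $TestUser; DN = $entry.DistinguishedName; Groups = $groups; GrafanaRole = $role }
}

# Usage: Test-GrafanaLdapConfig -BindPassword (Read-Host "svc-grafana password")
```

If the reported GrafanaRole differs from what the user gets in Grafana, compare the DNs in Groups against the group_dn values character by character; nested AD group membership is not expanded by memberOf, so a user who is only an indirect member of Grafana-Admins will not match that mapping.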