How to configure LDAP authentication in Grafana

Configuring LDAP authentication lets a self-hosted Grafana server accept directory usernames and passwords instead of only local Grafana accounts. Directory login keeps password policy and account lifecycle in the LDAP server while Grafana still controls dashboards, folders, data sources, and organization roles.

Packaged Linux installs read LDAP settings through two configuration layers. /etc/grafana/grafana.ini enables the LDAP authenticator, and /etc/grafana/ldap.toml defines the directory host, bind account, user search, attributes, and group mappings.

Debian, Ubuntu, and RPM package installs commonly run Grafana as the grafana-server systemd service with configuration under /etc/grafana. Restart Grafana after changing /etc/grafana/ldap.toml, because Grafana reads the LDAP file during startup. When allow_sign_up is enabled, the first successful LDAP login creates the corresponding Grafana user.

Steps to configure Grafana LDAP authentication:

  1. Collect the LDAP directory values before editing Grafana.

    Prepare the directory hostname, encrypted port, bind DN, bind password, user search filter, user search base, group DNs, and the LDAP attributes that hold username, email, name, and group membership. The sample values use ldap.example.net and dc=example,dc=net placeholders.

  2. Open the Grafana main configuration file.
    $ sudoedit /etc/grafana/grafana.ini
  3. Enable LDAP authentication in Grafana.
    /etc/grafana/grafana.ini
    [auth.ldap]
    enabled = true
    config_file = /etc/grafana/ldap.toml
    allow_sign_up = true

    Set allow_sign_up to false only when matching Grafana users already exist. With true, Grafana creates the local user after successful LDAP authentication.

  4. Open the LDAP-specific configuration file.
    $ sudoedit /etc/grafana/ldap.toml
  5. Add the LDAP server, attribute, and group mapping settings.
    /etc/grafana/ldap.toml
    [[servers]]
    host = "ldap.example.net"
    port = 636
    use_ssl = true
    start_tls = false
    ssl_skip_verify = false
    bind_dn = "cn=grafana-reader,ou=service-accounts,dc=example,dc=net"
    bind_password = "replace-with-bind-password"
    search_filter = "(uid=%s)"
    search_base_dns = ["ou=people,dc=example,dc=net"]

    [servers.attributes]
    name = "givenName"
    surname = "sn"
    username = "uid"
    member_of = "memberOf"
    email = "mail"

    [[servers.group_mappings]]
    group_dn = "cn=grafana-admins,ou=groups,dc=example,dc=net"
    org_role = "Admin"
    grafana_admin = true

    [[servers.group_mappings]]
    group_dn = "cn=grafana-editors,ou=groups,dc=example,dc=net"
    org_role = "Editor"

    [[servers.group_mappings]]
    group_dn = "*"
    org_role = "Viewer"

    For Active Directory, the search filter is usually (sAMAccountName=%s) and the email attribute is usually mail. For STARTTLS on port 389, keep use_ssl = true and set start_tls = true.

  6. Set the LDAP file group to the Grafana service group.
    $ sudo chown root:grafana /etc/grafana/ldap.toml
  7. Limit the LDAP file permissions to root and Grafana.
    $ sudo chmod 0640 /etc/grafana/ldap.toml

    The file contains a bind password unless the value is moved to Grafana environment-variable expansion such as ${LDAP_BIND_PASSWORD}. Do not make /etc/grafana/ldap.toml world-readable.

  8. Restart the Grafana service.
    $ sudo systemctl restart grafana-server
  9. Confirm that Grafana is active after the restart.
    $ sudo systemctl is-active grafana-server
    active
  10. Confirm that Grafana loaded the LDAP file.
    $ sudo journalctl --unit=grafana-server --grep='LDAP enabled' --no-pager
    Jun 19 22:25:28 grafana.example.net grafana[1428]: logger=ldap level=info msg="LDAP enabled, reading config file" file=/etc/grafana/ldap.toml

    This log line appears when LDAP is enabled and Grafana can read the configured /etc/grafana/ldap.toml path.

  11. Sign in to Grafana with an LDAP username and password.
  12. Look up the LDAP-created user from a Grafana admin account.
    $ curl -sS -u admin "https://grafana.example.net/api/users/lookup?loginOrEmail=alice"
    Enter host password for user 'admin':
    {"id":2,"email":"alice@example.net","name":"Alice Example","login":"alice","orgId":1,"isGrafanaAdmin":false,"authLabels":["LDAP"]}

    Replace alice with a user who has already signed in once. The authLabels field shows LDAP when the account came through LDAP authentication.
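Before the restart in step 8, it helps to audit the settings written in step 5 for the weaknesses the configuration above is built to avoid: cleartext LDAP, skipped certificate verification, a bind password still set to the placeholder, and a catch-all group mapping that grants more than Viewer. The following Python script is an added example, not Grafana's own tooling; its rules, the audit_ldap_servers and audit_ldap_file function names and the SAMPLE dictionary are assumptions constructed for this page, and audit_ldap_file needs Python 3.11 or newer for tomllib.

```python
# Added example (not Grafana's own code): audit the [[servers]] entries of ldap.toml
# for the weak settings this page warns about, before restarting grafana-server.
# The rule set and the constructed SAMPLE below are assumptions for illustration.

PLACEHOLDER_PASSWORDS = {"", "replace-with-bind-password", "changeme", "password"}

def audit_ldap_servers(servers):
    """Return findings (strings) for parsed [[servers]] tables; [] means clean."""
    findings = []
    if not servers:
        return ["no [[servers]] entry configured"]
    for idx, srv in enumerate(servers):
        tag = f"servers[{idx}] host={srv.get('host', '?')}"
        if not srv.get("use_ssl", False):
            findings.append(f"{tag}: use_ssl is false, bind and user passwords travel in cleartext")
        elif srv.get("port") == 389 and not srv.get("start_tls", False):
            findings.append(f"{tag}: port 389 with use_ssl but start_tls = false, set start_tls = true")
        if srv.get("ssl_skip_verify", False):
            findings.append(f"{tag}: ssl_skip_verify is true, the directory certificate is not validated")
        if srv.get("bind_password", "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"{tag}: bind_password is empty or still a placeholder")
        if "%s" not in srv.get("search_filter", ""):
            findings.append(f"{tag}: search_filter has no %s, so the login name is not used in the search")
        for m in srv.get("group_mappings", []):
            if m.get("group_dn") == "*" and (m.get("org_role") != "Viewer" or m.get("grafana_admin")):
                findings.append(f"{tag}: catch-all group_dn '*' grants {m.get('org_role')}; keep it at Viewer")
    return findings

def audit_ldap_file(path="/etc/grafana/ldap.toml"):
    """Parse a real ldap.toml (tomllib, Python 3.11+, imported lazily) and audit it."""
    import tomllib
    with open(path, "rb") as fh:
        return audit_ldap_servers(tomllib.load(fh).get("servers", []))

# Constructed sample: the page's layout with the placeholder bind password kept and certificate checks off.
SAMPLE = [{
    "host": "ldap.example.net", "port": 636, "use_ssl": True, "start_tls": False,
    "ssl_skip_verify": True, "bind_dn": "cn=grafana-reader,ou=service-accounts,dc=example,dc=net",
    "bind_password": "replace-with-bind-password", "search_filter": "(uid=%s)",
    "search_base_dns": ["ou=people,dc=example,dc=net"],
    "group_mappings": [
        {"group_dn": "cn=grafana-admins,ou=groups,dc=example,dc=net", "org_role": "Admin", "grafana_admin": True},
        {"group_dn": "*", "org_role": "Viewer"},
    ],
}]

if __name__ == "__main__":
    for line in audit_ldap_servers(SAMPLE):
        print(line)
```

Run it as root against the real file with audit_ldap_file() once ldap.toml is in place; an empty list means none of the rules fired.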