Not Able to Login in Grafana Using Cloudron LDAP

nebulon

Is this error shown in the UI, are there any error logs in the browser or the app on the server side?

arshsahzad

Hi @nebulon,

Below is the error while I'm trying to login in to Grafana, Actually at the time of setup of Grafana, I did change the default username (admin) and password as to the LDAP user

May 08 20:43:48 ERROR[05-08|15:13:48] Error while trying to authenticate user logger=context userId=0 orgId=0 uname= error="cannot remove last grafana admin" remote_addr=172.71.198.118 traceID=

May 08 20:43:48 ERROR[05-08|15:13:48] Request Completed logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=172.71.198.118 time_ms=166 duration=166.861445ms size=66 referer=https://grafana.example.com/login handler=/login

nebulon

Oh so those user mapping topics are often a mess and its best to not change the username of the pre-setup admin but only set it to a strong password.

If you have not changed the admin password before, can you try user username with password "admin" if that works, then add a new admin in the UI (say with username "admin") then your ldap user will be able to login again, but will get initially demoted to non-admin.

Jan Macenka

Same issues here. I tracked it down somewhat in the Log-Files while restoring to some older backuped versions.

In App-Version v1.16.4 things seemed to be working v1.17 seems to be boroken. However even in v1.16.4 there was this behavior in the logs:

In the more extensive log-files there was this:

And in an earlier version, I found this:

To me this looks like there were some breaking-changes in how LDAP is handled or how required resources are loaded.

@nebulon could you look into that? If required, shoot me a message and I can give access to my instance for further review.

My current "quick fix" is to restore to a backup of at v1.16.4 and disable automatic updates, though this should only be a short-term work-a-round.

girish

@Jan-Macenka The undefined stuff is not an issue, it is just some spurious logs. We already removed them last week. The AWS migration notice is also not an issue. This comes from AWS Module, this is also getting replaced next release.

Would like to debug this further though, because I can't reproduce it with latest grafana atleast.

girish

@Jan-Macenka also, did you change the admin username by any chance?

Jan Macenka

@girish as a fist measure, I changed the password for admin/admin, later I gave Server-Admin Priviledges to my primary LDAP profile and deleted the admin-user as I viewed it only as a potential security-risk. Is there a need to keep this local user around?
Also I activated Support-Access inkl. SSH access, should you want to dig around some more.

nebulon

So the issue is, that the app for some reason demotes the LDAP user after login, while it syncs other properties. And since that user is currently the only admin left, it errors so it is not left without an admin.

For a start you have to add a local admin and then we have to see why the LDAP login demotes the user also.

Jan Macenka

@nebulon I re-created the local admin-user and set it to disabled. Re-ran the upgrade to version v1.17 and the first login afterwards worked. However for some reason the login started failing only some time after the update, so I'll check it over the next days.

Thanks for the ad-hoc debugging! I deactivated remote SSH access again.

Update:

After checking the User-Management, the Permission system appears to have changed because I get notifications of insufficient rights:

Also my Organisations seem to be gone or at the least I lack the rights to view them.

Jan Macenka

I did not finaly figure out what it was but was able to revert back to a backup-state that worked.
Ended up just creating a new Grafana App and manually transfered all settings. Not it appears to be working fine.
So probably I screwed up somewhere but it does not seem to be a bigger Application issue.