error =「Ldap搜索匹配不止一個條目，請檢查您的過濾器設置」與Grafana LDAP

Question

我正在使用Grafana 4.2.0。我正在嘗試將LDAP功能集成到應用程序中。我有一個在LDAP中創建的用戶ldapuser1，但是當我嘗試使用此用戶名登錄到Grafana時，出現錯誤，因爲「error =」Ldap搜索匹配了多個條目，請檢查您的過濾器設置「」

從grafana.log錯誤信息如下：

t=2017-05-26T05:59:28-0700 lvl=eror msg="Error while trying to authenticate user" logger=context userId=0 orgId=0 uname= error="Ldap search matched more than one entry, please review your filter setting" 
t=2017-05-26T05:59:28-0700 lvl=eror msg="Request Completed" logger=context userId=0 orgId=0 uname= method=POST path=/login status=500 remote_addr=127.0.0.1 time_ms=68ns size=53 

請找到ldap.toml文件下面，供大家參考

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini 
# [log] 
verbose_logging = true 

# filters = ldap:debug 

[[servers]] 
# Ldap server host (specify multiple hosts space separated) 
host = "127.0.0.1" 
# Default port is 389 or 636 if use_ssl = true 
port = 389 
# Set to true if ldap server supports TLS 
use_ssl = false 
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS) 
start_tls = false 
# set to true if you want to skip ssl cert validation 
ssl_skip_verify = false 
# set to the path to your root CA certificate or leave unset to use system defaults 
# root_ca_cert = /path/to/certificate.crt 

# Search user bind dn 
bind_dn = "dc=cloudera,dc=com" 
# Search user bind password 
bind_password = 'cloudera' 

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)" 
search_filter = "(uid=%s)" 

# An array of base dns to search through 
search_base_dns = ["dc=cloudera,dc=com"] 

# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups. 
# This is done by enabling group_search_filter below. You must also set member_of= "cn" 
# in [servers.attributes] below. 

# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN 
# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of 
# below in such a way that the user's recursive group membership is considered. 
# 
# Nested Groups + Active Directory (AD) Example: 
# 
# AD groups store the Distinguished Names (DNs) of members, so your filter must 
# recursively search your groups for the authenticating user's DN. For example: 
# 
#  group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)" 
#  group_search_filter_user_attribute = "distinguishedName" 
#  group_search_base_dns = ["ou=groups,dc=grafana,dc=org"] 
# 
#  [servers.attributes] 
#  member_of = "distinguishedName" 

## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available) 
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))" 
## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter. 
## Defaults to the value of username in [server.attributes] 
## Valid options are any of your values in [servers.attributes] 
## If you are using nested groups you probably want to set this and member_of in 
## [servers.attributes] to "distinguishedName" 
# group_search_filter_user_attribute = "distinguishedName" 
## An array of the base DNs to search through for groups. Typically uses ou=groups 
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"] 

# Specify names of the ldap attributes your ldap uses 
[servers.attributes] 
name = "ldapuser1" 
surname = "ldapuser1" 
username = "ldapuser1" 
#member_of = "People" 
email = "ldapuser1@cloudera.com" 

# Map ldap groups to grafana org roles 
[[servers.group_mappings]] 
group_dn = "cn=admins,dc=grafana,dc=org" 
org_role = "Admin" 
# The Grafana organization database id, optional, if left out the default org (id 1) will be used 
# org_id = 1 

[[servers.group_mappings]] 
group_dn = "cn=users,dc=grafana,dc=org" 
org_role = "Editor" 

[[servers.group_mappings]] 
# If you want to match all (or no ldap groups) then you can use wildcard 
group_dn = "*" 
org_role = "Viewer" 

還請找到LDAP搜索命令以及

結果如下

ldapsearch -x -b "dc=cloudera,dc=com" | less 

# extended LDIF 
# 
# LDAPv3 
# base <dc=cloudera,dc=com> with scope subtree 
# filter: (objectclass=*) 
# requesting: ALL 
# 

# cloudera.com 
dn: dc=cloudera,dc=com 
dc: cloudera 
objectClass: top 
objectClass: domain 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# Hosts, cloudera.com 
dn: ou=Hosts,dc=cloudera,dc=com 
ou: Hosts 
objectClass: top 
objectClass: organizationalUnit 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# Rpc, cloudera.com 
dn: ou=Rpc,dc=cloudera,dc=com 
ou: Rpc 
objectClass: top 
objectClass: organizationalUnit 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# Services, cloudera.com 
dn: ou=Services,dc=cloudera,dc=com 
ou: Services 
objectClass: top 
objectClass: organizationalUnit 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# netgroup.byuser, cloudera.com 
dn: nisMapName=netgroup.byuser,dc=cloudera,dc=com 
nisMapName: netgroup.byuser 
objectClass: top 
objectClass: nisMap 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# Mounts, cloudera.com 
dn: ou=Mounts,dc=cloudera,dc=com 
ou: Mounts 
objectClass: top 
objectClass: organizationalUnit 
associatedDomain: cloudera.com 

# Networks, cloudera.com 
dn: ou=Networks,dc=cloudera,dc=com 
ou: Networks 
objectClass: top 
objectClass: organizationalUnit 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# People, cloudera.com 
dn: ou=People,dc=cloudera,dc=com 
ou: People 
objectClass: top 
objectClass: organizationalUnit 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# Groups, cloudera.com 
dn: ou=Groups,dc=cloudera,dc=com 
ou: Groups 
objectClass: top 
objectClass: organizationalUnit 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# Netgroup, cloudera.com 
dn: ou=Netgroup,dc=cloudera,dc=com 
ou: Netgroup 
objectClass: top 
objectClass: organizationalUnit 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# Protocols, cloudera.com 
dn: ou=Protocols,dc=cloudera,dc=com 
ou: Protocols 
objectClass: top 
objectClass: organizationalUnit 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# Aliases, cloudera.com 
dn: ou=Aliases,dc=cloudera,dc=com 
ou: Aliases 
objectClass: top 
objectClass: organizationalUnit 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# netgroup.byhost, cloudera.com 
dn: nisMapName=netgroup.byhost,dc=cloudera,dc=com 
nisMapName: netgroup.byhost 
objectClass: top 
objectClass: nisMap 
objectClass: domainRelatedObject 
associatedDomain: cloudera.com 

# ldapuser1, People, cloudera.com 
dn: uid=ldapuser1,ou=People,dc=cloudera,dc=com 
uid: ldapuser1 
cn: ldapuser1 
sn: ldapuser1 
mail: ldapuser1@cloudera.com 
objectClass: person 
objectClass: organizationalPerson 
objectClass: inetOrgPerson 
objectClass: posixAccount 
objectClass: top 
objectClass: shadowAccount 
userPassword:: e2NyeXB0fSQ2JHUxVTE3SnR4JEN1a05HeEZXYmIyOG9NckRyRkpJeEQuR3ZjYmd 
jWXd2WFlrMGtTRE1YZW9zOEZVSVE3dUdYdkxsS3E3aTd5MnVIS1lpSnEzZnU5N0paWmE0SWlZNUcx 
shadowLastChange: 17309 
shadowMin: 0 
shadowMax: 99999 
shadowWarning: 7 
loginShell: /bin/bash 
uidNumber: 502 
gidNumber: 504 
homeDirectory: /home/guests/ldapuser1 

# ldapuser2, People, cloudera.com 
dn: uid=ldapuser2,ou=People,dc=cloudera,dc=com 
uid: ldapuser2 
cn: ldapuser2 
sn: ldapuser2 
mail: ldapuser2@cloudera.com 
objectClass: person 
objectClass: organizationalPerson 
objectClass: inetOrgPerson 
objectClass: posixAccount 
objectClass: top 
objectClass: shadowAccount 
userPassword:: e2NyeXB0fSQ2JFplS3VyRllaJG9VSmVGNktTRThiQWZWem1rVk8wMGNGUjQyUWt 
oT0ZuZVpVc1IzUG51c0R2eXZubXJEN3dDU2tPOC9sb2dIeHRSSGxZVVp3dTlIZXpEd3QxVHhKRjAw 
shadowLastChange: 17309 
shadowMin: 0 
shadowMax: 99999 
shadowWarning: 7 
loginShell: /bin/bash 
uidNumber: 503 
gidNumber: 505 
homeDirectory: /home/guests/ldapuser2 

# ldapuser1, Groups, cloudera.com 
dn: cn=ldapuser1,ou=Groups,dc=cloudera,dc=com 
objectClass: posixGroup 
objectClass: top 
cn: ldapuser1 
userPassword:: e2NyeXB0fXg= 
gidNumber: 504 

# ldapuser2, Groups, cloudera.com 
dn: cn=ldapuser2,ou=Groups,dc=cloudera,dc=com 
objectClass: posixGroup 
objectClass: top 
cn: ldapuser2 
userPassword:: e2NyeXB0fXg= 
gidNumber: 505 

# search result 
search: 2 
result: 0 Success 

# numResponses: 18 
# numEntries: 17 

我使用本地OpenLDAP服務器。我無法弄清楚問題的根源。我是LDAP新手，並且第一次配置它。

Answer 1

您有兩個分別ldapuser1和ldapuser2條目（一個用戶和一個組的每個）。在cn = ldapuser1上搜索時，即使它們具有不同的dns，openldap也無法區分這兩個條目。您需要搜索所有條目中獨一無二的內容。

我看到兩個選項：

1）尋找一個獨特的屬性，如UID。這將找到uid = ldapuser1，ou = People，dc = cloudera，dc = com但不是cn = ldapuser1，ou = Groups，dc = cloudera，dc = com因爲該組沒有uid。

2）改變的搜索過濾器，以僅包含用戶，例如。 （&（objectClass = inetOrgPerson）（cn =％s））

Answer 2

第一個問題似乎是您的Grafana LDAP配置。讓我們從頭到尾瀏覽TOML文件。

綁定請求用於由LDAP服務器發起認證。對於簡單綁定，我們需要用戶的專有名稱（dn）和密碼。由於您希望允許用戶顯示用戶標識符（uid）而不是可分辨名稱，因此Grafana必須通過搜索目錄將uid映射到dn。 bind-dn是指Grafana將用來檢索認證用戶的專有名稱（dn）的用戶帳戶。這絕對不是命名上下文dc=cloudera,dc=com，而是一個現有的用戶條目。

科servers.attributes允許你映射Grafana內部名稱與實際的LDAP屬性類型名稱。我建議以下映射，即使您沒有添加givenName到用戶的條目，但：

name = givenName 
surname = sn 
username = uid 
email = mail 

組映射針對用戶授權。每個group_dn必須引用目錄中的現有用戶組。一個小組的成員被分配一定的預定義的Grafana角色。你的樣本組是沒用的，因爲它們錯過了任何成員屬性。

此外，確保調整group_dn的（...，DC = grafana，DC = ORG）到LDAP上下文（DC = Cloudera公司，DC = COM）。