Logging into Grafana web UI with correct LDAP credentials fails with "Invalid username or password"
search cancel

Logging into Grafana web UI with correct LDAP credentials fails with "Invalid username or password"

book

Article ID: 422193

calendar_today

Updated On:

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

The LDAP Grafana Authentication method is enabled on Healthwatch tile Settings. When attempting to log into Grafana web UI with correct credentials in LDAP server, it complains "Invalid username or password" as show by below image.

And the warning message like "User does not belong in any of the specified LDAP groups" is also observed in file /var/vcap/sys/log/grafana/grafana.log on grafana instance of the Healthwatch deployment. For example,

logger=ldap t=2026-01-06T06:24:16.606008729Z level=info msg="Searching for user's groups" filter="(&(objectClass=posixGroup)(memberUid=adminc))"
logger=ldap t=2026-01-06T06:24:16.607057032Z level=warn msg="User does not belong in any of the specified LDAP groups" username=adminc groups=[......]
logger=authn.service t=2026-01-06T06:24:16.626244041Z level=warn msg="Failed to authenticate request" client=auth.client.form error="[password-auth.failed] failed to authenticate identity: [password-auth.invalid] invalid password: invalid username or password\n[identity.not-found] no user fund: user not found"
logger=context userId=0 orgId=0 uname= t=2026-01-06T06:24:16.62668472Z level=info msg="Bad request" error="[password-auth.failed] failed to authenticate identity: [password-auth.invalid] invalid password: invalid username or password\n[identity.not-found] no user fund: user not found" remote_addr=##.##.##.## traceID=
logger=context userId=0 orgId=0 uname= t=2026-01-06T06:24:16.626892657Z level=info msg="Request Completed" method=POST path=/login status=400 remote_addr=##.##.##.## time_ms=29 duration=29.870013ms size=107 referer=https://grafana.exmaple.com/login handler=/login

Environment

Healthwatch tile

Cause

As described in the Healthwatch documentation, Server group mappings should be configured for mapping LDAP groups to Grafana orgs and roles.

The "User does not belong in any of the specified LDAP groups" warning indicates the login LDAP user doesn't belong to any LDAP group set in Server group mappings section. It could also be caused by the Group search base DNs or Group search filter property not setting properly so that the login user's group could not be searched out. 

Resolution

  • Review the Group search base DNs or Group search filter property on Grafana Authentication pane on Healthwath tile Settings and make sure the login user's LDAP group could be searched out
  • Review the Server group mappings and make sure the login user's LDAP group is included
  • Or update the login user's group attribute in LDAP server to ensure its group is covered by the existing Server group mappings
Powered by Wolken Software