January 17, 2024

I’ve been making a number of changes in my local environment (more on that in a few days I think), and I ran across a problem that is, as far as I can tell, fairly undocumented. To wit: if I have an LDAP user in Grafana, and I want to convert it to using Grafana’s internal authentication, what do I do?

Yeah. Google was no help…

The Solution

WARNING: Use this information AT YOUR OWN RISK! I make no promises as to whether or not it will mess up your Grafana installation! ALSO, MAKE SURE YOU HAVE A BACKUP AND A NON-LDAP ADMIN USER AVAILABLE BEFORE YOU START!

Fortunately, it’s fairly easy to deal with this. The way Grafana seems to work is fairly simple: it stores stuff about users in a SQL database in, among others, the user and user_auth tables. The user table is fairly straightforward: it’s the main user table in Grafana.

The second one, user_auth, is the one we want. Looking at that table reveals an LDAP auth record for each LDAP user. Removing that record will remove the LDAP auth for that user and revert them to the internal authenticator.

So basically, you log into grafana’s database and find the user’s id (replacing the all-caps things as appropriate):

select id from user where login = 'USERNAME';

This will hand back the ID of the user you’re trying to convert. Then delete the associated user_auth record:

delete from user_auth where user_id = USER_ID_FROM_ABOVE;

And finally, use your admin user to reset the user’s password. From there, your user should be able to log in normally, just without ldap.

You might want to save a copy of the data from the user_auth table in case you ever want to restore their LDAP connection though…

Hopefully this will help someone out there. Enjoy!