Introduction

Grafana login failures can stem from multiple authentication sources: the internal database, LDAP, OAuth providers, or configuration mistakes. The error message "Login failed" or "Invalid username or password" is deliberately generic for security, so you need to check Grafana logs and configuration to find the real cause.

Symptoms

  • Users see "Login failed" or "Invalid username or password" despite correct credentials
  • Admin users cannot access Grafana after an upgrade or migration
  • Login works for some users but fails for others
  • Error appears in Grafana logs: "failed to authenticate user" or "invalid password"
  • Password reset emails are not being sent or received

Common Causes

  • The admin password was changed or corrupted during an upgrade
  • Database authentication backend has connection issues
  • LDAP or OAuth configuration changed or certificates expired
  • User account is locked or has insufficient permissions
  • Grafana auth configuration in grafana.ini has invalid settings
  • Password hashing algorithm mismatch between versions

Step-by-Step Fix

For Internal Database Authentication

  1. Check Grafana server logs for the specific authentication error:

```bash
# -E is required for the | alternation to match any of the three words
docker logs grafana 2>&1 | grep -iE "login|auth|password"
# Or for systemd installations:
journalctl -u grafana-server -n 100 --no-pager | grep -i auth
```

  2. Reset the admin password using the Grafana CLI:

```bash
# Replace newpassword123 with a strong password of your own
grafana-cli admin reset-admin-password newpassword123
```

  3. For Docker deployments:

```bash
docker exec -it grafana grafana-cli admin reset-admin-password newpassword123
```

  4. If the reset command fails, update the password directly in the SQLite or PostgreSQL database:

```bash
# For SQLite (default)
# Back up grafana.db before editing it.
# Note: Grafana stores a salted hash in the password column, not the plaintext password.
sqlite3 /var/lib/grafana/grafana.db "UPDATE user SET password = 'newpassword123', salt = '' WHERE login = 'admin';"
```

For LDAP Authentication Issues

  1. Verify LDAP connectivity and credentials:

```bash
# Test LDAP connection from Grafana server
ldapsearch -x -H ldap://ldap.example.com:389 -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com"
```

  2. Check Grafana LDAP configuration in /etc/grafana/ldap.toml:

```toml
[[servers]]
host = "ldap.example.com"
port = 389
# use_ssl = true on port 389 needs start_tls = true; LDAPS without StartTLS normally uses port 636
use_ssl = true
bind_dn = "cn=grafana,ou=services,dc=example,dc=com"
bind_password = "your-bind-password"
search_filter = "(sAMAccountName=%s)"
search_base_dns = ["dc=example,dc=com"]
```

  3. Enable LDAP debug logging to see detailed connection attempts:

```ini
# In grafana.ini
[log]
level = debug
# Per-logger filter in the form logger:level
filters = ldap:debug
```

For OAuth/SSO Issues

  1. Verify OAuth provider endpoints and credentials:

```bash
curl -v https://oauth-provider.example.com/.well-known/openid-configuration
```

  2. Check the OAuth configuration in grafana.ini:

```ini
[auth.google]
enabled = true
client_id = your-client-id
client_secret = your-client-secret
scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
auth_url = https://accounts.google.com/o/oauth2/auth
token_url = https://accounts.google.com/o/oauth2/token
```

  3. After fixing the issue, restart Grafana and test login:

```bash
systemctl restart grafana-server
# Or for Docker:
docker restart grafana
```
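
The two OAuth checks above (the provider's openid-configuration document and the OAuth section of grafana.ini) can be compared automatically. This is an added example, not code from the original page or from Grafana; the `auth.generic_oauth` section name, the `check_oauth_section` helper and all sample values are assumptions constructed for illustration.

```python
import configparser
import json
from urllib.parse import urlsplit

# grafana.ini key -> field in the provider's openid-configuration document
KEY_TO_FIELD = {"auth_url": "authorization_endpoint",
                "token_url": "token_endpoint",
                "api_url": "userinfo_endpoint"}

# Constructed samples: a stale, non-TLS token_url and an empty client_secret.
SAMPLE_INI = """
[auth.generic_oauth]
enabled = true
client_id = your-client-id
client_secret =
auth_url = https://oauth-provider.example.com/oauth2/authorize
token_url = http://oauth-provider.example.com/oauth/token
"""
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://oauth-provider.example.com",
    "authorization_endpoint": "https://oauth-provider.example.com/oauth2/authorize",
    "token_endpoint": "https://oauth-provider.example.com/oauth2/token",
})

def check_oauth_section(ini_text, section, discovery_json):
    """Return (key, problem) findings for one [auth.*] section."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    # grafana.ini may set keys before the first section; give them a home.
    cfg.read_string("[__global__]\n" + ini_text)
    if not cfg.has_section(section):
        return [(section, "section missing")]
    sec, discovery, findings = cfg[section], json.loads(discovery_json), []
    if sec.get("enabled", "false").strip().lower() != "true":
        findings.append(("enabled", "provider is not enabled"))
    for key in ("client_id", "client_secret"):
        if not sec.get(key, "").strip():
            findings.append((key, "empty or missing"))
    for key, field in KEY_TO_FIELD.items():
        configured = sec.get(key, "").strip()
        if not configured:
            continue  # key not set in this section, nothing to compare
        if urlsplit(configured).scheme != "https":
            findings.append((key, "not https"))
        advertised = discovery.get(field, "")
        if advertised and configured.rstrip("/") != advertised.rstrip("/"):
            findings.append((key, f"differs from {field}: {advertised}"))
    return findings

if __name__ == "__main__":
    for key, problem in check_oauth_section(SAMPLE_INI, "auth.generic_oauth", SAMPLE_DISCOVERY):
        print(f"{key}: {problem}")
```

To use it on a real deployment, pass the contents of grafana.ini and the JSON body saved from the curl command in place of the constructed samples.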

Verification

  • Attempt login with the reset or corrected credentials
  • Check Grafana logs for successful authentication entries
  • Verify user permissions and organization membership in the UI
  • Test with multiple user accounts to ensure the fix is comprehensive