Introduction

Grafana uses a service account (bind DN) to authenticate users against LDAP/Active Directory. When the service account password expires -- typically due to Active Directory password expiration policies -- all LDAP authentication fails. This blocks all LDAP users from logging into Grafana, causing a complete authentication outage for teams relying on LDAP identity.

Symptoms

  • All LDAP users receive an "Invalid username or password" error on login
  • Grafana logs show: LDAP Auth failed: bind failed: LDAP Result Code 49 "Invalid Credentials"
  • Grafana admin (local) account still works, confirming the issue is LDAP-specific
  • Active Directory shows the Grafana service account password has expired
  • Error message: ldap: failed to bind: 49 80090308: LdapErr: DSID-0C09042F

Common Causes

  • Active Directory password expiration policy applying to the service account
  • Service account not configured with "Password never expires" flag
  • Automated password rotation not configured for the Grafana LDAP bind account
  • Account lockout policy triggering after multiple failed bind attempts with expired password
  • Service account created with default domain password policy applied

Step-by-Step Fix

  1. Confirm the LDAP bind failure from Grafana logs: Verify the authentication error.

```ini
# Enable LDAP debug logging
# grafana.ini
[log]
filters = ldap:debug
```

```bash
# Check logs (-E so that "|" is read as alternation, not a literal character)
journalctl -u grafana-server | grep -iE "ldap|bind"
```

  2. Reset the service account password in Active Directory: Update the expired password.

```powershell
# Run on Active Directory server
Set-ADAccountPassword -Identity "grafana-svc" -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewSecurePass123!" -Force)
Set-ADUser -Identity "grafana-svc" -PasswordNeverExpires $true
```

  3. Update the Grafana LDAP configuration with the new password: Apply the new credentials.

```toml
# /etc/grafana/ldap.toml
[[servers]]
host = "ad.example.com"
port = 636
use_ssl = true
bind_dn = "CN=grafana-svc,OU=Service Accounts,DC=example,DC=com"
bind_password = "NewSecurePass123!"
```

  4. Restart Grafana to apply the LDAP configuration changes: Reload the LDAP connection.

```bash
systemctl restart grafana-server
```

  5. Test LDAP authentication: Verify a user can log in.

```bash
# Use Grafana's LDAP test tool
grafana-cli admin ldap-test --username testuser
```
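Step 1 only shows that the bind is failing. LDAP result 49 looks the same whether the bind DN's password is wrong, expired, or the account is locked out; what distinguishes them is the sub-code Active Directory appends after the DSID shown in the Symptoms section ("AcceptSecurityContext error, data 532" for an expired password, "data 52e" for a wrong one, "data 775" for a lockout). The script below is an added example, not part of this runbook and not Grafana's own tooling: it reads Grafana log lines, decodes that sub-code, and reports whether every failure points at an expired password. The sample log lines are constructed for the example; the sub-code table is the documented Active Directory list.

```python
import re
from collections import Counter

# Sub-codes Active Directory appends to LDAP result 49 (invalidCredentials) in the
# "AcceptSecurityContext error, data NNN" comment. Result 49 alone does not say why.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Both message shapes quoted in the Symptoms section.
RESULT_49_RE = re.compile(r"LDAP Result Code 49|failed to bind: 49\b")
DATA_CODE_RE = re.compile(r"\bdata ([0-9a-fA-F]{3})\b")

# Constructed sample of Grafana's logfmt output for this incident (not real logs).
SAMPLE_LOG = """\
logger=ldap t=2024-05-01T09:00:01Z level=error msg="LDAP Auth failed: bind failed: LDAP Result Code 49 \\"Invalid Credentials\\": 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v4563"
logger=ldap t=2024-05-01T09:00:07Z level=error msg="ldap: failed to bind: 49 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v4563"
logger=ldap t=2024-05-01T09:00:09Z level=info msg="LDAP connection established" host=ad.example.com
logger=ldap t=2024-05-01T09:00:12Z level=error msg="ldap: failed to bind: 49 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v4563"
"""


def classify_line(line):
    """Return a diagnosis for one Grafana log line, or None if it is not a bind failure."""
    if not RESULT_49_RE.search(line):
        return None
    m = DATA_CODE_RE.search(line)
    if not m:
        # e.g. the truncated "failed to bind: 49 80090308: LdapErr: DSID-0C09042F" form
        return "bind failed (result 49, no AD data code)"
    code = m.group(1).lower()
    return AD_DATA_CODES.get(code, f"bind failed (unknown AD data code {code})")


def triage(lines):
    """Count bind failures by diagnosis across a batch of log lines."""
    counts = Counter()
    for line in lines:
        diagnosis = classify_line(line)
        if diagnosis is not None:
            counts[diagnosis] += 1
    return counts


def bind_account_password_expired(counts):
    """True when every bind failure carries an expired/must-reset sub-code.

    A single user's expired password yields the same sub-code, so this points at
    the bind DN only together with the symptom that all LDAP users fail at once.
    """
    total = sum(counts.values())
    if total == 0:
        return False
    expired = counts.get("password expired", 0) + counts.get("user must reset password", 0)
    return expired == total


if __name__ == "__main__":
    # Typical use: journalctl -u grafana-server | python3 triage_ldap.py
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    summary = triage(source)
    for diagnosis, n in summary.most_common():
        print(f"{n:4d}  {diagnosis}")
    if bind_account_password_expired(summary):
        print("All bind failures report an expired password: reset the bind DN password (Step 2).")
```

Run it on the output of the journalctl command from Step 1. A mix of sub-codes (some 532, some 52e) means the bind DN is fine and individual user accounts are failing, which is a different problem from the one this runbook covers.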

Prevention

  • Configure LDAP service accounts with "Password never expires" in Active Directory
  • Store the bind password in a secrets manager and use automated rotation with Grafana config reload
  • Monitor LDAP authentication failure rate and alert when it exceeds the normal threshold
  • Maintain a fallback local admin account for emergency access during LDAP outages
  • Document the LDAP service account details in a runbook with password rotation procedures
  • Test LDAP connectivity after any Active Directory password policy changes
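The rotation and reload bullets above can be scripted so the bind password is never edited by hand. The following is an added example, not code from this runbook or from Grafana: it renders the ldap.toml from the Step-by-Step Fix with the new password quoted as a TOML string (a password containing a quote or backslash would otherwise corrupt the file), installs it atomically with mode 0600 owned by the service user, and asks Grafana to re-read it through the admin API's POST /api/admin/ldap/reload endpoint instead of restarting the service. The Grafana URL, the admin credentials, the "grafana" service user name, and the way the new password reaches the script (an environment variable standing in for the secrets-manager fetch) are assumptions.

```python
import base64
import json
import os
import pwd
import tempfile
import urllib.request

LDAP_TOML_PATH = "/etc/grafana/ldap.toml"  # path used in the Step-by-Step Fix
GRAFANA_URL = "http://localhost:3000"      # assumption: Grafana reachable locally


def toml_basic_string(value):
    """Quote a value as a TOML basic (double-quoted) string.

    bind_password in ldap.toml is a double-quoted string, so a rotated password
    containing '"' or '\\' would otherwise truncate or corrupt the config file.
    """
    escaped = []
    for ch in value:
        if ch == '"':
            escaped.append('\\"')
        elif ch == "\\":
            escaped.append("\\\\")
        elif ch == "\n":
            escaped.append("\\n")
        elif ch == "\t":
            escaped.append("\\t")
        elif ord(ch) < 0x20 or ch == "\x7f":
            escaped.append("\\u%04X" % ord(ch))
        else:
            escaped.append(ch)
    return '"' + "".join(escaped) + '"'


def render_ldap_toml(bind_password, host="ad.example.com", port=636,
                     bind_dn="CN=grafana-svc,OU=Service Accounts,DC=example,DC=com"):
    """Render the [[servers]] block from the runbook with every string properly quoted."""
    return (
        "# /etc/grafana/ldap.toml - generated by the rotation job, do not edit by hand\n"
        "[[servers]]\n"
        f"host = {toml_basic_string(host)}\n"
        f"port = {port}\n"
        "use_ssl = true\n"
        f"bind_dn = {toml_basic_string(bind_dn)}\n"
        f"bind_password = {toml_basic_string(bind_password)}\n"
    )


def write_private_atomic(path, content, owner=None):
    """Write content to path with mode 0600 via a temp file and rename.

    The rename is atomic, so Grafana never reads a half-written file, and the
    0600 mode keeps the bind password from other local users. owner is the
    service user that must be able to read the file (e.g. "grafana"); None
    leaves ownership as the caller. Returns the resulting permission bits.
    """
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".ldap.toml.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), 0o600)
            if owner is not None:
                pw = pwd.getpwnam(owner)
                os.fchown(f.fileno(), pw.pw_uid, pw.pw_gid)
            f.write(content)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return os.stat(path).st_mode & 0o777


def reload_ldap_config(admin_user, admin_password, url=GRAFANA_URL):
    """POST /api/admin/ldap/reload so Grafana re-reads ldap.toml without a restart.

    The endpoint requires a Grafana admin with basic auth and ldap.enabled = true.
    """
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        url + "/api/admin/ldap/reload", method="POST",
        headers={"Authorization": "Basic " + token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def rotate(new_bind_password, admin_user, admin_password,
           path=LDAP_TOML_PATH, owner="grafana"):
    """Full rotation step: render, install with tight permissions, reload."""
    write_private_atomic(path, render_ldap_toml(new_bind_password), owner=owner)
    return reload_ldap_config(admin_user, admin_password)


if __name__ == "__main__":
    # Assumption: the rotation job exports these after fetching the fresh
    # password from the secrets manager (hypothetical variable names).
    rotate(os.environ["GRAFANA_LDAP_BIND_PASSWORD"],
           os.environ["GRAFANA_ADMIN_USER"],
           os.environ["GRAFANA_ADMIN_PASSWORD"])
```

Run the reload step with the same Active Directory password that Step 2 set, and keep the local Grafana admin account from the Prevention list as the credential for the reload call, since LDAP users cannot log in while the bind password is stale.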