Enable LDAP on Percona Monitoring and Management (PMM)

ldap monitoring and mangementPercona Monitoring and Management (PMM) has been on the road for a while now, and it brings exciting new features and improvements. For those who are not familiar with the tool, PMM allows deep insight into the performance of applications and databases. The most crucial highlight: it is 100% open-source. Also, the source code is present on GitHub.

Back to new features and improvements. One of them, that customers were requesting, was the support for LDAP. This feature finally arrived with PMM version 2 thanks to the new version of Grafana, and I intend to demonstrate in a few steps how to configure it.

The steps below are design-oriented to work on PMM docker-based. Note, in case of a version upgrade, PMM will upgrade the files, and the LDAP settings need to be applied again.

So, let’s start with the steps.


1) Logging into pmm container

2) Now, it is necessary to modify two files. First, the grafana .ini configuration file. It is located in this path:

Find the auth.ldap section and remove the semicolon to enable the parameters:

3) Next, change the LDAP specific configuration file (ldap.toml). It is on this path:

In this file, it is necessary to modify the settings accordingly to the current LDAP configuration.

On the above configuration, LDAP uses the default port for non-SSL. Below,  the user that will perform the first search to verify if the user-provided on Grafana exists or not (in this example, the admin user):

Subsequently, the base search:

To avoid any errors on PMM, I recommend to comment on the attributes that are not being used by LDAP:

And the last part, it is possible to use the LDAP group users to define which can be an admin or only viewer on Grafana:

In this example, groups are disabled.

4-) After the updates, Grafana needs to be restarted. Exit the container and perform a restart:

If everything is ok, access should be ok at this point.

In case it is necessary to debug it, there is an extra step:

Optional-) Edit the /etc/grafana/ldap.toml file and remove the # on the log section:

And restart the pmm container again.

Workaround to Avoid Changes Being Overwritten on PMM Upgrades

It is possible to use the ability of Docker to set environment variables. Grafana allows you to set two environment variables to set LDAP authentication:

They need to be placed when docker run command is executed:

Note that the LDAP file will have to be copied inside the docker container, but when copied, it will resist the upgrade.


Percona is continuously improving PMM, and it is in the discussions to make LDAP authentication configurable through the user interface in the future. It is an excellent addition to one of the features that were commonly requested by customers and the community. Finally, if you have any suggestions or feature requests, please don’t hesitate to reach us!

Useful Resources

Finally, you can reach us through our social networks (Twitter, LinkedIn, Facebook), our forum, or access our material using the links presented below:

Share this post

Leave a Reply