I am currently on Graylog 3.14, and I am working my way through upgrading to 4.0, but I saw this in the release notes for 3.3
[BREAKING] Fixing certificate validation for LDAP servers used for authentication
How can I work around this?
Thanks.
Hello @linuxishome, welcome!
The documentation you linked to describes steps to mitigate the risk of breaking. Can you clarify your question?
Please ensure that all certificates used are valid, their common name matches the host part of your configured LDAP server and your local keystore contains all CA/intermediate certs required for validation.
I can’t speak to the validity of your certificate, but here’s some documentation that will get you on the right track for the JKS.
https://docs.graylog.org/en/4.0/pages/configuration/https.html
I’m not sure how to check the certificates on my Active Directory server and compare my keystore on the graylog machines.
Then this will be a stretch for you! Congratulations on an opportunity for growth.
The first thing is to check if you are even using LDAPS. Have you confirmed that? If you aren’t, then this issue is moot for you and you can move on. If you are, then that document I linked above has instructions for using keytool to check the Java keystore being used by Graylog to see what it contains. If you are using HTTPS and the certificate for that is issued by the same domain authenticating users via LDAPS, then it’s likely that you already have the root CA certificate in the JKS, and in that case, as long as the certificate is valid, you are good to go.
Verify that you’re using LDAPS. If you aren’t, no reason to keep digging – unless you want to enable LDAPS which is good security practice.
If you are using LDAPS, are you also using HTTPS to access Graylog? If so, are you using an enterprise CA to issue the certificate securing HTTPS traffic? Is that root CA also servicing LDAPS within the domain? If the answer to all of the above is yes, the root CA certificate is already in the Graylog JKS and as long as it’s valid then you’re probably good to go. Just need to check the JKS using keytool and compare it to the domain certificate to verify.
If there are issues with the certificates (a browser warning for an enterprise CA-issued certificate used for HTTPS is a good indicator there might be a problem), you should get with whoever is responsible for managing your directory and/or enterprise CA and ask for help sorting the certificates out.
Also, google is definitely your friend for this stuff. Getting certificates sorted out isn’t intuitive especially across environments and ecosystems but there is a ton of really good information out there to find what you need.
How do I check and see if we are using secure LDAP?
In Graylog, select “System / Authentication” --> “Authentication”
Here’s an example config:
Title: Active Directory- ldaps://dc01.contoso.com:636/
Description: Migrated from legacy Active Directory configuration.
Server Address: dc01.contoso.com:636
System Username: graylog_ad_binduser@contoso.com
System Password: *************************
Transport Security: tls
Verify Certificates: yes
If you’re using port 636 it’s highly probable it’s LDAPS.
Oh, didn’t even see it – the paste says transport security: tls. That’s LDAPS.
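The two checks discussed above (is the configured server actually answering LDAPS, and would its certificate validate against the keystore Graylog's JVM trusts) can be done from the Graylog host in one script. This is an added example, not code from the thread or from the Graylog project. It assumes the Server Address value is in LDAP_SERVER, that JKS points at the truststore Graylog's JVM uses (the JRE's cacerts, or the file named in -Djavax.net.ssl.trustStore), that its password is in JKS_PASS ("changeit" is the JRE default), and that openssl and keytool are on the PATH. The host/port parsing and the name check run offline; the TLS probe and keystore comparison only run when the script is invoked with the argument "check".

```shell
#!/bin/sh
# Added example (not from the Graylog docs or this thread): from the Graylog
# host, confirm the directory server speaks LDAPS and that the certificate it
# presents would validate against the JKS Graylog's JVM trusts.
#
# Assumed values; override them in the environment to match your setup.
LDAP_SERVER="${LDAP_SERVER:-dc01.contoso.com:636}"
JKS="${JKS:-/usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts}"   # assumption
JKS_PASS="${JKS_PASS:-changeit}"                                          # JRE default

# host_of: strip an optional ldap(s):// scheme, the port and any trailing path,
# leaving the host name the certificate's CN/SAN has to match.
host_of() {
    printf '%s\n' "$1" | sed -e 's#^ldaps\{0,1\}://##' -e 's#/.*$##' -e 's#:.*$##'
}

# port_of: the port part of the server address, 636 (LDAPS) when none is given.
port_of() {
    p=$(printf '%s\n' "$1" | sed -e 's#^ldaps\{0,1\}://##' -e 's#/.*$##' | sed -n 's#^[^:]*:##p')
    printf '%s\n' "${p:-636}"
}

# fetch_chain: the PEM chain the server sends during the TLS handshake.
# Empty output means the port did not complete a TLS handshake, i.e. not LDAPS.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# leaf_of: only the first (server) certificate of a PEM bundle.
leaf_of() {
    printf '%s\n' "$1" | sed -n '1,/-----END CERTIFICATE-----/p'
}

# name_matches: does the leaf's CN or a DNS SAN match the configured host?
name_matches() {   # $1 = leaf PEM, $2 = host
    printf '%s\n' "$1" | openssl x509 -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# verify_against_jks: export every certificate in the JKS as PEM and let
# openssl build the chain exactly as a trust store lookup would.
verify_against_jks() {   # $1 = full chain PEM, $2 = leaf PEM
    tmp=$(mktemp -d) || return 1
    keytool -list -rfc -keystore "$JKS" -storepass "$JKS_PASS" 2>/dev/null > "$tmp/trust.pem"
    printf '%s\n' "$1" > "$tmp/chain.pem"
    printf '%s\n' "$2" > "$tmp/leaf.pem"
    openssl verify -CAfile "$tmp/trust.pem" -untrusted "$tmp/chain.pem" "$tmp/leaf.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

check_ldaps() {
    host=$(host_of "$LDAP_SERVER"); port=$(port_of "$LDAP_SERVER")
    chain=$(fetch_chain "$host" "$port")
    if [ -z "$chain" ]; then
        echo "no TLS handshake with $host:$port: this is not LDAPS (or the port is closed)"
        return 1
    fi
    leaf=$(leaf_of "$chain")
    printf '%s\n' "$leaf" | openssl x509 -noout -subject -issuer -enddate
    if name_matches "$leaf" "$host"; then
        echo "name check: certificate matches $host"
    else
        echo "name check: WARNING, neither CN nor SAN matches $host"
    fi
    if verify_against_jks "$chain" "$leaf"; then
        echo "chain check: validates against $JKS"
    else
        echo "chain check: FAILED, the issuing CA (or an intermediate) is missing from $JKS or the cert is expired"
        return 1
    fi
}

if [ "${1:-}" = "check" ]; then
    check_ldaps
fi
```

Run it as `LDAP_SERVER=dc01.contoso.com:636 sh check_ldaps.sh check` on the Graylog server. An empty handshake means the "Transport Security: tls" setting would not have worked anyway; a name or chain failure is exactly what the 3.3 change starts rejecting, and the issuer printed by the script tells you which CA certificate to import into the JKS with keytool.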
It looks like we are not using secure LDAP.
I tried upgrading directly from 3.1 to 4.0 and tried to login with one of the current accounts, but it said authentication denied. Do I have to upgrade by going through each version?
@linuxishome, do you have the free enterprise license (for less than 5G/day)? Active Directory authentication was removed from the community version (without enterprise license) starting with 4.0.
Yes, we have the free enterprise license.
Then you just need to log in as the admin user and update your AD configuration. It is inactivated by default after the upgrade. There’s more information in the v4 upgrade documentation.
Thanks, that seems to have worked.