AD auth error on graylog setup

When trying to configure authentication via active directory I get an error screen in the graylog.
This error is displayed on the web interface
“Cannot convert undefined or null to object”

And in the server log this:

2020-07-27T11:18:31.927-03:00 ERROR [AnyExceptionClassMapper] Unhandled exception in REST resource
java.lang.RuntimeException: ERR_02002_FAILURE_ON_UNDERLYING_CURSOR Failure on underlying Cursor.
at ~[graylog.jar:?]
at ~[graylog.jar:?]
at ~[graylog.jar:?]
at sun.reflect.GeneratedMethodAccessor777.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke( ~[?:1.8.0_252]
at java.lang.reflect.Method.invoke( ~[?:1.8.0_252]
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke( ~[graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$ ~[graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke( ~[graylog.jar:?]
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch( ~[graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch( ~[graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke( ~[graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply( ~[graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply( ~[graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$ [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$ [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$ [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process( [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process( [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process( [graylog.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope( [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process( [graylog.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle( [graylog.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service( [graylog.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$ [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$ [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker( [?:1.8.0_252]
at java.util.concurrent.ThreadPoolExecutor$ [?:1.8.0_252]
at [?:1.8.0_252]
Caused by:
at ~[graylog.jar:?]
at ~[graylog.jar:?]
at ~[graylog.jar:?]
… 28 more

Operating system: Centos 7
Graylog version: 3.3.2 + ade4779
Java: 1.8.0_252

Please post your LDAP configuration…

Server type: Active Directory
Server Address: ldap://
System Username: grafana@dc.local
Connection validation occurs normally

Search Base DN DC=DC,DC=local
Display Name attribute displayName
User Search Pattern (sAMAccountName=%s) or (&(objectClass=user)(sAMAccountName={0}))
I’ve tried these two ways.
If I try with that value (& (objectClass = user) (sAMAccountName = {0}))
I get this error “Binding with empty principal is forbidden”

If I try to use (sAMAccountName =% s) *, when I validate the login, at the end of the page, it changes to the page that something is wrong and returns the error “Cannot convert undefined or null to object”

Display Name attribute displayName

Hey @cardosocristian,

Here’s our working configuration for comparison:

Server type: Active Directory
Server Address: ldap://
System Username:

Search Base DN: ou=enterprise,dc=contoso,dc=com
Display Name attribute displayName
User Search Pattern (&(memberof=CN=Graylog Admins,OU=Enterprise Security Groups,OU=Enterprise,DC=contoso,DC=com)(sAMAccountName={0}))

Does the graylog user in AD need administrator permission?

Ours is just a regular domain user.

I have been trying a variety of combinations of your configurations above and have been unable to reproduce your error. I did find a couple of threads talking about the same issue, though. Do either of the following apply?

A common theme mentioned by @jan is a problem with group nesting.

  1. I have similar error, if I put username in format in section Login test. Try to use only username without ( in first field in this section. Also it’s better to save settings before testing.
  2. Don’t try to use LDAP without enctyption, because passwords are transfered completely as plain text. Better is to either use LDAPS (check SSL and use port 636) or LDAP using StartTLS (Check StartTLS and port 389).