AD integration and email attributes

kodiakf · July 21, 2021, 11:34am

Hi Folks,
Usually when I integrate a web service like Graylog with AD, there are a lot of attribute mapping which I can declare to control things like email address fields etc.

This is great because I can’t control those attributes in AD as I’m not in that department.

With Graylog, I don’t see how I can choose where to pull an email attribute from and that means it’s broken for various users in AD who don’t use the main email attribute but rather ‘mail’.

Is there some hidden area I can tune these aspects of our AD integration for identity?

gsmith · July 22, 2021, 1:18am

Hello,
What version of GL are you using?

kodiakf · July 22, 2021, 1:31am

Hi!
We’re running v4.0.9+b962df8 - freshly installed yesterday.

gsmith · July 22, 2021, 1:45am

I think after version 4.0 Graylog now has Teams/Groups but this is the Enterprise version if its enabled.
If you keep logs under 5GB day I believe its free.
Introduction to Teams Management | Graylog.

EDIT:
Maybe you could adjust your attributes here.

shoothub · July 22, 2021, 8:30am

In Graylog you can’t define attribute mapping for email. It’s hardcoded in code, and first check attribute mail, then rfc822Mailbox and if not found it uses dummy address unknown@unknown.invalid

github.com

Graylog2/graylog2-server/blob/4.0/graylog2-server/src/main/java/org/graylog/security/authservice/ldap/UnboundLDAPConnector.java#L296

    
      
              return createLDAPUser(config, createLDAPEntry(entry, config.userUniqueIdAttribute()));
          }
          
          
public LDAPUser createLDAPUser(UnboundLDAPConfig config, LDAPEntry ldapEntry) {
              final String username = ldapEntry.nonBlankAttribute(config.userNameAttribute());
              return LDAPUser.builder()
                      .base64UniqueId(ldapEntry.base64UniqueId())
                      .accountIsEnabled(findAccountIsEnabled(ldapEntry))
                      .username(username)
                      .fullName(ldapEntry.firstAttributeValue(config.userFullNameAttribute()).orElse(username))
                      .email(ldapEntry.firstAttributeValue("mail").orElse(ldapEntry.firstAttributeValue("rfc822Mailbox").orElse("unknown@unknown.invalid")))
                      .entry(ldapEntry)
                      .build();
          }
          
          
private boolean findAccountIsEnabled(LDAPEntry ldapEntry) {
              final Optional<String> control = ldapEntry.firstAttributeValue("userAccountControl");
          
          
    // No field present. Assume account is enabled
              if (!control.isPresent()) {
                  return true;

system · August 5, 2021, 8:30am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Active Directory different attribute for email tag Graylog Central (peer support)	2	553	July 16, 2018
Unknown attribute issue LDAP integration with Active Directory Graylog Central (peer support)	5	2957	May 10, 2017
[ISSUE] LDAP mapping does not work Graylog Add-ons	2	998	August 13, 2020
AD Integration settings not getting saved Graylog Central (peer support)	6	2722	August 11, 2017
Graylog 4.0 \| LDAP Group changes Graylog Central (peer support)	12	5387	December 24, 2020

AD integration and email attributes

Related topics