AD/LDAP Authentication with groups, users not found

I am attempting to get Graylog to authenticate off Active Directory using LDAP and am running into issues when I limit my search to people in a specific group. My config is as follows:

Server Address: SUBDOMAIN.DOMAIN.NET
SSL and StartTLS enabled.
Test connection to server using bindUser works.

Search Base DN: OU=EMPLOYEE,OU=ACCOUNTS,OU=CUSTOM,DC=SUBDOMAIN,DC=DOMAIN,DC=NET

User Search Pattern
(&(sAMAccountName={0})(objectCategory=person)(objectClass=user)(memberOf=CN=GRAYLOG,OU=GRAYLOG,OU=ROLES,OU=CUSTOM,DC=SUBDOMAIN,DC=DOMAIN,DC=NET))

Display Name attribute
displayName

When I run the login test, I get the response: Binding with empty principal is forbidden and the user is not found. If I remove the “memberOf” section so the search pattern reads: (&(sAMAccountName={0})(objectCategory=person)(objectClass=user)) I still get back Binding with empty principal is forbidden but the user is found no problem.

My issue is, the same query copied and pasted into Active Directory Users and Computers returns users just fine. I have to adjust sAMAccountName={0} to sAMAccountName=validUser of course.

What am I doing wrong? I cannot leave the group membership part out. If I do, anyone with an active directory account in the EMPLOYEE OU can log into Graylog.

Remove the objectCategory=person part of the query and test.
To restrict Graylog access to designated users, use AD groups. I have a simple User Search Pattern (&(objectClass=user)(sAMAccountName={0})), Group Search Base DN OU=ACCOUNTS,OU=CUSTOM,DC=SUBDOMAIN,DC=DOMAIN,DC=NET and Group Search Pattern (&(objectClass=group)(cn=graylog*)). To grant read-only access to Graylog I put users in the group graylog_read, and Graylog admins go in the group graylog_admin. AD groups are mapped to the appropriate Graylog groups with Graylog Group mapping.

That isn’t any different than where I was before. This still allows ANYONE with an AD account in the Employee OU to log into Graylog, regardless of group membership. Graylog just creates an account for them with the “Reader” role. I don’t even want them to be able to log in if they aren’t in a specific group.

I tested your configuration without (objectCategory=person) in the User Search Pattern and it works. Testing with a user in the AD graylog group returns the user attributes successfully; testing with a user not in the graylog group returns the error ‘Binding with empty principal is forbidden’.

I removed the (objectCategory=person) and still no good.

That is what I can’t figure out. It SHOULD work on my end but it just doesn’t. No matter what, I cannot get this working.

Are there any log files I can look at to diagnose this? The server.log file doesn’t give me any insight.

Your problem is not with the User Search Pattern parameter, but with the Search Base DN. Your Search Base DN should point to the LDAP tree where all the users/groups you use in your LDAP filter can be found.

So try to change your Search Base DN to:
OU=CUSTOM,DC=SUBDOMAIN,DC=DOMAIN,DC=NET

And it should work as expected with your original User Search Pattern.

In my setup I use a slightly more advanced LDAP filter:
(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=Graylog_users,CN=Users,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This is the recommended way to search for users, because it is cached and faster, as you’ve already included:
(objectCategory=person)(objectClass=user)

This parameter also allows adding another group (not only users) to the Graylog_users group:
memberOf:1.2.840.113556.1.4.1941:=CN=Graylog_users,CN=Users,DC=domain,DC=com

This disallows blocked users:
!(userAccountControl:1.2.840.113556.1.4.803:=2)

Hope this helps.
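As an added example that is not part of the thread: an offline Python model of the filter in the last answer, run against a constructed directory (every DN, account name and group membership below is made up). It shows how the nested-group rule and the disabled-account bit test decide a match, and why a user sitting outside the Search Base DN comes back as "user not found".

```python
# Offline model of the filter in the last answer, against a constructed directory
# (not real data). It mirrors the rules the search depends on: subtree scoping
# under Search Base DN, transitive memberOf (matching rule 1.2.840.113556.1.4.1941)
# and the userAccountControl bit test (rule 1.2.840.113556.1.4.803, bit 2 = disabled).
ACCOUNTDISABLE = 0x2
BASE_DN = "OU=CUSTOM,DC=EXAMPLE,DC=COM"                       # constructed
GROUP = "CN=Graylog_users,CN=Users,DC=EXAMPLE,DC=COM"        # constructed
ADMINS = "CN=Graylog_admins,OU=ROLES,OU=CUSTOM,DC=EXAMPLE,DC=COM"
EMP = "OU=EMPLOYEE,OU=ACCOUNTS,OU=CUSTOM,DC=EXAMPLE,DC=COM"

def user(cn, ou, groups, uac=512):  # 512 = NORMAL_ACCOUNT
    return f"CN={cn},{ou}", {"sAMAccountName": cn.lower(), "objectClass": ["user"],
        "objectCategory": "person", "memberOf": groups, "userAccountControl": uac}

# DN -> attributes. Bob is only a nested member (via Graylog_admins), Carol is
# disabled (512 | 2), Dave is in no group, Eve is outside the search base.
DIRECTORY = dict([
    user("Alice", EMP, [GROUP]), user("Bob", EMP, [ADMINS]),
    user("Carol", EMP, [GROUP], uac=514), user("Dave", EMP, []),
    user("Eve", "OU=VENDORS,DC=EXAMPLE,DC=COM", [GROUP]),
    (ADMINS, {"objectClass": ["group"], "memberOf": [GROUP]}),
    (GROUP, {"objectClass": ["group"], "memberOf": []}),
])

def escape_filter_value(value):
    """RFC 4515 escaping for the {0} substitution: a login such as
    'x*)(objectClass=*' cannot change the filter's structure."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def in_scope(dn, base):
    return dn.upper().endswith("," + base.upper())  # subtree scope under the base

def member_of_chain(dn, group, seen=frozenset()):
    """memberOf:1.2.840.113556.1.4.1941:= follows nested groups transitively."""
    for g in DIRECTORY.get(dn, {}).get("memberOf", []):
        if g.upper() == group.upper() or (
                g not in seen and member_of_chain(g, group, seen | {dn})):
            return True
    return False

def find_user(login, base=BASE_DN):
    """DN the filter would return for this login, or None (Graylog: user not found)."""
    login = escape_filter_value(login)
    for dn, a in DIRECTORY.items():
        if (in_scope(dn, base) and "user" in a["objectClass"]
                and a.get("objectCategory") == "person" and a["sAMAccountName"] == login
                and member_of_chain(dn, GROUP)
                and not a["userAccountControl"] & ACCOUNTDISABLE):  # rule ...803
            return dn
    return None
```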
