I am attempting to get Graylog to authenticate off Active Directory using LDAP and am running into issues when I limit my search to people in a specific group. My config is as follows:
Server Address: SUBDOMAIN.DOMAIN.NET
SSL and StartTLS enabled.
Test connection to server using bindUser works.
Search Base DN: OU=EMPLOYEE,OU=ACCOUNTS,OU=CUSTOM,DC=SUBDOMAIN,DC=DOMAIN,DC=NET
User Search Pattern: (&(sAMAccountName={0})(objectCategory=person)(objectClass=user)(memberOf=CN=GRAYLOG,OU=GRAYLOG,OU=ROLES,OU=CUSTOM,DC=SUBDOMAIN,DC=DOMAIN,DC=NET))
Display Name attribute: displayName
When I run the login test, I get the response “Binding with empty principal is forbidden” and the user is not found. If I remove the “memberOf” section so the search pattern reads (&(sAMAccountName={0})(objectCategory=person)(objectClass=user)), I still get back “Binding with empty principal is forbidden”, but the user is found no problem.
My issue is that the same query copied and pasted into Active Directory Users and Computers returns users just fine. I have to adjust sAMAccountName={0} to sAMAccountName=validUser, of course.
What am I doing wrong? I cannot leave the group membership part out. If I do, anyone with an Active Directory account in the EMPLOYEE OU can log into Graylog.
Remove objectCategory=person part of query and test.
To restrict Graylog access to designated users, use AD groups. I have a simple User Search Pattern (&(objectClass=user)(sAMAccountName={0})), Group Search Base DN OU=ACCOUNTS,OU=CUSTOM,DC=SUBDOMAIN,DC=DOMAIN,DC=NET and Group Search Pattern (&(objectClass=group)(cn=graylog*)). To grant read-only access to Graylog I put the user in group graylog_read, and Graylog admins go to group graylog_admin. AD groups are mapped to the appropriate Graylog groups with Graylog group mapping.
That isn’t any different than where I was before. This still allows ANYONE with an AD account in the Employee OU to log into Graylog, regardless of group membership. Graylog just creates an account for them with the “Reader” role. I don’t even want them to be able to log in if they aren’t in a specific group.
I tested your configuration without (objectCategory=person) in the User Search Pattern and it works. Testing with a user in the AD graylog group returns the user attributes successfully; testing with a user not in the graylog group returns the error ‘Binding with empty principal is forbidden’.
Your problem is not with the User Search Pattern parameter, but with the Search Base DN. Your Search Base DN should point to the LDAP subtree where all the users/groups you use in your LDAP filter can be found.
So try to change your Search Base DN to: OU=CUSTOM,DC=SUBDOMAIN,DC=DOMAIN,DC=NET
And it should work as expected with your original User Search Pattern.
In my setup I use a slightly more advanced LDAP filter: (&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=Graylog_users,CN=Users,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
This is the recommended way to search for users, because it is cached and faster, as you’ve already included: (objectCategory=person)(objectClass=user)
This parameter also allows adding other groups (not only users) to the Graylog_users group: memberOf:1.2.840.113556.1.4.1941:=CN=Graylog_users,CN=Users,DC=domain,DC=com
This disallows blocked users: !(userAccountControl:1.2.840.113556.1.4.803:=2)
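As an added illustration (not code from this thread, from Graylog or from Active Directory), here is a small Python model of how the filter in the last post is evaluated: the 1.2.840.113556.1.4.1941 rule is walked as transitive (nested) group membership, the 1.2.840.113556.1.4.803 rule is a bitwise test of userAccountControl, and the Search Base DN is a subtree scope check on the user entry. The directory entries, the user names and the OU=CONTRACTORS container are constructed for the example.

```python
ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the ...1.4.803 (bitwise AND) rule
GRAYLOG_GROUP = "CN=Graylog_users,CN=Users,DC=domain,DC=com"
EMPLOYEES = "OU=EMPLOYEE,OU=ACCOUNTS,OU=CUSTOM,DC=domain,DC=com"

def user(sam, ou, groups, uac=512):  # 512 = NORMAL_ACCOUNT
    """Build one constructed user entry as (DN, attributes)."""
    return (f"CN={sam},{ou}", {"objectCategory": "person", "objectClass": ["user"],
                               "sAMAccountName": sam, "memberOf": groups, "userAccountControl": uac})

# Constructed directory: DN -> attributes. The Ops group is nested inside Graylog_users.
DIRECTORY = {GRAYLOG_GROUP: {"objectClass": ["group"]},
             "CN=Ops,CN=Users,DC=domain,DC=com": {"objectClass": ["group"], "memberOf": [GRAYLOG_GROUP]}}
DIRECTORY.update(dict([
    user("alice", EMPLOYEES, ["CN=Ops,CN=Users,DC=domain,DC=com"]),      # member via nested group
    user("bob", EMPLOYEES, [GRAYLOG_GROUP], uac=512 | ACCOUNTDISABLE),    # direct member, but disabled
    user("carol", EMPLOYEES, []),                                         # not a member at all
    user("dave", "OU=CONTRACTORS,DC=domain,DC=com", [GRAYLOG_GROUP]),    # member, but outside OU=CUSTOM
]))

def in_chain(dn, group_dn, seen=None):
    """memberOf:1.2.840.113556.1.4.1941:=<group>: true if dn is a direct or nested member."""
    seen = set() if seen is None else seen
    for parent in DIRECTORY.get(dn, {}).get("memberOf", []):
        if parent in seen:  # guard against group membership cycles
            continue
        seen.add(parent)
        if parent == group_dn or in_chain(parent, group_dn, seen):
            return True
    return False

def is_disabled(entry):
    """userAccountControl:1.2.840.113556.1.4.803:=2: true if every bit of 2 is set."""
    return (entry.get("userAccountControl", 0) & ACCOUNTDISABLE) == ACCOUNTDISABLE

def matches(dn, entry, sam):
    """The whole AND filter from the post above, with {0} replaced by sam."""
    return (entry.get("objectCategory") == "person" and "user" in entry.get("objectClass", [])
            and entry.get("sAMAccountName") == sam
            and in_chain(dn, GRAYLOG_GROUP) and not is_disabled(entry))

def in_subtree(dn, base_dn):
    """Subtree scope: only entries at or below the Search Base DN are candidates."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def search(base_dn, sam):
    """DNs a subtree search under base_dn would return for this sAMAccountName."""
    return [dn for dn, e in DIRECTORY.items() if in_subtree(dn, base_dn) and matches(dn, e, sam)]
```

Running search("OU=CUSTOM,DC=domain,DC=com", name) for each constructed user shows only alice being returned: bob is excluded by the disabled-account bit, carol by group membership, and dave because his entry lies outside the search base.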