Binding with empty principal is forbidden

v_2nas · March 1, 2018, 6:55am

Hi folks,

I am configuring Active Directory Authentication with graylog.
Connection to the domain controller is working.
All parameter seems to be correct
2018-03-01%2014_51_58-Graylog%20-%20LDAP%20Settings
LDAP group mapping shows the group GrayLogRO set to Reader.
When i use the account to test. It says the user is found but I get an error on login attempt.

2018-03-01%2014_54_26-Graylog%20-%20LDAP%20Settings

Any idea what i might be doing wrong. I am on latest version of graylog.

jan · March 1, 2018, 8:16am

Is that a group inside a group?

That is currently not working, see for reference:

https://github.com/Graylog2/graylog2-server/issues/1436

v_2nas · March 1, 2018, 10:29pm

Hi Jan,

It’s not a nested group but group is at few ou level down, would that be a cause?

jan · March 2, 2018, 8:20am

maybe - I did not know.

It might be a bug, but without looking into this it is impossible to say. I would open one Issue over at Github for that - including all details that are needed to rebuild that problem.

v_2nas · March 6, 2018, 1:11am

I looked at the graylog-server.log and when i do the test i see the following in the logs

2018-03-06T01:10:28.756Z WARN [DefaultAttribute] ERR_04486_VALUE_ALREADY_EXISTS The value ‘20160308073112.0Z’ already exists in the attribute (dSCorePropagationData)

Any idea what does this mean.

jochen · March 6, 2018, 10:44am

Please post the complete logs of your Graylog node.

v_2nas · March 7, 2018, 2:58am

Hi Jochen,
i had difficult time uploading and pasting the entire server.log. I have uploaded it on one drive.
https://1drv.ms/u/s!AqZsgv1KWdWPgfJwqmLELZoBEYoBlQ

The username and password are correct though gray log complains of it being invalid.

jochen · March 7, 2018, 7:58am

It’s not Graylog which is complaining. It’s your LDAP server. Graylog merely passes along the message.

2018-03-07T02:43:56.209Z ERROR [LdapUserAuthenticator] Error during LDAP user account sync. Cannot log in user testuser@domain.com
java.lang.RuntimeException: MessageType : BIND_RESPONSE
Message ID : 6
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'

v_2nas · March 7, 2018, 10:42am

I have also asked few my colleagues to test with their AD account and they are also getting the same issue. I am wondering if it’s a false positive.

jochen · March 7, 2018, 11:14am

You can try using the bind credentials and the user credentials with a different LDAP client (e. g. LDAP Admin or ldapsearch which is part of OpenLDAP) and check the responses of the LDAP server.

As for the false positive, Graylog can only relay the information the LDAP server responded with.

v_2nas · March 7, 2018, 12:04pm

I tried connecting with LDAP Admin and performed test connection, and it worked fine, no errors.

system · March 21, 2018, 12:04pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to configure External Authentication on GrayLog- LDAP/Active Directory and SSO Authentication Graylog Central (peer support)	6	15265	November 28, 2019
AD/LDAP Authentication with groups, users not found Graylog Central (peer support)	7	6633	January 31, 2020
Unknown attribute issue LDAP integration with Active Directory Graylog Central (peer support)	5	2961	May 10, 2017
Active Directory Authentication Crash Graylog Central (peer support)	5	627	November 6, 2020
LDAPConnector trying to connect to LDAP Server null Graylog Central (peer support)	2	601	October 17, 2019

Binding with empty principal is forbidden

Related topics