Binding with empty principal is forbidden

Hi folks,

I am configuring Active Directory authentication with Graylog.
Connection to the domain controller is working.
All parameters seem to be correct.
LDAP group mapping shows the group GrayLogRO set to Reader.
When I use the account to test, it says the user is found, but I get an error on the login attempt.

Any idea what I might be doing wrong? I am on the latest version of Graylog.

Is that a group inside a group?

That is currently not working, see for reference:

Hi Jan,

It's not a nested group, but the group is a few OU levels down. Would that be a cause?

Maybe - I did not know.

It might be a bug, but without looking into this it is impossible to say. I would open an issue over at GitHub for that, including all details that are needed to rebuild that problem.

I looked at the graylog-server.log and when I do the test I see the following in the logs:

2018-03-06T01:10:28.756Z WARN [DefaultAttribute] ERR_04486_VALUE_ALREADY_EXISTS The value ‘20160308073112.0Z’ already exists in the attribute (dSCorePropagationData)

Any idea what this means?

Please post the complete logs of your Graylog node.

Hi Jochen,
I had a difficult time uploading and pasting the entire server.log. I have uploaded it on OneDrive.

The username and password are correct, though Graylog complains of them being invalid.

It's not Graylog which is complaining. It's your LDAP server. Graylog merely passes along the message.

2018-03-07T02:43:56.209Z ERROR [LdapUserAuthenticator] Error during LDAP user account sync. Cannot log in user
java.lang.RuntimeException: MessageType : BIND_RESPONSE
Message ID : 6
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'

I have also asked a few of my colleagues to test with their AD accounts and they are also getting the same issue. I am wondering if it's a false positive.

You can try using the bind credentials and the user credentials with a different LDAP client (e.g. LDAP Admin or ldapsearch, which is part of OpenLDAP) and check the responses of the LDAP server.

As for the false positive, Graylog can only relay the information the LDAP server responded with.
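As an added example (not code from this thread or from Graylog), a small Python helper that pulls the Active Directory sub-code out of the diagnostic message Jochen points to and maps it to its documented meaning, so a log excerpt like the one above can be triaged without guessing. The sub-code table is Microsoft's well-known AcceptSecurityContext list; the sample log is the excerpt quoted earlier in the thread.

```python
import re

# Sub-codes Active Directory appends after "data" in the diagnostic message of
# a failed bind (AcceptSecurityContext error). The LDAP result code is always
# 49 / invalidCredentials; the sub-code says why the bind was refused.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or wrong bind DN/UPN)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

DIAG_RE = re.compile(r"Diagnostic message : '(?P<msg>[^']*)'")
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)")


def explain_ad_diagnostic(diag: str) -> dict:
    """Extract the AD sub-code from one bind diagnostic string and explain it."""
    m = SUBCODE_RE.search(diag)
    if not m:
        return {"subcode": None, "meaning": "no AcceptSecurityContext sub-code present"}
    code = m.group("code").lower()
    return {"subcode": code, "meaning": AD_BIND_SUBCODES.get(code, "unknown sub-code")}


def explain_log(log_text: str) -> list:
    """Find every LDAP diagnostic message in a Graylog server log excerpt."""
    return [explain_ad_diagnostic(m.group("msg")) for m in DIAG_RE.finditer(log_text)]


# Log excerpt as quoted in the thread above.
SAMPLE_LOG = """\
2018-03-07T02:43:56.209Z ERROR [LdapUserAuthenticator] Error during LDAP user account sync. Cannot log in user
java.lang.RuntimeException: MessageType : BIND_RESPONSE
Message ID : 6
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'
"""

if __name__ == "__main__":
    for entry in explain_log(SAMPLE_LOG):
        print(entry)
```

For the thread's log line this yields sub-code 52e, i.e. the domain controller rejected the password or bind identity itself, which is why testing the same credentials with another LDAP client is the right next step.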

I tried connecting with LDAP Admin and performed test connection, and it worked fine, no errors.
