I set up LDAP configuration to our domain controller.
log in wise everything is working fine.
when deleting an LDAP user from the Graylog GUI and the Active Directory group, the user is still able to login.
For example, i did the following:
username: JamesD
Active Directory Group: Graylog_LDAP
i added JamesD to the AD group.
JamesD was able to login successfully.
Than, i deleted JamesD both from the AD group and the graylog GUI:
try to login with JamesD again - the user was able to login successfully and entity for the user created in the graylog gui.
that is a wrong behavior!
after deleting the user from the AD group, the shouldn’t be able to login again.
That something to do with LDAP cache?
would love your help.
At LDAP settings you can check what GL sees from LDAP. Check it. (eg. the user’s groups)
Maybe your LDAP settings or your AD has a problem (eg. AD domain sync)
On the other hand, as @macko003 suggests it could be down to your filtering. Any user found through the LDAP connection can always login. If the AD group you mentioned is tied to a specific role, then users will only get that role if they are in the group. If they are not in the group, then can still login as normal user.
Unless…
Unless, as Macko pointed out, you adjust your input filter for the AD-connection. You can set Graylog up in such a way that it will only find users in a specific OU, or users that are member of a specific group. Then, only those users can login.
For example:
User Tom, group “finance”
User Ted, group “it”
User Lisa, groups “it” and “graylogadmin”
If you configure Graylog in such a way that:
It can only fetch users who are member of group “it” and so
The group “graylogadmin” is tied to Admin privileges.
Then only Lisa and Ted can login. And only Lisa can admin.
