Graylog 4.0 | LDAP Group changes

I’ve recently installed Graylog 4.0 in order to check some features :slight_smile:
It seems mapping LDAP Group is no longer possible without upgrading to Enterprise?
It’s unfortunate because in my prod instance of Graylog 3.x we have developed a whole automated system of mapping Graylog Roles to AD Groups :confused: Graylog 4.0 makes our system obsolete; it actually makes it impossible for us to control anything related to permissions at the AD level, which is a requirement in my org.

Correct me if I’m wrong, but at this moment Graylog 4.0 in terms of permissions is literally no different than ELK with the Basic (free) license? I mean - you can log in using AD, but that would be the only difference. No permissions mapped via LDAP without getting a license, it seems.


Please upvote the request to keep AD group mapping in GL4 on GitHub:


I also just stumbled across this after doing a test upgrade in the lab to 4.0.0: no more LDAP group mappings… Literally one of the reasons we went with Graylog was its authentication options on the free tier… now… well… A big step backward imo, making this a paid-for “feature”. Disappointing.


Hi! Permissions management of who has access to what entities like dashboards and alert rules has been simplified and pushed out to the creator/owner of those entities. This means Group Mapping no longer makes sense because access is not managed through roles anymore. AD/LDAP integration is still available in open source for authentication, but for management of large teams or across multiple teams with lots of different job functions, Enterprise will make things a lot easier.


You should accept the fact that many people are not happy with the new permissions model.

Assigning alert rules and dashboards to existing roles would be too easy, I guess? I would assume that this would be sufficient for most of the users.

At this point, you are disappointing lots of Graylog users and making a big step backwards in the maturity of the permission model.

I will stay with 3.3 as long as possible…


Is the new Teams feature intended to remain Enterprise-only, or will it find its way into the Community build at some point like the new Views/Dashboards did?

Until GL 3.3 the AD admin (or an L1/L2 with dedicated rights) could manage the Graylog rights through the LDAP mappings.
Now, after the L1/L2 creates the new LDAP users, you have to set the rights manually as GL admin. (I think the GL rights model is not good enough to set the minimum rights properly for an L1/L2; e.g. you can’t assign existing output rights for a user on the streams, etc.)

Our GL project just stopped because of that… :frowning:
If the goal is to trigger some sales I think it will just make people look for other tools.
We considered buying an Enterprise licence, but the price scheme is only focused on business scale (we are public sector).
Or maybe you could consider different levels of GL Enterprise licence.
Pay per plugin or something else…
Pretty frustrated and sad right now. :sleepy:

Today I’ve done a test migration to GL 4. It was very frustrating to see that a feature that was essential for our company was removed from the community version… For many years our users were confident with the roles and permissions processes in GL. Now I have a big piece of infrastructure and automation tasks that I created year by year - just turned to ash…
What does it mean for our company - I think we will stay on 3.x. Too sad.


Same here. This is an essential feature for our company - with this change there will be no chance to upgrade to Graylog 4.x.

We are also deeply disappointed in this decision to essentially gut the open source version of any meaningful authorisation/permissions system, rendering it unusable in anything other than a POC or small-scale deployment.

There are many deployments, some of significant size that require external authorisation support yet simply do not need an enterprise subscription to enable this single feature, nor can they justify its cost for just that single feature.

If Graylog needs a further example of this, have a look at the backtracking on the authentication/authorisation argument within Elasticsearch open source: it got forked by Amazon for not having authentication/authorisation support, amongst other issues. What do you think will happen with the Graylog community?
We’ll either fork it, or write a module for it, or move to another project, none of which benefits you as a commercial entity.


I do feel it is ridiculous. There are no significant new features in Graylog 4. The only reason I’d even consider it is ES7+ support, which should in theory allow cross-cluster queries. But Graylog somehow does not allow for those, which can still be okay, but it eliminates any advantage of going v4 vs v3.

But considering this change plus no significant new features, it does feel to me that Graylog as a company is looking to direct free OSS version users to pay up. And it is their right to do so. Pretty sure some other service will come along to replace Graylog.
