Graylog AD integration fails

Getting this error setting up AD integration:

It looks like the user was found in AD but authentication fails.
Let me know if you need more info about my AD.

Please, any help will be appreciated.
jc

That is the server's response. You can also check your AD's log for more information.
But you didn't share your LDAP settings in Graylog, so how can we help more?

Thank you for answering back. Please let me know if this is what you are asking for:
Search Base DN: cn=users,dc=lan,dc=leiszler,dc=org

User Search Pattern: (|(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberOf=CN=Graylog,DC=lan,DC=leiszler,DC=org))

Display Name attribute: displayName
Group Search Base DN: dc=lan,dc=leiszler,dc=org
Group Search Pattern: (&(objectClass=group)(cn=graylog*))
Group Name Attribute: cn

regards
jc

I'm not sure the username with $ is a good choice. Have you tried with a normal user?

What do you mean, "the user name with $"?

jc

In the screenshot you posted, there is a user LEISZLER$ in the field samaccountname. The username with $ at the end could cause your problem. Try to use a username without $.


That is not the user name I passed via the web interface login test; the user name I input there was jricardo, not LEISZLER$. I think that is an issue, or I'm doing something wrong in the configuration (probably this is the case).

Are you sure this field contains your username?

How can I check that? I'm passing that user via the web interface. Is there a way to check that the user I input on the web is the one AD is getting?

jc

You can contact your AD administrator, or check in AD yourself.

  1. Try to change your Search Base DN to: DC=lan,DC=leiszler,DC=org. Because you are trying to search for users with a group membership that is at a higher LDAP tree level, which couldn't work.

  2. Check if you are using the right group path for LDAP. Is Graylog a normal group right in the domain, or is it in the normal Users OU? Normal groups are situated in the Users OU, so in that situation the correct path will be: memberOf=CN=Graylog,CN=Users,DC=lan,DC=leiszler,DC=org

  3. Try to use this LDAP filter, which filters only real user accounts and not mail contacts:
    (&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberOf=CN=Graylog,DC=lan,DC=leiszler,DC=org))

  4. Try to use a username with the format: username@leiszler.org
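The difference between the `|` (OR) filter and the `&` (AND) filter discussed above is easy to see with a small filter evaluator. What follows is an added example, not code from this thread or from Graylog: a minimal parser for the RFC 4515 filter syntax (&, |, !, equality, `*` wildcards, `\XX` escapes) run against a constructed directory. The entries, their attributes and their placement (a computer account named LEISZLER$, a mail contact, the user jricardo and the Graylog group) are assumed for illustration; the only things taken from the thread are the two filters and the base DN. The example also escapes the `{0}` substitution the way a real LDAP client must, so a login name cannot inject filter syntax, and it rejects filters whose parentheses are unbalanced.

```python
"""Toy evaluator for LDAP search filters (RFC 4515 subset).

Added example for the Graylog AD thread. DIRECTORY below is constructed,
not a dump of anyone's Active Directory.
"""
import re

BASE = "DC=lan,DC=leiszler,DC=org"

# Attribute names are stored lower-cased because LDAP attribute matching is
# case-insensitive. A computer object in AD has objectClass=user but
# objectCategory=computer, which is exactly the entry an OR filter picks up.
DIRECTORY = [
    {"dn": f"CN=LEISZLER,OU=Domain Controllers,{BASE}",
     "attrs": {"objectcategory": ["computer"],
               "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
               "samaccountname": ["LEISZLER$"]}},
    {"dn": f"CN=jricardo,CN=Users,{BASE}",
     "attrs": {"objectcategory": ["person"],
               "objectclass": ["top", "person", "organizationalPerson", "user"],
               "samaccountname": ["jricardo"],
               "memberof": [f"CN=Graylog,CN=Users,{BASE}"]}},
    {"dn": f"CN=Mail Contact,CN=Users,{BASE}",  # a contact: person, but not a user
     "attrs": {"objectcategory": ["person"],
               "objectclass": ["top", "person", "organizationalPerson", "contact"]}},
    {"dn": f"CN=Graylog,CN=Users,{BASE}",
     "attrs": {"objectcategory": ["group"], "objectclass": ["top", "group"],
               "cn": ["Graylog"], "samaccountname": ["Graylog"]}},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (Graylog's {0})."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def parse_filter(text):
    """Parse a filter string into a tree; raise ValueError if it is malformed."""
    end, node = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters at offset {end}: {text[end:]!r}")
    return node


def filter_is_valid(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            i, kid = _parse(s, i)
            kids.append(kid)
    elif i < len(s) and s[i] == "!":
        i, kid = _parse(s, i + 1)
        op, kids = "!", [kid]
    else:
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated assertion")
        attr, _, value = s[i:j].partition("=")
        return j + 1, ("=", attr.strip().lower(), value)
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1, (op, kids)


def _value_regex(value):
    """Assertion value -> regex: unescaped '*' is a wildcard, \\XX is a literal byte."""
    out, i = ["^"], 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(value[i]))
            i += 1
    out.append("$")
    return re.compile("".join(out), re.IGNORECASE)


def matches(node, attrs):
    kind = node[0]
    if kind == "&":
        return all(matches(k, attrs) for k in node[1])
    if kind == "|":
        return any(matches(k, attrs) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    rx = _value_regex(value)
    return any(rx.match(v) for v in attrs.get(attr, []))


def search(base_dn, filter_template, username, directory=DIRECTORY):
    """Return the DNs under base_dn that match the template with {0} = username."""
    node = parse_filter(filter_template.replace("{0}", escape_filter_value(username)))
    base = base_dn.lower()
    return [e["dn"] for e in directory
            if (e["dn"].lower() == base or e["dn"].lower().endswith("," + base))
            and matches(node, e["attrs"])]


# The OR filter as posted in the thread, and the AND filter with the group's
# DN under CN=Users (the placement assumed for the constructed group above).
OR_FILTER = ("(|(objectCategory=person)(objectClass=user)(sAMAccountName={0})"
             f"(memberOf=CN=Graylog,{BASE}))")
AND_FILTER = ("(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})"
              f"(memberOf=CN=Graylog,CN=Users,{BASE}))")

if __name__ == "__main__":
    for name, flt in (("OR", OR_FILTER), ("AND", AND_FILTER)):
        print(name, search(BASE, flt, "jricardo"))
```

With the OR filter, every person and every object of class user matches, so the search returns the computer account and the mail contact alongside jricardo; whichever of those the server lists first is the DN Graylog then tries to bind with the password you typed, which explains seeing LEISZLER$ in the result. The AND filter returns jricardo alone, and it returns nothing at all if the memberOf DN does not match the group's real location, which is why point 2 matters.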

Thanks, I will try your advice!

jc

Weird, when I tried using user@domain in the Login Test on the web interface, this is what happens.
Same if using lan\user.
Using the username only, the error clears (see below).


So GL has no issues finding the AD user. I think the issue is in the authentication process; this is a new error!

MessageType : BIND_RESPONSE
Message ID : 10
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : '80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580'

SOLVED! Using this:
