Graylog API help

Hello There,

I want to know how I can add user without password & email in graylog api I am using below command which is helping me to add user in graylog but it needs password and email info to get executed.

curl -i -X POST -u $GRAYLOGUSER:$GRAYLOGPASSWORD -H ‘Content-Type: application/json’ -H ‘X-Requested-By: cli’ ‘http://graylog-core:9000/graylog/api/users’ -d ‘{“username”: “$grayrusers”,“password”: “hello”,“email”: “$grayrusers@example.com”,“full_name”: “$grayusers”,“permissions”: ["*"],“timezone”: “UTC”,“session_timeout_ms”: “28800000”,“startpage”: null,“roles”: [“Read all”]}’

Operating system information
Debian
Package versions
Graylog 3.3.10
Elasticsearch 6.8.13
Mongo 4.2.11

can you please help how I can create user with API without password and email information.

Regards,
SAM

Why do you want to create a user without password? If password and email is mandatory fields, you can’t do it without it.

2 Likes

Hello @shoothub

I want to sync ldap user with graylog for the same I am using shell script at startup of graylog,

since SSO is prompting login page so I want to bypass that login page and though of creating user by checking ldap so that graylog will be up with all the user and it wont ask any password page,

If you can suggest any option to synch all user or disable login prompt for graylog then it would be great, honestly I am not expert in graylog and not sure weather password and email fields are mandatory i want want to check if I can create user without those field in graylog api.

Please guide if you have any alternative.:slight_smile:

Regards,
SAM

Hello,

Just chiming in.

If you under 5GB day the Graylog Enterprise version is free. I think that would open up more option for you.

I think your using SSO Graylog Plugin, am I correct? Part of SSO is using a User/Password. Depending how you setup your environment. To be honest after reading your post why would you not want to secure your environment with a user/ password and not have a logon Prompt? This is a security risk. Out of curiosity, if you don’t want a username/password, email, and logon prompt why even have LDAP or SSO? What are you trying to accomplish?

Hello @gsmith

Thank you for your response, we have Graylog v4.0.6 and as we can see SSO plugin is integrated with this version where as in earlier version we need to place sso plugin jar to specific path to get this done,

current issue is I want user to access graylog with ldap credentials but it is not working since no users are present in graylog, to mitigate that I thought of having script that will refer ldap and add missing user at start, but as in graylog api I saw that we need to mention password so again it will mess everything, this is the main reason i wanted to create user in graylog via api without password,

basically I want to have preconfigured graylog which can work either with SSO or LDAP so that we can avoid manual user creation.

hope my use case is has more clarity now, please guide or suggest some workaround.

Regards,
SAM

Ummmm

Sorry I’m confused on what version you have.

The core feature of the old SSO plugin (trusted HTTP header authentication) got integrated in the server.

System User DN is for the initial connection to the LDAP server, e.g. cn=admin,dc=example,dc=com, this might be optional depending on your LDAP server. For us this user is not in our section of “User & Teams”.

The steps I would take.

  1. Make sure all users in your environment are in the LDAP server
  2. Create a service account in LDAP which would be a username/password for only connecting to the LDAP server from Graylog (i.e. srvc-graylogldap). Make sure this user created has the right permission to do so.
  3. Go to Graylog and Create Service (LDAP) using that user (i.e. srvc-graylogldap).
  4. Test the connection and if problems occur fix them.

  1. logon Graylog with any users form your environment.
  2. Should be good

I personally would make sure my LDAP connection is working properly before moving on to SSO.
What I explained above will work. If it doesn’t, come back and show us why it didn’t work and we would be more then happy to help.