Graylog doesn't map AD Goups

I have Graylog 2.3.2 successfully authenticating users against an AD Server. But I can’t map groups. I know this topic appeared before, but haven’t found any successful solution.

ServerType: AD
Server Address: ldap://srvdc01:389

BaseDn: ou=Usuarios,DC=company,dc=net
Search Pattern: (saMAccount={0})
Dispaly Name Attribute: DisplayName

GROUP Mapping
GroupSearch Base DN: ou=Seguridad,ou=Grupos,DC=company,dc=net
Group Search Pattern (&(objectClass=group)|((cn=AppsDESA)(cn=GRO)))
Groupname Attribute: cn

I´ve tested with a simpler Search pattern, just objectClass=group. Without success

Are you 100% sure, that groups are located in right OU?
Because by default AD groups are located under cn=user,dc=company,dc=com

Another issue I see, that you use bad group search pattern, your pattern should be:
(&(objectClass=group)(|(cn=Apps DESA)(cn=GRO)))

You should always check if your ldap filter is right. Easiest way is to open mmc console Active Directory Users and Computers - Saved Searches - New query. In your case, try to simulate your query, filling up field like this: Query root: browse OU Seguridad under OU Grupos. After that click Define Query… in find selectbox choose Custom search and in tab Advanced insert your query. Click OK. And then try to find your groups - click Refresh if you change something in query. That way you can try if your query is OK.
The last step will be to insert query in graylog.

Check also this great articles:

1 Like


first check what @shoothub wrote and in addition you might want to move away from this ancient version. I do not know how well that ldap group mapping worked in that version …

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.