Graylog LDAP setting not saving

(Zero) #1

Hello, I have a cluster of 3 Graylogs. I’m setting up LDAP on one of them and everything is working fine, but those settings are not propagating to the other 2 Graylogs, nor can I configure LDAP on them manually, because LDAP settings are not saving on those 2 Graylogs.

I tried dropping the ldap_settings collection from MongoDB. It did reset the LDAP settings on the 1 Graylog that was configured, but sadly it didn’t help much - after configuring LDAP on 1 Graylog this problem still occurs - I’m still unable to configure LDAP on the other 2 Graylogs.

I also tried dropping the ldap_settings collection and then restarting the whole Graylog cluster before setting up LDAP again - it didn’t help either.

What I didn’t do is restart MongoDB after dropping ldap_settings, but that would be the “last stand” thing for me to do. Could you guys help?

(Philipp Ruland) #2

Heyo @Zerobot,

what Graylog version are you running on?

On which Graylog node are you setting the LDAP settings? The master?

Have you tried if the LDAP auth works on all nodes after setting them on the master? If you can use LDAP auth on all three nodes (when addressing them via their URL individually) but the LDAP settings are only shown on one node, I would guess that this is a simple visual glitch :slight_smile:
Can you check this and report about it? :slight_smile:


(Zero) #3

My Graylog version is : Graylog v2.4.6+ceaa7e4

Yeah, I was setting it up on the Master Node. Right now, after dropping ldap_settings and restarting the Graylog cluster, my LDAP settings are not saving at all, not even on 1 node. Sadly LDAP does not work on any node right now, and before that it only worked on 1 node (the one which had LDAP settings saved). Funniest part is LDAP works perfectly on my test infrastructure (it’s a mirror of our prod infrastructure, so 3 Graylogs too). Sad part is: Prod is the one where LDAP does not work, and I didn’t set up Prod myself, but it looks okay. MongoDB has a replica set, it works fine with everything else, only LDAP does not :confused:

(Jan Doberstein) #4

@Zerobot, to be honest, that sounds like something is set up completely wrong.

When adding new nodes to a Graylog installation, just copy the configuration files from the first instance, change is_master to false and start the new instance. No need to configure anything on each node in a setup - that is what MongoDB is used for - sharing the configuration.

You should recheck the setup.

(Zero) #5

I’ve checked my config multiple times and the same configuration is working on my test infrastructure.

It looks like MongoDB is actually saving ldap_settings on all 3 mongos in my graylogRS cluster, but only the Graylog node on which I set up those settings (the Graylog master, btw) is able to save LDAP settings, and they are working only on this Graylog master node. So basically: the MongoDB cluster is working, but somehow my other 2 Graylog nodes are not reading ldap_settings from it. And this issue is only connected to LDAP settings; every other setting works just fine on all Graylog nodes. No matter where I set something like a new dashboard or extractor, it propagates to all 3 Graylog nodes like it should :confused:

(Jan Doberstein) #6

I’m sad that you have these problems running Graylog in a proper way. But it sounds like your MongoDB setup is broken, or some other settings from your replica set are not as they should be - or that your MongoDB connection string from the Graylog configuration is not what it should be.

Without looking at your configurations and maybe debugging your setup, it is not possible to help you with the :crystal_ball:

(Zero) #7

This is a really strange issue. I’ve changed the MongoDB primary from 0 => 2, problem still occurs. Mongo is saving everything; ldap_settings are saved on all 3 nodes after configuring them in Graylog. Config is fine, checked it 10 times. If there was any problem with the MongoDB connection string, other Graylog cluster settings like users, permissions, new dashboards etc. wouldn’t propagate to the whole Graylog cluster, but they actually do. This issue is connected to setting LDAP in Graylog only.

Edit: Yeah well … Looks like everything except LDAP will work just fine even if the Graylogs have different password_secret values, but, as you said before, Graylog configs should be exactly the same; only the IP addresses/FQDN of the Graylog node + is_master should be set independently.

Looks like I’m blind, and the person who set up our PROD infrastructure set a different password_secret for every Graylog node, which made LDAP unable to work. It is strange that everything else was working, but maybe I have too little understanding of Graylog right now.

Anyway, running use graylog and db.ldap_settings.drop() on the mongo primary and setting the same password_secret in all Graylog nodes’ server.conf solved my problem; LDAP settings are now saving and propagating to all nodes.
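
A check for the cause found in post #7, as an added example that is not part of the original thread: it fingerprints password_secret in a copy of each node's server.conf and reports whether all nodes share one value, without printing the secret. The file names and secret values are constructed, and the script assumes the "key = value" layout of server.conf.

```shell
#!/bin/sh
# Added example: verify that every Graylog node uses the same password_secret.
# Assumes server.conf uses "key = value" lines; run it on copies of each node's file.

# Print the last uncommented value assigned to key $1 in file $2.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print a short SHA-256 fingerprint of password_secret so the secret itself is never shown.
secret_fingerprint() {
    secret=$(conf_value password_secret "$1")
    if [ -z "$secret" ]; then echo MISSING; return 0; fi
    printf '%s' "$secret" | sha256sum | cut -c1-12
}

# Report each file's fingerprint and is_master; return 0 only if all secrets are set and identical.
check_cluster_secret() {
    fps=""
    for f in "$@"; do
        fp=$(secret_fingerprint "$f")
        printf '%s  password_secret=sha256:%s  is_master=%s\n' "$f" "$fp" "$(conf_value is_master "$f")"
        fps="$fps$fp
"
    done
    case "$fps" in *MISSING*) return 1 ;; esac
    [ "$(printf '%s' "$fps" | sort -u | wc -l)" -eq 1 ]
}

# Constructed sample configs: node3 carries a different secret, as in the thread.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'is_master = true\npassword_secret = constructed-sample-secret-AAAA\n'  > "$demo/node1.conf"
printf 'is_master = false\npassword_secret = constructed-sample-secret-AAAA\n' > "$demo/node2.conf"
printf 'is_master = false\npassword_secret = constructed-sample-secret-BBBB\n' > "$demo/node3.conf"

if check_cluster_secret "$demo"/node*.conf; then
    echo "OK: password_secret is identical on all nodes"
else
    echo "MISMATCH: password_secret differs or is missing on at least one node"
fi
```

Comparing fingerprints rather than the raw values keeps the secret out of terminal scrollback and ticket attachments.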
