Graylog Open: Active Directory Group Membership

1. Describe your incident:
I am attempting to set up Active Directory authentication. I can successfully authenticate users in the domain with this base DN and search pattern:
Base DN: dc=mydomain;dc=local
Search pattern: (&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0})))

The goal is to create a security group within AD (“Graylog Admins”), assign users to this group, and only allow users of the group to log into Graylog. Thus, I have the search pattern:
(&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0}))(memberOf=CN=Graylog Admins,OU=Service Users,DC=mydomain,DC=LOCAL))

I have tried this - and every other query that I can think of - to make this work, but I always end up with “User does not exist.” What is the proper way to allow only members of a certain group login access to Graylog Open?

2. Describe your environment:

  • OS Information: Almalinux 8.6, Linux 4.18.0-372.26.1.el8_6.x86_64

  • Package Version: Graylog 4.2.12+2c655fb

You want to work under Group Synchronization. Set your Group Search Base DN to the OU containing the AD group you are working with (this assumes the graylog_admins group is in the OU BAT_ROLES):

OU=BAT_ROLES,OU=BAT_ROOM,DC=BATCAVE,DC=LOCAL

Set your Group Search Pattern:

(&(objectClass=group)(cn=graylog_admins))

The rest is up to you but that should get you most of the way there!

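The filters from this thread can be checked offline before they go into Graylog. The following is an added example, not Graylog's code and not either poster's: it builds a constructed directory of two users and one group (the names and the mydomain.local DNs are made up for the example), implements the `&`, `|`, `!` and `attr=value` subset of RFC 4515 that these filters use, and performs the `{0}` substitution with RFC 4515 escaping of the login value. It shows that a `memberOf` test only passes when the DN in the filter matches the group's full DN (case-insensitively, with the exact OU path), that a user outside the group produces an empty result set (the situation behind the "User does not exist" message in the question), and that the group search pattern from the answer finds the group object itself.

```python
import re

# Constructed sample directory (not from the thread): two users and one group.
DIRECTORY = {
    "CN=Bruce Wayne,OU=Users,DC=mydomain,DC=local": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["bwayne"],
        "userPrincipalName": ["bwayne@mydomain.local"],
        "memberOf": ["CN=Graylog Admins,OU=Service Users,DC=mydomain,DC=local"],
    },
    "CN=Alfred Pennyworth,OU=Users,DC=mydomain,DC=local": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["alfred"],
        "userPrincipalName": ["alfred@mydomain.local"],
        "memberOf": [],
    },
    "CN=Graylog Admins,OU=Service Users,DC=mydomain,DC=local": {
        "objectClass": ["top", "group"],
        "cn": ["Graylog Admins"],
        "member": ["CN=Bruce Wayne,OU=Users,DC=mydomain,DC=local"],
    },
}
DN_ATTRS = {"memberof", "member"}  # compared as DNs, not as plain strings

# Filters as they appear in the thread (group name taken from the question).
USER_FILTER = "(&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0})))"
USER_IN_GROUP_FILTER = ("(&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0}))"
                        "(memberOf=CN=Graylog Admins,OU=Service Users,DC=mydomain,DC=LOCAL))")
GROUP_FILTER = "(&(objectClass=group)(cn=Graylog Admins))"


def escape_value(v):
    """RFC 4515 escaping for a value substituted into a filter (what {0} must receive)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in v)


def unescape_value(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def normalize_dn(dn):
    """DNs compare case-insensitively; whitespace after commas is not significant."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse(s, i=0):
    """Recursive-descent parser for the &, |, ! and attr=value forms used in the thread."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, children), i + 1
    j = s.index(")", i)  # an unescaped ')' always terminates a simple item
    attr, value = s[i:j].split("=", 1)  # value itself may contain '=' (a DN)
    return ("=", attr, value), j + 1


def matches(node, entry):
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not any(matches(c, entry) for c in node[1])
    _, attr, raw = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if raw == "*":  # presence test; an escaped \2a is a literal asterisk, not a wildcard
        return bool(values)
    value = unescape_value(raw)
    if attr.lower() in DN_ATTRS:
        return normalize_dn(value) in {normalize_dn(v) for v in values}
    return value.lower() in {v.lower() for v in values}  # AD string matching is case-insensitive


def search(base_dn, filter_template, login=None):
    """DNs under base_dn (subtree scope) matching the filter, with {0} replaced by the escaped login."""
    flt = filter_template.replace("{0}", escape_value(login)) if login is not None else filter_template
    tree, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing characters after filter")
    base = normalize_dn(base_dn)
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if (normalize_dn(dn) == base or normalize_dn(dn).endswith("," + base))
                  and matches(tree, entry))


if __name__ == "__main__":
    base = "dc=mydomain,dc=local"
    print("user search, bwayne:", search(base, USER_FILTER, "bwayne"))
    print("group-restricted, bwayne:", search(base, USER_IN_GROUP_FILTER, "bwayne"))
    print("group-restricted, alfred:", search(base, USER_IN_GROUP_FILTER, "alfred"))
    print("group search:", search("OU=Service Users,DC=mydomain,DC=local", GROUP_FILTER))
```

An empty list from the group-restricted filter is exactly the condition to test for when a login is rejected: confirm with a plain `ldapsearch` (same base DN, same filter with the login substituted) that the account's `memberOf` value is byte-for-byte the group's DN, OU path included, before assuming the bind or the pattern syntax is at fault.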
