Graylog root_username and LDAP lookup

Hi,

We use ‘admin’ as root_username in server.conf and our security team says
they see errors in LDAP logs as if Graylog tries to perform lookups using that user.
Is there a way to prevent Graylog from doing LDAP authentications with the admin user,
or is it best to switch the username to something else?

Maybe it's best if you use an LDAP user with admin rights.
Unfortunately I have never understood why users use admin/root users. It’s for emergency use. Have every user use their own user.

Thanks for your reply.
Everyone is able to log in on our Graylog cluster using their AD user authenticated against our LDAP server. These are regular users, no admin/root users except us sysadmins who have the admin role.
This regards the (I presume) internal root Graylog user (which is called admin).
Does Graylog use that user to perform LDAP queries?

I have the same error message in my Graylog log; it’s probably a bug. LDAP works, but the error is annoying. I tested Graylog 3.1 and 3.2.3.

Rename the root_username to something that is not part of your LDAP, like “graylog_admin_user”, and use this only when LDAP is not working; otherwise use your own unique user, as @macko003 already wrote.

@shoothub rename the default admin in Graylog to something that is not in LDAP and it will work.


Thanks Jan.
Is Graylog using this user when trying to do LDAP authentication?

Can you post the (generic) LDAP error your security group sees?

@tmacgbay I’ll ask them

@jan
How does GL try to auth? First check the local DB, then LDAP, or LDAP first, then local?

@Cato @macko003

You can actually configure the order, and the default is to ask the built-in admin user last. This means that when Graylog itself is polling itself, this will create a request to LDAP, and if the very same username is given, a “wrong password” message; it will then be successful on the last provider, which is the built-in password.

That is the reason the built-in user can be renamed to work around this situation. Rename that user and all is fine.


@tmacgbay

Here’s an example :
03/18/2020 05:34:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=
TaskCategory=Logon
OpCode=Info
RecordNumber=6617470752
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: STODC01$
Account Domain:
Logon ID: 0x3E7

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: admin
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x264
Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:
Workstation Name: STODC01
Source Network Address: 172.26.100.28
Source Port: 42244

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

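As an added example (not code from the thread, from Graylog, or from the poster's security team), the correlation a security team could run over exported Security-log text in the layout of the 4625 event above: split the export into events, pull the target account, sub status and source address of each failed logon, and flag only the ones where the account equals the Graylog root_username and the source is a Graylog node. The first sample event copies the posted one; the other two events, the account jdoe and the hosts 10.0.0.5 and 10.0.0.9 are constructed, and the set of Graylog node addresses is an assumed input.

```python
"""Correlate Windows 4625 (failed logon) events with a Graylog root_username.

Added example, not code from the thread or from Graylog. The first event copies
the field layout of the one posted above; the other two events, the account
jdoe and the hosts 10.0.0.5 and 10.0.0.9 are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# NTSTATUS sub-status values Windows records in 4625 events.
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "user name exists but the password is wrong",
    "0xC0000072": "account is disabled",
    "0xC0000234": "account is locked out",
}

# Constructed sample input (three events, same layout as the posted one).
SAMPLE_EVENTS = """\
03/18/2020 05:34:51 PM
LogName=Security
EventCode=4625
Message=An account failed to log on.

Subject:
Account Name: STODC01$
Logon ID: 0x3E7

Account For Which Logon Failed:
Account Name: admin
Account Domain:

Failure Information:
Status: 0xC000006D
Sub Status: 0xC000006A

Network Information:
Workstation Name: STODC01
Source Network Address: 172.26.100.28
Source Port: 42244

03/18/2020 05:36:02 PM
EventCode=4625
Subject:
Account Name: STODC01$
Account For Which Logon Failed:
Account Name: jdoe
Sub Status: 0xC000006A
Source Network Address: 10.0.0.5

03/18/2020 05:40:17 PM
EventCode=4625
Subject:
Account Name: STODC01$
Account For Which Logon Failed:
Account Name: admin
Sub Status: 0xC000006A
Source Network Address: 10.0.0.9
"""

EVENT_START = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$", re.M)


@dataclass
class FailedLogon:
    timestamp: str
    account: str
    sub_status: str
    source_ip: str

    @property
    def reason(self) -> str:
        return SUB_STATUS.get(self.sub_status, "unknown sub status")


def _field(text: str, label: str) -> str:
    """Value of the first 'Label: value' or 'Label=value' line, '' if absent."""
    m = re.search(rf"^{re.escape(label)}[=:][ \t]*(.*)$", text, re.M)
    return m.group(1).strip() if m else ""


def parse_4625_events(log_text: str) -> List[FailedLogon]:
    """Split exported Security-log text on timestamp lines and keep the 4625s."""
    starts = [m.start() for m in EVENT_START.finditer(log_text)]
    events = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(log_text)
        chunk = log_text[start:end]
        if _field(chunk, "EventCode") != "4625":
            continue
        # The Subject block also carries an "Account Name" (the DC's machine
        # account); the target user is the one after "Account For Which Logon Failed:".
        target = chunk.split("Account For Which Logon Failed:", 1)[-1]
        events.append(FailedLogon(
            timestamp=chunk.splitlines()[0].strip(),
            account=_field(target, "Account Name"),
            sub_status=_field(target, "Sub Status"),
            source_ip=_field(target, "Source Network Address"),
        ))
    return events


def graylog_root_probes(events: List[FailedLogon], root_username: str,
                        graylog_hosts: Set[str]) -> List[FailedLogon]:
    """Failed logons that look like Graylog trying its built-in root user
    against the DC: same account name as root_username, from a Graylog node."""
    return [e for e in events
            if e.account.lower() == root_username.lower()
            and e.source_ip in graylog_hosts]


if __name__ == "__main__":
    parsed = parse_4625_events(SAMPLE_EVENTS)
    for e in graylog_root_probes(parsed, "admin", {"172.26.100.28"}):
        print(f"{e.timestamp} {e.source_ip} -> {e.account}: {e.reason}")
```

Only the first event is flagged: it is the root_username coming from the Graylog node. The third event uses the same account name but comes from another host, so it stays visible as a real failed logon rather than being dropped with the Graylog noise. The sub status is worth keeping in the output: 0xC000006A means the DC found an account with that name and rejected the password, whereas 0xC0000064 means the name does not exist, which is the state the rename to a name outside LDAP is meant to produce.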

@jan

I have changed the order of the authentication providers. If that doesn’t help, I’ll rename the user.

Great!
Thanks for the information.

This was solved by renaming the Graylog admin user:

root_username = graylog_admin_user

