LDAP Auth, groups aren't showing

I have LDAP Auth setup for both User and Group mapping.

The test correctly brings back the groups the user is a member of; however, when I go to group mapping I get nothing.

Setup as below:

Search Base DN: cn=users,cn=accounts,dc=example,dc=co,dc=uk
User Search Pattern: (&(objectClass=inetOrgPerson)(uid={0}))
Display Name Attribute: cn

Group Search Base DN: cn=groups,cn=accounts,dc=example,dc=co,dc=uk
Group Search Pattern: (objectClass=groupOfNames)
Group Name Attribute: description
Default User Role: Reader

See Auth Test Below:

    User found 
    Login attempt 
    User's LDAP attributes
    telephonenumber
    07768567567
    mail
    adam@example.com
    ipauniqueid
    95876a32-b11f-11e7-8b52-005056a956c2
    krblastpwdchange
    20180216233849Z
    objectclass
    top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipauser
    loginshell
    /bin/sh
    krbloginfailedcount
    0
    uid
    adam
    homedirectory
    /home/adam
    krbpasswordexpiration
    20180216233849Z
    givenname
    Adam
    mepmanagedentry
    cn=adam,cn=groups,cn=accounts,dc=example,dc=co,dc=uk
    krblastfailedauth
    20180216233923Z
    sn
    Birds
    krbextradata
    �k�Zroot/admin@EXAMPLE.CO.UK
    initials
    AB
    krbcanonicalname
    adam@example.CO.UK
    gidnumber
    1361400003
    krbprincipalname
    adam.birds@example.CO.UK
    mobile
    07786756789
    cn
    Adam
    gecos
    Adam
    uidnumber
    1361400003
    displayname
    Adam
    memberof
    cn=ipausers,cn=groups,cn=accounts,dc=example,dc=co,dc=uk, cn=exampletechnology.graylogadmins,cn=groups,cn=accounts,dc=example,dc=co,dc=uk
    User's LDAP groups
    Example Technology - Graylog Admins
    Default group for all users

Yet all I see on the group mapping page is:

Any ideas, anyone? Thanks.

Are the group descriptions not empty?
Try changing the Group Search Pattern to (objectClass=group).

The description is where my groups' display name is. I'm using FreeIPA, not AD.
Even with the Group Search Pattern set to (objectClass=group), none show in the mapping section, though it picks up which groups my test user is a member of.
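The two things the replies ask about (whether the Group Name Attribute is populated, and what the Group Search Pattern actually matches on a FreeIPA tree) can be checked offline against an LDIF export of the groups subtree. The script below is an added example, not code from the thread or from Graylog; the LDIF is constructed from the group names visible in the auth test plus one made-up group without a description, and it supports only a single `(attr=value)` equality filter.

```python
import re

# Constructed sample export of the FreeIPA groups subtree from the thread:
# the two real group names from the auth test plus one made-up group
# ("nodesc") that has no description. Not real directory data.
SAMPLE_LDIF = """\
dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=co,dc=uk
objectClass: groupofnames
objectClass: nestedgroup
cn: ipausers
description: Default group for all users
member: uid=adam,cn=users,cn=accounts,dc=example,dc=co,dc=uk

dn: cn=exampletechnology.graylogadmins,cn=groups,cn=accounts,dc=example,dc=co,dc=uk
objectClass: groupofnames
objectClass: posixgroup
cn: exampletechnology.graylogadmins
description: Example Technology - Graylog Admins
member: uid=adam,cn=users,cn=accounts,dc=example,dc=co,dc=uk

dn: cn=nodesc,cn=groups,cn=accounts,dc=example,dc=co,dc=uk
objectClass: groupofnames
cn: nodesc
member: uid=adam,cn=users,cn=accounts,dc=example,dc=co,dc=uk
"""

_SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()]+)\)$")

def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> [values]."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def matches(entry, pattern):
    """Evaluate one (attr=value) equality filter case-insensitively, which is
    how the server matches objectClass values (groupOfNames == groupofnames)."""
    m = _SIMPLE_FILTER.match(pattern)
    if not m:
        raise ValueError("only a single (attr=value) filter is supported here")
    attr, value = m.group(1).lower(), m.group(2).lower()
    return any(v.lower() == value for v in entry.get(attr, []))

def list_groups(ldif, search_pattern, name_attr):
    """Mimic the group listing: for every entry matching the search pattern,
    report its DN and the Group Name Attribute value (None when absent)."""
    result = []
    for entry in parse_ldif(ldif):
        if matches(entry, search_pattern):
            result.append((entry["dn"][0], entry.get(name_attr.lower(), [None])[0]))
    return result
```

Running it with `(objectClass=group)` returns nothing, because FreeIPA groups carry `groupofnames`, not the AD `group` class; with `(objectClass=groupOfNames)` all three entries match and only the one without a description comes back nameless.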

Nested groups are currently not supported.

How do I make the groups not nested, then? I just use FreeIPA as my LDAP server. Is this something that is in the pipeline?

Currently we have the following GitHub issue on that:

https://github.com/Graylog2/graylog2-server/issues/1436

We would welcome any PR that adds this to the LDAP module. As you can see, those issues did not have any specific version assigned.
