LDAP authentication fine configuration question

bubba198 · July 6, 2017, 4:27pm

Hi guys,

I have been using LDAP integrated authentication for some time, with group mapping and the setup works like a charm. The roles are mapped nicely and I am happy.

However I would like to prohibit most users from authenticating into Graylog at all. In other words I don’t want most LDAP users to be able to login to the GUI period.

How can that be accomplished? At present the “mortals” only get a minimal default role but they can still login to the GUI? How can I use group membership to completely block an LDAP login, not just use group membership for mapping onto roles?

Any advice would be appreciated!

Thank you

derPhlipsi · July 7, 2017, 9:32am

Hey @bubba198,

you can use a memberof restriction inside your User Search Pattern

Here is one example, that we are using:

(&(objectClass=user)(sAMAccountName={0})(memberof=cn=LDAPGroupName,ou=Groups,ou=Ressourcen,dc=region,dc=company,dc=example,dc=de))

As a breakdown:

(& … ) – Chains all containing bracket groups like (objectClass=user) and (sAMAccountName={0})
(memberof=cn=LDAPGroupName,ou=… – Memberof condition that the userObject has to fullfill. Adapt your ou and dc parameters accordingly to your structure.

Greetings - Phil

bubba198 · July 7, 2017, 2:06pm

@derPhlipsi that’s excellent idea. Thank you! Testing now…

system · July 21, 2017, 2:07pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
LDAP Configuration Help! :( Graylog Central (peer support)	4	753	July 5, 2019
AD/LDAP Authentication with groups, users not found Graylog Central (peer support)	7	6385	January 31, 2020
Block LDAP Users Graylog Central (peer support)	9	1536	March 6, 2021
LDAP Query Group Graylog Central (peer support)	2	4169	February 28, 2017
Lock down user search pattern - LDAP query Graylog Central (peer support)	2	2828	April 4, 2017

LDAP authentication fine configuration question

Related topics