LDAP authentication fine configuration question


(bubba198) #1

Hi guys,

I have been using LDAP integrated authentication for some time, with group mapping and the setup works like a charm. The roles are mapped nicely and I am happy.

However I would like to prohibit most users from authenticating into Graylog at all. In other words I don’t want most LDAP users to be able to login to the GUI period.

How can that be accomplished? At present the “mortals” only get a minimal default role but they can still login to the GUI? How can I use group membership to completely block an LDAP login, not just use group membership for mapping onto roles?

Any advice would be appreciated!

Thank you


(Philipp Ruland) #2

Hey @bubba198,

you can use a memberof restriction inside your User Search Pattern :slight_smile:

Here is one example, that we are using:

(&(objectClass=user)(sAMAccountName={0})(memberof=cn=LDAPGroupName,ou=Groups,ou=Ressourcen,dc=region,dc=company,dc=example,dc=de))

As a breakdown:

  • (& … ) – Chains all containing bracket groups like (objectClass=user) and (sAMAccountName={0})
  • (memberof=cn=LDAPGroupName,ou=… – Memberof condition that the userObject has to fullfill. Adapt your ou and dc parameters accordingly to your structure. :slight_smile:

Greetings - Phil


(bubba198) #3

@DerPhlipsi that’s excellent idea. Thank you! Testing now…


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.