We have had Graylog running for a year now and I did a verification of the whole system.
During that, I noticed a strange behaviour with LDAP users.
The first users with whom we did the training initially had the “admin” role assigned, as we had no clean LDAP mapping at the start.
Now I’ve configured that all new users have “reader” access and a group called “ServiceDesk” via “Additional default Roles”. The Role “ServiceDesk” has only read-permissions to Dashboard/Streams.
Additionally, I have created 4 AD-Groups and mapped them to Roles in Graylog.
All of the Roles have only READ-Access to Dashboard / Streams.
Now I have a few users who always get the Admin role assigned after login.
I tried to delete them in the WebGUI and in the MongoDB, but after re-login, the Admin-Role is still assigned.
Do you have any hint how I can debug it?
I also tried to create a local user with the same username and it was immediately overridden by the LDAP authentication.
The login provider order is:
API Tokens (disabled)
Admin user (active)