LDAP authentication with multiple OUs and default roles

I am running Graylog 4.0.6 with the SME enterprise plugins and wanted to integrate the LDAP/AD authentication based on the OUs I have defined there. The setup is like this:

OUBase [All users]

  • OU1 [Users that shoud have admin role]
  • OU2 [Users that should have reader role only]
  • OU3 [Users that must not have any access to Graylog at all]

Since I can only have one authenticaion service active, what is the suggested setup to integrate OUs 1 and 2 but not 3 including their appropriate roles?

If there would be the possiblility to have multiple authentication services active in parallel, means tied to OU1 and OU2, this would do the trick. But that seems not to be possible.

On the other hand, if I include the authentication service tied to the OUBase this enables OU3 to authenticate as well.

With the SME enterprise plugins I can use groups definitions and override the roles (why does this not get shown on the users overview btw?). However, can I also exclude users from logging in?

Thanks for any thoughts on this and best regards,


LDAP filters to LDAP/AD must query members of groups (CN) rather than members of organization units (OU). So you need to create groups and point users to this groups. Then you can use filter like:

(&(objectClass=user)(sAMAccountName={0})(|(memberof=CN=GraylogAdmins,CN=Users,DC=company,DC=local)                 (memberof=CN=GraylogReaders,CN=Users,DC=company,DC=local)))

This query assumes, that groups are in Users container.

Thanks shoothub, this works nicely!