LDAP exclude user with specific titles from Graylog


(Zero) #1

Hello,
I’m trying to config my Graylog’s LDAP settings in such way that user with specific titles, let’s say, “testers”, will not be allowed to login into Graylog trough LDAP.

From my understanding I have to specify a filter in User Search Pattern?

I tried something like this : (&(objectClass=user)(sAMAccountName={0})(!title=testers))
but sadly it didn’t work. With that setting in Pattern LDAP is not working at all. Could you help?


#2

Hi

Based on yout ldap server, it could be different.
First try it without the title extension. Are you sure the sAMAccountName contains your username.

Based on my little resource, you shoud use ! before (.
(!title=testers) -> (!(title=testers))

You can also try ldapquery to be sure you get back user to your query and exclude any other graylog settings.

// We use a group to control the list of the users who can login to GL
(&(objectClass=user)(cn={0})(memberof=CN=Graylog-Logon,OU=Groups,DC=DOMAIN,DC=internal))


(Zero) #3

That’s the one that works right now :slight_smile:

(&(objectClass=user)(sAMAccountName={0})(!(|(title=testers*))))

This case is solved but right now I’m trying to expand it to also exclude people without any title - field title is empty for them.

I tried doing it like that:

(&(objectClass=user)(sAMAccountName={0})(!(|(title=testers*))(title=*)))

Sadly it does not work.


#4

of course

Check it again.
Syntax error in your query.
Check this part : (!(|(title=testers*))(title=*))
No logical condition between the two title


(Zero) #5

You mean something like this?

(!(|(title=testers*))(|(title=*))))

It does not work too :confused:

Also it looks like even if I try only excluding empty titles it doesn’t filter people too:

(&(objectClass=user)(sAMAccountName={0})(!(|(title=*)))) - does not work


#6

no, it is you original query part.
check the parenthesis
syntax error.
| means OR, but you don’t use any other condition.
(&(objectClass=user)(sAMAccountName={0})(!(title=*)))
OR
(&(objectClass=user)(sAMAccountName={0})(!(title=testers))(title=*))


(Zero) #7

Well the original query works like a charm, it excludes users with title “testers”.

(&(objectClass=user)(sAMAccountName={0})(!(title=*))) - does not

(&(objectClass=user)(sAMAccountName={0})(!(title=testers))(title=*)) - also doesn’t work :confused:

No one is able to log in while above are used


#8

I can’t tell more. Play.


(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.