Ldap groups sync but not finding users

1. Describe your incident:

I’m testing out Enterprise in order to use LDAP groups.

I have user sync working correctly and am able to log in with the correct credentials. However, that user gets the default role applied despite being a member of groups with other roles applied to the group.

I’m connecting to an OpenLDAP

Config as seen from the LDAP service overview page:

User Synchronization

Search Base DN: ou=People,dc=example,dc=net
Search Pattern: (&(uid={0})(objectClass=inetOrgPerson)) ## (have also tested just (uid={0}), which works for login but makes no change to the issue)
Name Attribute: uid
Full Name Attribute: displayName
ID Attribute: uidNumber
Default Roles: Reader

Group Synchronization

Group Search Base DN: ou=Group,dc=example,dc=net
Group Search Pattern: (&(objectClass=posixGroup)(cn=somegroups*))
Team Name Attribute: cn
Team Id Attribute: gidNumber
Team Default Roles: -
Selection Type: Include selected groups
Selected Groups: 4 group(s)

The four groups in the edit screen, when I click on “reload matching groups”, show usernames under the members column, but when I save the service and trigger synchronization, it never shows any users for synchronized teams, and when I log in with a user in one of the groups, the user is allowed in but only receives the default role regardless of group membership.

2. Describe your environment:

  • OS Information:
    Ubuntu 20.04.5 LTS fresh install

  • Package Version:
    Graylog 4.3 open that has a trial enterprise license installed.

3. What steps have you already taken to try and solve the problem?
I’ve tried several different Group Search Patterns:
(objectClass=posixGroup)
(&(objectClass=posixGroup)(cn=somegroup*))
(&(objectClass=posixGroup)(cn=somegroup*)(memberUid={0}))

4. How can the community help?

I assume the issue is around the search pattern, I just can’t find the right combination. Or possibly the issue is that the user in ldap doesn’t list anything like memberOf, users are listed as memberUid of the groups.

Thanks!
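The hypothesis in the question (the user entries carry no memberOf; membership lives on the group as memberUid values) is the kind of thing worth checking against the search pattern before touching the server again. The following is an added example, not Graylog's code and not the poster's: a constructed toy directory and a small matcher for the RFC 4515 filter subset used in the thread (&, |, !, equality, `*` wildcards). It shows how the same `{0}` substitution behaves when a posixGroup lists bare uid values (memberUid) versus when a groupOfNames lists full DNs (member), and it escapes the substituted login name so a crafted username cannot rewrite the filter. How Graylog itself substitutes `{0}` and which attribute it uses to resolve team members is not shown on the page and is not asserted here.

```python
import re

# Constructed toy directory (not real data): two users, one posixGroup that lists
# members by bare uid value, and one groupOfNames that lists members by full DN.
DIRECTORY = {
    "uid=bpadgett,ou=People,dc=example,dc=net": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["bpadgett"], "uidNumber": ["10001"], "displayName": ["B. Padgett"],
    },
    "uid=alice,ou=People,dc=example,dc=net": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"], "uidNumber": ["10002"], "displayName": ["Alice"],
    },
    "cn=somegroup-admins,ou=Group,dc=example,dc=net": {
        "objectClass": ["posixGroup"], "cn": ["somegroup-admins"], "gidNumber": ["5001"],
        "memberUid": ["bpadgett", "alice"],  # RFC 2307 style: bare uid values
    },
    "cn=somegroup-readers,ou=Group,dc=example,dc=net": {
        "objectClass": ["groupOfNames"], "cn": ["somegroup-readers"],
        "member": ["uid=bpadgett,ou=People,dc=example,dc=net"],  # full DNs
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def _unescape(piece):
    """Turn \\xx hex escapes back into literal characters for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _split_top_level(s):
    """Split '(a)(b)(c)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def parse_filter(text):
    """Parse the subset used here: &, |, !, equality and '*' wildcards."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[0] in "&|":
        return (body[0], [parse_filter(p) for p in _split_top_level(body[1:])])
    if body[0] == "!":
        return ("!", [parse_filter(body[1:])])
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % body)
    return ("=", attr.strip(), value)


def _values(entry, attr):
    """LDAP attribute names are case-insensitive, so look them up that way."""
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return vals
    return []


def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    vals = _values(entry, attr)
    if pattern == "*":  # presence filter
        return bool(vals)
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in vals)


def search(base_dn, filter_text, placeholder=None):
    """DNs under base_dn matching the filter, after substituting an escaped {0}."""
    if placeholder is not None:
        filter_text = filter_text.replace("{0}", escape_filter_value(placeholder))
    node = parse_filter(filter_text)
    suffix = "," + base_dn.lower()
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if dn.lower().endswith(suffix) and matches(node, entry))


def groups_for_user(login, group_filter, base_dn="ou=Group,dc=example,dc=net"):
    """Groups whose filter matches once {0} is replaced with the login value."""
    return search(base_dn, group_filter, login)
```

With this directory, `(&(objectClass=posixGroup)(cn=somegroup*)(memberUid={0}))` finds the admins group when `{0}` is the bare uid `bpadgett`, while `(&(objectClass=groupOfNames)(member={0}))` finds nothing for the bare uid and only matches when the full user DN is substituted. That is the distinction to confirm on the real server with ldapsearch: whether the group attribute the sync compares against holds uid values or DNs decides which `{0}` value can ever match.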

Hello && Welcome @brantley.whitesky

I think you may be right about the search pattern. Have you checked the log files for any clues?

The only place I’m seeing anything logged is /var/log/graylog-server/server.log

The only entries are:
2022-10-26T16:58:50.680-05:00 INFO [TeamSyncService] Trigger sync for LDAP/xxxxxx
2022-10-26T16:59:30.106-05:00 INFO [TeamSyncService] Trigger sync for LDAP/xxxxxx
2022-10-26T17:00:13.858-05:00 INFO [TeamSyncService] Trigger sync for LDAP/xxxxxx

other than a few times where I’ve changed the Team ID attribute and forgot to delete the existing sync’d groups and get:
2022-10-26T17:00:13.873-05:00 ERROR [AbstractTeamSyncBackend] Couldn’t sync teams
com.mongodb.DuplicateKeyException: Write failed with error code 11000 and error message 'E11000 duplicate key error collection: graylog.teams index: name_1_auth_service_id_1 dup key:

It is just odd that it syncs groups/teams successfully but never shows users for them after they sync…

(ignore the zabbix* part, just picking on those groups for testing this POC)

hey,

What you blurred out, are those the users for that group? Or are you referring to the “Users Overview” section, where you can’t see them?

EDIT nvm I see now

Yeah, sorry for the weird way I had to take the screenshot. Left side is what it shows as synced teams in the overview, right is when I search for groups in the ldap config/group sync section.

I’ve also tried deleting my user ‘bpadgett’, syncing the groups, then logging in as the user but no joy.

Thanks for taking a look at this.

Hey @brantley.whitesky

I just tested this out. What I noticed is you can set the Default Team Roles of the users during the setup, but you can’t set the user to the Team/Group that was sync’d.

I had to manually set the user that was synced into the team I wanted.

I don’t know exactly what’s going on, but maybe ask that question on GitHub; the devs may be able to help understand that better, unless someone else here knows what’s going on.

Will try there, thanks!