1. Describe your incident:
I’m testing out Enterprise in order to use LDAP groups.
I have user sync working correctly and am able to log in with the correct credentials. However, that user gets the default role applied despite being a member of groups that have other roles applied.
I’m connecting to an OpenLDAP server.
Config as seen from the LDAP service overview page:
User Synchronization
Search Base DN: ou=People,dc=example,dc=net
Search Pattern: (&(uid={0})(objectClass=inetOrgPerson)) ## (I have also tested just (uid={0}), which works for login but does not change the issue)
Name Attribute: uid
Full Name Attribute: displayName
ID Attribute: uidNumber
Default Roles: Reader
Group Synchronization
Group Search Base DN: ou=Group,dc=example,dc=net
Group Search Pattern: (&(objectClass=posixGroup)(cn=somegroups*))
Team Name Attribute: cn
Team Id Attribute: gidNumber
Team Default Roles: -
Selection Type: Include selected groups
Selected Groups: 4 group(s)
The four groups in the edit screen, when I click on “reload matching groups”, show usernames under the members column. But when I save the service and trigger synchronization, it never shows any users for the synchronized teams, and when I log in with a user in one of the groups, the user is allowed in but only receives the default role regardless of group membership.
2. Describe your environment:
- OS Information: Ubuntu 20.04.5 LTS, fresh install
- Package Version: Graylog 4.3 Open with a trial Enterprise license installed.
3. What steps have you already taken to try and solve the problem?
I’ve tried several different Group Search Patterns:
(objectClass=posixGroup)
(&(objectClass=posixGroup)(cn=somegroup*))
(&(objectClass=posixGroup)(cn=somegroup*)(memberUid={0}))
4. How can the community help?
I assume the issue is around the search pattern; I just can’t find the right combination. Or possibly the issue is that the user in LDAP doesn’t list anything like memberOf; users are listed as memberUid in the groups.
Thanks!
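As an added example (not part of the original post and not Graylog's own team-sync code), the script below evaluates the three Group Search Patterns from the post against a constructed directory laid out like the one described: an inetOrgPerson under ou=People with no memberOf attribute, and posixGroups under ou=Group whose membership is recorded only as memberUid. It shows which groups each pattern returns once {0} is substituted with the login name, and resolves membership from the group side the way a posixGroup directory requires. The filter evaluator is a deliberate simplification of RFC 4515 (AND/OR/NOT, equality, and `*` wildcards only, case-insensitive, no escaping); the entries, uids and gidNumbers are made up.

```python
import re

# Constructed sample directory (not real data): one inetOrgPerson under
# ou=People and three posixGroups under ou=Group. Membership lives only in
# memberUid on the group side; the user carries no memberOf, as in the post.
USERS = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=net",
     "attrs": {"objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
               "uidNumber": ["1001"], "displayName": ["Jane Doe"]}},
]
GROUPS = [
    {"dn": "cn=somegroup-admins,ou=Group,dc=example,dc=net",
     "attrs": {"objectClass": ["posixGroup"], "cn": ["somegroup-admins"],
               "gidNumber": ["2001"], "memberUid": ["jdoe", "asmith"]}},
    {"dn": "cn=somegroup-readers,ou=Group,dc=example,dc=net",
     "attrs": {"objectClass": ["posixGroup"], "cn": ["somegroup-readers"],
               "gidNumber": ["2002"], "memberUid": ["asmith"]}},
    {"dn": "cn=othergroup,ou=Group,dc=example,dc=net",
     "attrs": {"objectClass": ["posixGroup"], "cn": ["othergroup"],
               "gidNumber": ["2003"], "memberUid": ["jdoe"]}},
]


def parse_filter(text):
    """Parse a subset of RFC 4515 filters: (&...), (|...), (!...) and
    attr=value with '*' wildcards. Returns a nested tuple tree.
    Simplified on purpose: no escaping, no >=, <=, ~= or extensible matches."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, subs)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _values(attrs, name):
    """Attribute names are case-insensitive in LDAP; an absent attribute is []."""
    for key, vals in attrs.items():
        if key.lower() == name.lower():
            return vals
    return []


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op = tree[0]
    if op == "&":
        return all(matches(t, attrs) for t in tree[1])
    if op == "|":
        return any(matches(t, attrs) for t in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, pattern = tree
    # '*' is the only wildcard; a bare '*' acts as a presence test.
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in _values(attrs, attr))


def search(entries, pattern, login):
    """Substitute {0} with the login name, then return the DNs of matching entries."""
    tree = parse_filter(pattern.replace("{0}", login))
    return [e["dn"] for e in entries if matches(tree, e["attrs"])]


def groups_for_user(groups, login):
    """Membership resolved the posixGroup way: the login appears in memberUid."""
    return [g["dn"] for g in groups if login in _values(g["attrs"], "memberUid")]


if __name__ == "__main__":
    for pattern in ["(objectClass=posixGroup)",
                    "(&(objectClass=posixGroup)(cn=somegroup*))",
                    "(&(objectClass=posixGroup)(cn=somegroup*)(memberUid={0}))"]:
        print(pattern, "->", search(GROUPS, pattern, "jdoe"))
    print("memberOf on user:", search(USERS, "(memberOf=*)", "jdoe"))
    print("posixGroup membership for jdoe:", groups_for_user(GROUPS, "jdoe"))
```

Running it shows the difference between the three patterns: the first two return the same groups for every login (they select groups, not memberships), while the third, after `{0}` is replaced, returns only the groups whose memberUid contains that login. A presence test for memberOf on the user returns nothing, so any membership check on this directory has to be answered from the group entries, which is what groups_for_user does.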