1. Describe your incident:
cannot add active directory users through user synchronization in authentication services
2. Describe your environment:
OS Information:
ubuntu 22.04
Package Version:
graylog 5
Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
1. LDAP configured on port 636 and test server connection OK.
2. User synchronization configured and user login test OK:
   search pattern: (&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0})))
   name attribute: userPrincipalName
3. Active Directory activated.
4. The View active service page says "No synchronized users have been found".
4. How can the community help?
Am I missing something in the configuration steps?
Thanks for the help!
@ershad-ra thanks for the post. Stay tuned for responses from your peer practitioners in the community. They typically help fellow members resolve issues quickly.
I have a suggestion in the form of a checklist that might help you determine if you’re missing any steps.
Please let me know if it’s helpful.
Based on the information you provided, it sounds to me like the issue may be related to the user synchronization configuration.
Checklist
Verify that the user synchronization configuration is set up correctly. Double-check the search pattern and name attribute to make sure they match the configuration of your Active Directory server.
Check the logs in Graylog to see if there are any error messages or warnings related to user synchronization. I’d look for any messages that indicate a problem with connecting to the Active Directory server, or with retrieving user information.
Check the Active Directory server logs to see if there are any error messages or warnings that could be related to the issue.
Make sure that the user account being used for user synchronization has the appropriate permissions in Active Directory. The account should have read access to the user objects in Active Directory.
Have you made any recent changes to the Active Directory server, such as adding or removing groups? Try synchronizing the users again to see if you see the changes in Graylog.
Before answering - think of obfuscating your information… but keep it consistent between answers so we can be clear about what is going on.
What is your search Base DN? You can limit where you are searching for users with that. i.e. OU=users,OU=companyName,DC=domainName,DC=domainType
Consider examining and refining your search pattern to make sure it's correct for your environment: (&(objectClass=user)(sAMAccountName={0})(objectCategory=person)(memberOf=CN=graylog-people,OU=groups,OU=Employees,DC=domainName,DC=domainType))
In this case we would be going off sAMAccountName, so that would be your Name Attribute.
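A way to sanity-check a search pattern and base DN offline before putting them into Graylog, as an added example that is not part of the thread or of Graylog itself: a small evaluator for the AD-style filters quoted above, run against constructed user entries. It assumes the login name contains no LDAP filter metacharacters, and the entries, DNs and the `graylog-people` group are constructed sample data.

```python
# Added example (not Graylog code): evaluate an LDAP search pattern plus base DN
# against constructed AD-like entries to see which users a login test would find.
# Supports &, |, ! and equality; {0} is the login name, assumed already escaped.
import re

def parse(f):
    """Parse a filter string into a nested tuple; returns (node, unparsed_rest)."""
    assert f[0] == "(", f
    if f[1] in "&|!":
        op, rest, kids = f[1], f[2:], []
        while rest[0] == "(":
            node, rest = parse(rest)
            kids.append(node)
        assert rest[0] == ")", rest
        return (op, kids), rest[1:]
    m = re.match(r"\(([^=)]+)=([^)]*)\)", f)   # value may itself contain '=' (a DN)
    return ("=", m.group(1), m.group(2)), f[m.end():]

def matches(node, entry):
    """Evaluate a parsed filter; entry maps lower-cased attribute -> list of values."""
    if node[0] == "=":
        vals = entry.get(node[1].lower(), [])
        return any(v.lower() == node[2].lower() for v in vals)   # AD compares case-insensitively
    op, kids = node
    results = [matches(k, entry) for k in kids]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]

def in_base(dn, base_dn):
    """Subtree scope: the entry must sit under the base DN, not merely share a suffix."""
    return dn.lower().endswith("," + base_dn.lower())

def find_user(login, pattern, base_dn, directory):
    """Return the DNs the login test would consider for `login` with this pattern/base."""
    node, _ = parse(pattern.replace("{0}", login))
    return [dn for dn, e in directory.items() if in_base(dn, base_dn) and matches(node, e)]

DEFAULT = "(&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0})))"
GROUP = ("(&(objectClass=user)(sAMAccountName={0})(objectCategory=person)"
         "(memberOf=CN=graylog-people,OU=groups,OU=Employees,DC=domainName,DC=domainType))")
BASE = "OU=companyName,DC=domainName,DC=domainType"
USERS_OU = "OU=users," + BASE
DIRECTORY = {  # constructed sample entries, not real directory data
    "CN=jdoe," + USERS_OU: {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "objectcategory": ["person"], "samaccountname": ["jdoe"],
        "userprincipalname": ["jdoe@domainName.domainType"],
        "memberof": ["CN=graylog-people,OU=groups,OU=Employees,DC=domainName,DC=domainType"]},
    "CN=svc-backup,OU=services," + BASE: {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "objectcategory": ["person"], "samaccountname": ["svc-backup"],
        "userprincipalname": ["svc-backup@domainName.domainType"], "memberof": []}}
```

Running `find_user("svc-backup", GROUP, BASE, DIRECTORY)` returns an empty list (not in the group), and narrowing the base to `USERS_OU` also drops that account even with the default pattern, which is the kind of scoping that makes a login succeed for some accounts but leaves others unsynchronized.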
In my current setup using Graylog Open, I am unable to use group synchronization. However, I have found that the default search pattern in Graylog is effective for my Active Directory environment. I have confirmed this by successfully testing user login. The search base DN is an OU: (OU=mySI,OU=myOU,DC=my,DC=domain,DC=local). If I test a non-existent user from that OU, Graylog reports that the user does not exist. Does that mean it's functioning properly?
The command I use for checking the logs is: tail -n 10 /var/log/graylog-server/server.log
But there is no information about the AD auth test.
That seems right to me. So you can't restrict to groups, but you can restrict to an OU.
I had one of the free licenses; that is why my setup worked for group membership. It's frozen in time now since I can't keep under the 2GB limit of the free license.