1. Describe your incident:
Users belonging to newer OUs are not able to log in via LDAP credentials.
If I try to add/whitelist new OUs in the Search base DN, it leads to LDAP errors DSID-0310022D and DSID-03100225.
Also, many users of the currently added OU are not synchronized, i.e. the OU has more users than are being discovered in Graylog.
2. Describe your environment:
OS Information: Private Build 1.8.0_282 on Linux 5.4.0-1041-aws
Package Version: Graylog 4.0.5+d95b909
Service logs, configurations, and environment variables:
Search base DN : OU=ABC,OU=XYZ,DC=ABCCORP,DC=com (values for representation purposes)
Search pattern: (&(mail=*)(sAMAccountName={0}))
name Attribute: cn
Full Name Attribute: displayName
ID Attribute: sn
3. What steps have you already taken to try and solve the problem?
Tried to add OUs in Authentication → User Synchronization and Test User Login (fails if a new OU is added).
If the OU settings are changed, Graylog login stops working, including admin login; reverting the authentication settings to the previous values fixes it.
4. How can the community help?
Please suggest the configuration, LDAP settings which would help with the AD Sync.
Perhaps try something simple like this under User Synchronization.
Search Base DN: CN=Users,DC=domain,DC=net
Search Pattern: (&(objectClass=user)(sAMAccountName={0}))
Name Attribute: sAMAccountName
Full Name Attribute: displayName
Let's say your users are in an OU called mail; then something like this.
Search Base DN: CN=mail,DC=domain,DC=net
Search Pattern: (&(objectClass=user)(sAMAccountName={0}))
Name Attribute: sAMAccountName
Full Name Attribute: displayName
This would depend on how you set up your AD and your other configurations that are not shown in this post.
I would advise checking permissions for the user you're using in System User DN also.
This would require at least a read role in Active Directory for that user.
Perhaps check out this post. It might give you some clues.
When posting, please take a look here; this may help out.
Working with someone's AD is kind of touchy, meaning there is sensitive data. What I found was: how you structure your Active Directory, then configure your Attribute mapping for user accounts and Attribute mapping for groups. This would be applied to your Search Base DN.
To find the correct configurations needed I would do the following.
Open a Windows command prompt.
Type the command:
dsquery user -name <known username>
Example: If you are searching for all users named "John", you can enter the username as John* to get a list of all users whose name is John.
The result will look like:
"CN=John.Smith,CN=Users,DC=MyDomain,DC=com"
In Symantec Reporter's LDAP/Directory settings, when asked for a User Base DN, enter:
CN=Users,DC=MyDomain,DC=com
Now for Groups I would execute this.
Finding the Group Base DN
Open a Windows command prompt.
Type the command:
dsquery group -name <known group name>
Example: If you are searching for a group called Users, you can enter the group name as Users* to get a list of all groups whose name contains "Users".
The result will look like:
"CN=Users,CN=Builtin,DC=MyDomain,DC=com"
In Symantec Reporter's LDAP/Directory settings, when asked for a User Base DN, enter:
CN=Users,CN=Builtin,DC=MyDomain,DC=com
I don't think this is a Graylog issue; I believe you need the correct configurations and/or permissions on the Attribute mapping for groups in the Active Directory.
You can narrow your user and group search patterns. Is the user a member of Graylog_Kahunas…
User search pattern: (&(objectClass=user)(sAMAccountName={0})(objectCategory=person)(memberOf=CN=graylog_kahunas,OU=admin_groups,OU=permissions,OU=process,DC=company,DC=tld))
Group search pattern: (&(objectClass=group)(cn=graylog_kahunas))
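The settings discussed across the posts above (the original (&(mail=*)(sAMAccountName={0})) pattern, the (objectClass=user) variant, the container DN you get back from dsquery, and the memberOf narrowing) can be tried offline before touching the Graylog configuration. The script below is an added example, not code from any of the posters or from Graylog itself: it models a handful of Active Directory entries, derives a base DN from a dsquery-style result, checks subtree scope, and evaluates a small subset of RFC 4515 filters (and/or/not, equality, presence) against those entries. The abccorp domain, the OU layout, every account name and the graylog_kahunas group DN are made up; how Graylog itself fills the {0} placeholder is not reproduced here, the escape function only shows the standard RFC 4515 rule and why it matters when the placeholder is filled from a login form.

```python
"""Offline check of Graylog-style LDAP user-sync settings against made-up AD entries.

Added example, not code from the Graylog post or from Graylog itself. It implements a
small subset of RFC 4515 search filters (&, |, !, equality and presence) so a Search
Base DN and Search Pattern can be tried against fake directory entries without a live
domain controller. Every DN, account and group name below is constructed.
"""
import re

# Constructed sample directory: entry DN -> attributes. Attribute names and values
# are compared case-insensitively, as Active Directory does for these attributes.
SAMPLE_DIRECTORY = {
    "CN=John.Smith,OU=ABC,OU=XYZ,DC=abccorp,DC=com": {
        "objectClass": ["user"], "objectCategory": ["person"],
        "sAMAccountName": ["john.smith"], "mail": ["john.smith@abccorp.com"],
        "memberOf": ["CN=graylog_kahunas,OU=admin_groups,DC=abccorp,DC=com"],
    },
    "CN=Jane.Doe,OU=ABC,OU=XYZ,DC=abccorp,DC=com": {   # no mail attribute set
        "objectClass": ["user"], "objectCategory": ["person"],
        "sAMAccountName": ["jane.doe"],
    },
    "CN=Ann.Lee,OU=NewTeam,DC=abccorp,DC=com": {       # lives outside OU=ABC,OU=XYZ
        "objectClass": ["user"], "objectCategory": ["person"],
        "sAMAccountName": ["ann.lee"], "mail": ["ann.lee@abccorp.com"],
    },
    "CN=graylog_kahunas,OU=admin_groups,DC=abccorp,DC=com": {
        "objectClass": ["group"], "cn": ["graylog_kahunas"],
    },
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (blocks filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_pattern(pattern, login, escape=True):
    """Fill the {0} placeholder with the login name; escape=False shows the unsafe form."""
    return pattern.replace("{0}", escape_filter_value(login) if escape else login)


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas; tolerates dsquery's surrounding quotes."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn.strip().strip('"'))]


def base_dn_from_entry(dn):
    """Drop the leading RDN of a dsquery result to get the container it sits in."""
    return ",".join(split_dn(dn)[1:])


def is_under(dn, base_dn):
    """True when dn is base_dn itself or sits anywhere below it (subtree scope)."""
    d = [r.lower() for r in split_dn(dn)]
    b = [r.lower() for r in split_dn(base_dn)]
    return len(d) >= len(b) and d[-len(b):] == b


def _parse(s, i):
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unbalanced filter %r" % s)
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")   # first '=' only, so DN values survive
    if "*" in value and value != "*":
        raise NotImplementedError("substring filters are not modelled: %r" % value)
    return ("=", attr, value), j + 1


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(node, attrs):
    op = node[0]
    if op == "&":
        return all(_matches(c, attrs) for c in node[1])
    if op == "|":
        return any(_matches(c, attrs) for c in node[1])
    if op == "!":
        return not any(_matches(c, attrs) for c in node[1])
    _, attr, value = node
    values = [v.lower() for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":          # presence filter, e.g. (mail=*)
        return bool(values)
    return _unescape(value).lower() in values


def search(base_dn, pattern, login, escape=True, directory=SAMPLE_DIRECTORY):
    """Return the DNs a user lookup would see for this login under these settings."""
    rendered = render_pattern(pattern, login, escape)
    tree, end = _parse(rendered, 0)
    if end != len(rendered):
        raise ValueError("trailing text after filter: %r" % rendered[end:])
    return [dn for dn, attrs in directory.items()
            if is_under(dn, base_dn) and _matches(tree, attrs)]


if __name__ == "__main__":
    base = "OU=ABC,OU=XYZ,DC=abccorp,DC=com"
    print(search(base, "(&(mail=*)(sAMAccountName={0}))", "jane.doe"))
    print(search(base, "(&(objectClass=user)(sAMAccountName={0}))", "jane.doe"))
    print(search(base, "(&(objectClass=user)(sAMAccountName={0}))", "ann.lee"))
    print(search("DC=abccorp,DC=com", "(&(mail=*)(sAMAccountName={0}))",
                 "*)(objectClass=*", escape=False))
```

Call search() with a candidate Search Base DN and Search Pattern and a login you expect to work. An empty result means the entry is either outside the base DN subtree (is_under) or fails one clause of the filter: with the original pattern an account that has no mail attribute is dropped by the (mail=*) clause, and a user in an OU that is not below the base DN is never considered at all. The last line of the demo shows why escaping the substituted login matters: with escape=False the login "*)(objectClass=*" turns the filter into one that matches every account with a mail attribute, while the escaped form matches nothing.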