New Graylog install, AD users not found

I’ve never once gotten this to work and am now determined to. I have a brand new Graylog 4.0 installation set up. I’m trying to get AD authentication working, but limit who can log into the system using a group.

Search Base DN: DC=DOMAIN,DC=COM
Search Pattern: (&(objectCategory=person)(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0})))

This works, but allows every domain user to log in. Not ideal.

Search Base DN: DC=DOMAIN,DC=COM
Search Pattern: (&(memberOf=CN=Domain Users,CN=Users,DC=DOMAIN,DC=COM)(objectCategory=person)(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0})))

This however does not. When I test an account, it says no user found. It doesn’t matter what group I put in there, I only used Domain Users to highlight the absurdity of the issue. As far as I can see based on previous threads, it is supposed to work but simply doesn’t. Please help.

Thanks,

Ben

Hey @benutne, here’s what we use that works well. This allows us to map administrative users to admin roles and non-administrative users to reader roles.

Search base DN:
ou=enterprise,dc=contoso,dc=com

Search pattern:
(&(|(memberof=CN=Graylog Admins,OU=Security Groups,OU=Enterprise,DC=contoso,DC=com)(memberof=CN=Graylog Users,OU=Security Groups,OU=Enterprise,DC=contoso,DC=com))(sAMAccountName={0}))

Here is exactly what I have in my search pattern (with the actual domain replaced with contoso)

Search Base DN:
DC=chicago,DC=contoso,DC=com

Search pattern:
(&(sAMAccountName={0})(memberOf=CN=Domain Users,CN=Users,DC=chicago,DC=contoso,DC=com))

And I get nothing returned. When I remove the memberOf part and just leave it as follows:

Search pattern:
(&(sAMAccountName={0}))

The exact same user is able to verify.

is chicago actually a domain component? or is it an organizational unit?

DC. I was able to figure it out though. The ability to view group membership is not available to every user in our domain. I had to make a permission change to allow the account setup to bind to the AD to pull that attribute from the user. Seems that has been my issue all along. Thanks for taking the time to help.

1 Like

Awesome, glad you figured it out! I suggested DC versus OU because sometimes fresh eyes see something simple.