I’ve never once gotten this to work and am now determined to. I have a brand new Graylog 4.0 installation set up. I’m trying to get AD authentication working, but limit who can log into the system using a group.
Search Base DN: DC=DOMAIN,DC=COM Search Pattern: (&(objectCategory=person)(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0})))
This works, but allows every domain user to log in. Not ideal.
Search Base DN: DC=DOMAIN,DC=COM Search Pattern: (&(memberOf=CN=Domain Users,CN=Users,DC=DOMAIN,DC=COM)(objectCategory=person)(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={0})))
This however does not. When I test an account, it says no user found. It doesn’t matter what group I put in there, I only used Domain Users to highlight the absurdity of the issue. As far as I can see based on previous threads, it is supposed to work but simply doesn’t. Please help.
Hey @benutne, here’s what we use that works well. This allows us to map administrative users to admin roles and non-administrative users to reader roles.
DC. I was able to figure it out though. The ability to view group membership is not available to every user in our domain. I had to make a permission change to allow the account setup to bind to the AD to pull that attribute from the user. Seems that has been my issue all along. Thanks for taking the time to help.
