New Install - AD Failing

Description of your problem

We’ve installed Graylog on RHEL 7.9 to replace the existing one. The Active Directory setup is not working; we are getting failed authentications. The same setup works fine on the existing server.

Description of steps you’ve taken to attempt to solve the issue

I’ve tried two scenarios, with a different result each time.
First Scenario - No System User DN and no System Password
“Test Server Connection” is successful.
“User Login Test” fails with the error shown below.
There was an error fetching a resource: Bad Request. Additional information: Null value (through reference chain: org.graylog.security.authservice.test.AutoValue_AuthServiceBackendTestRequest$Builder["user_login"]->org.graylog.security.authservice.test.AuthServiceBackendTestRequest$UserLogin["password"])
false

Second Scenario - With the System User DN and System Password that work fine on the old Graylog server
“Test Server Connection” fails with the error shown below:
There was an error fetching a resource: Bad Request. Additional information: Null value (through reference chain: org.graylog.security.authservice.test.AutoValue_AuthServiceBackendTestRequest$Builder["backend_configuration"]->org.graylog.security.authservice.$AutoValue_AuthServiceBackendDTO$Builder["config"]->org.graylog.security.authservice.backend.AutoValue_ADAuthServiceBackendConfig$Builder["system_user_password"])
false

Environmental information

Operating system information

  • RHEL7.9

Package versions

Various versions:
Java - 1.8.0_281
Mongodb - 5.0.2
ElasticSearch - 7.10.2
Graylog - 4.1.2

Existing Graylog version: 2.3.2 => working fine

Hello && Welcome

Even though it worked before on 2.3, you performed an upgrade two versions from what worked before. Things have changed since then.

  • Were these AD settings carried over from Graylog version 2.3, or did you configure a new connection to your AD?
  • If these settings were from the older version of Graylog, have you tried to create a new connection to your AD?

Correct me if I’m wrong.
The Server Address, Port (I’m assuming you’re using 389), System User DN, and System Password that were configured were correct when you tested the connection?

Then you went to User Synchronization, under User Login Test, and it failed?

  • Did you try a different user on your AD?
  • Does the System User DN have correct permissions for initial connection to the Active Directory server or did the password expire?

Hello, thanks for replying.

This is not an upgrade, instead it is a fresh install on a new server.

The answer to both your questions is yes.

The Server Test connection is successful when I don’t enter a username/password. It is successful again with just the username and no password (it is perhaps not attempting to authenticate). However, as soon as I enter the password, the server connection fails.

I did enter the necessary search strings etc. on the next page and tried user testing, but it failed too.

We are using the same user which is currently being used on the working Graylog, so I think the account (it is a system account) is active; it is being used across other CIs without any issues.

Thank you,
Ketan

Hello

I apologize ahead of time, I’m a little tired.

You’re referring to the System User DN? Am I correct?

This is without using the System User DN? Am I correct?

This is where I’m confused. Could you explain a little more?

EDIT: As shown in this picture it works, correct?

As soon as you execute “User Login Test”, as shown in this picture, it does not work, correct?

EDIT2: Basically you have a binding issue with your Active Directory. This is normally caused by a configuration issue. Showing how you configured your Active Directory settings would be appreciated.

Hello,

You’re referring to the System User DN? Am I correct?
Yes, you are correct. I am referring to the configuration on the first page under Authentication for setting up Active Directory. Both the user name and the password are optional.

This is without using the System User DN? Am I correct?
Yes, the Server connection test is successful:
without System User DN and without password
with System User DN and no password

It fails when I enter the password along with System User DN. Please see the screenshot below. As a new member I can post only one image at a time. First one below. Adding two more separately.

Thank you
Ketan

With IP address and System User DN (no password yet) - successful

With IP, System User DN, Password - Fails

Try not to use someone@domain.com. Just use someone and then the password.
@k2pattu
Here is mine, maybe it might help

Edit: I would double check your user/password for your System User DN. Something seems incorrect.
For testing purposes, can you make a new user for this connection? Make sure it has the right permissions to connect to AD.

Hi, I’ve tried with the new user with correct credentials but the result is still the same :( Any other possible suggestions? Why does the error say "system_user_password"? It comes up as soon as I click test, which makes me think it is failing even before reaching the AD server. Anything to do with Java?

Hi @k2pattu
I still don’t understand why you are trying to create an empty user if you want to use LDAP. If you correctly set up LDAP authentication in Graylog, users in Graylog are created automatically after the user’s first login to the Graylog web UI. You don’t have to create an empty user at all.

One piece of advice: never use port 389 for LDAP without TLS, because passwords go through the network in clear text. Either use port 636, or 389 with StartTLS if your LDAP server supports it.

Hello,

Judging from the error system_user_password, it seems that the user used to bind with your LDAP server may be incorrect.

For troubleshooting have you tried using your personal credentials for System User DN ?

Are you running Windows OS for your LDAP? If so, you can use the following to check your settings.

PS C:\ > dsquery *

There are a couple of ways you can test this with Linux commands. It may shed some light on what the problem is.

ldapsearch

And

ldapwhoami

I also agree with @shoothub, I would definitely use TLS/636.

Hello,

I am not trying to create any user. I am just going through the process of setting up AD authentication and in the process entering the values as asked on the screen. I am at the first stage of Server Connection because there is no point in proceeding with second stage “User Synchronization” if the server connection is failing in the first stage. Is my assumption correct?

I’ve tried different combinations with port - TLS/StartTLS, Verify Cert with port numbers 389, 636. I get more or less the same error - system_user_password. I have used different accounts, including mine, but that fails too. To me it seems the server is not able to pick up the password.

Thanks
Ketan

Hi,

On the Graylog site, I compared different versions. We are using Open (the free version). It seems it allows LDAP/AD integration, but Active Directory User Lookup (Data Adapter) and LDAP Groups Integration are not allowed. Could this have anything to do with authentication failing?

Thank you
Ketan

Hello,

The user you’re using needs to match the userPrincipalName of that user in your LDAP server.

I agree

What I showed you above is the free version.

EDIT:
Here are the steps I did to try to solve your issue.

  • Log on to Active Directory
  • Create a random user account with “administrator” permissions in my DOMAIN. This requires a USERNAME and PASSWORD.
  • Log on to the Graylog server web UI
  • Create an Authentication Service for Active Directory using port 389
  • Tested the server connection (passed)
  • Used my user account with the password I created in Active Directory for the System User DN.
  • Tested the server connection (passed)
  • Then I tested “User Login Test”; I used a different user in my domain for this test
  • The test passed.
  • Logged out of the web UI
  • Logged back in to my Graylog server using someone else’s username/password in my domain. This created their account and they were able to log in

That’s it.

Hope that helps
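The ldapwhoami/ldapsearch check suggested earlier in the thread, and the userPrincipalName point made in the last reply, carried out as an added example (not code from the thread or from Graylog). Host, port, bind DN, base DN and account name are placeholders; the password is read from a file rather than the command line.

```bash
# Added example: verify the Graylog "System User DN" bind with OpenLDAP tools
# before retrying the Graylog UI. All hosts/DNs below are placeholders.
set -u

# Build the server URI: LDAPS on 636, plain LDAP (upgraded with StartTLS) otherwise.
ldap_uri() {            # ldap_uri HOST PORT
  if [ "$2" = 636 ]; then echo "ldaps://$1:$2"; else echo "ldap://$1:$2"; fi
}

# Translate the LDAP result code the tools exit with into the likely cause.
explain_ldap_rc() {     # explain_ldap_rc CODE
  case "$1" in
    0)   echo "bind succeeded" ;;
    49)  echo "invalid credentials: wrong System User DN/UPN or password" ;;
    32)  echo "no such object: base DN or bind DN does not exist" ;;
    255) echo "cannot contact server: host, port, firewall or TLS handshake" ;;
    *)   echo "LDAP result code $1" ;;
  esac
}

# Bind as the system user and ask the server who it thinks we are.
# -y reads the password from a file so it never appears in shell history or
# `ps` output; -ZZ makes StartTLS mandatory when not using LDAPS on 636.
check_system_user() {   # check_system_user HOST PORT BIND_DN PASSFILE
  uri=$(ldap_uri "$1" "$2"); tls_opt=""
  [ "$2" = 636 ] || tls_opt="-ZZ"
  if ldapwhoami -x $tls_opt -H "$uri" -D "$3" -y "$4"; then rc=0; else rc=$?; fi
  echo "ldapwhoami exit $rc: $(explain_ldap_rc "$rc")"
  return "$rc"
}

# With a working bind, look up the login account's userPrincipalName, which the
# last reply says the name entered in Graylog must match.
lookup_upn() {          # lookup_upn HOST PORT BIND_DN PASSFILE BASE_DN SAMACCOUNTNAME
  uri=$(ldap_uri "$1" "$2"); tls_opt=""
  [ "$2" = 636 ] || tls_opt="-ZZ"
  ldapsearch -LLL -x $tls_opt -H "$uri" -D "$3" -y "$4" -b "$5" \
    "(sAMAccountName=$6)" userPrincipalName
}

# Usage (placeholder values):
#   printf '%s' 'secret' > /tmp/pw && chmod 600 /tmp/pw
#   check_system_user dc01.example.local 636 'CN=svc-graylog,OU=Service,DC=example,DC=local' /tmp/pw
#   lookup_upn dc01.example.local 636 'CN=svc-graylog,OU=Service,DC=example,DC=local' /tmp/pw 'DC=example,DC=local' jdoe
if [ $# -ge 4 ]; then check_system_user "$@"; fi
```

Exit code 49 from ldapwhoami means AD rejected the DN/password pair itself, which separates a credential problem from the Graylog form error the thread is about.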

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.