We’ve installed Graylog on RHEL 7.9 to replace the existing one. The Active Directory setup is not working - we are getting failed authentications. The same setup works fine on the existing server.
Description of steps you’ve taken to attempt to solve the issue
I’ve tried two scenarios but different result each time.
First Scenario - No System User DN and no System Password
“Test Server Connection” is successful
“User Login test” fails with the error shown below.
There was an error fetching a resource: Bad Request. Additional information: Null value (through reference chain: org.graylog.security.authservice.test.AutoValue_AuthServiceBackendTestRequest$Builder[“user_login”]->org.graylog.security.authservice.test.AuthServiceBackendTestRequest$UserLogin[“password”])
false
Second Scenario - With the System User DN and System Password that work fine on the old Graylog server
“Test Server Connection” fails with the error shown below:
There was an error fetching a resource: Bad Request. Additional information: Null value (through reference chain: org.graylog.security.authservice.test.AutoValue_AuthServiceBackendTestRequest$Builder[“backend_configuration”]->org.graylog.security.authservice.$AutoValue_AuthServiceBackendDTO$Builder[“config”]->org.graylog.security.authservice.backend.AutoValue_ADAuthServiceBackendConfig$Builder[“system_user_password”])
false
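Both errors above are Jackson null-value messages, and the bracketed names in the reference chain are the JSON keys of the test request. The following helper is added here (it is not from the thread or from Graylog) to pull that key path out of such a message and to walk a request body along it to report where the value goes missing or null; the sample bodies are constructed.

```python
import re

# One link of Jackson's reference chain looks like Class["field"]; the forum
# rendered the quotes as curly ones, so both quote styles are accepted.
_LINK = re.compile(r'([\w.$]+)\[[“"]([^”"\]]+)[”"]\]')


def null_field_path(message: str) -> list[str]:
    """Return the JSON key path Jackson reports as null, outermost key first."""
    m = re.search(r'through reference chain:\s*(.*?)\)', message)
    if not m:
        return []
    return [field for _cls, field in _LINK.findall(m.group(1))]


def locate_null(body: dict, path: list[str]) -> tuple[int, str]:
    """Walk a request body along path and report how deep a value exists.

    Returns (number of keys successfully traversed, reason) so that a caller
    can tell a key that was never sent apart from one that was sent as null.
    """
    node = body
    for depth, key in enumerate(path):
        if not isinstance(node, dict) or key not in node:
            return depth, f"key {key!r} missing"
        node = node[key]
        if node is None:
            return depth + 1, f"key {key!r} is null"
    return len(path), "no null along path"


if __name__ == "__main__":
    # Constructed example: the second error from the post, with a body whose
    # password field was serialised as null.
    msg = ('Null value (through reference chain: '
           'org.graylog.security.authservice.test.AutoValue_AuthServiceBackendTestRequest$Builder[“backend_configuration”]'
           '->org.graylog.security.authservice.$AutoValue_AuthServiceBackendDTO$Builder[“config”]'
           '->org.graylog.security.authservice.backend.AutoValue_ADAuthServiceBackendConfig$Builder[“system_user_password”])')
    path = null_field_path(msg)
    body = {"backend_configuration": {"config": {"system_user_password": None}}}
    print(".".join(path), locate_null(body, path))
```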
Even though it worked before on 2.3, you performed an upgrade two versions from what worked before. Things have changed since then.
Were these AD settings carried over from Graylog version 2.3, or did you configure a new connection to your AD?
If these settings were from the older version of Graylog, have you tried to create a new connection to your AD?
Correct me if I’m wrong.
The Server Address, Port (I’m assuming you’re using 389), System User DN, and System Password that were configured are correct when you tested the connection?
This is not an upgrade, instead it is a fresh install on a new server.
The answer to both your questions is yes.
The server connection test is successful when I don’t enter a username/password. It is successful again with just the username and no password (it is perhaps not attempting to authenticate). However, as soon as I enter the password, the server connection fails.
I did enter the necessary search strings etc. on the next page and tried user testing, but it failed too.
We are using the same user which is currently being used on the working Graylog, so I think the account (it is a system account) is active; it is being used across other CIs without any issues.
EDIT2: Basically you have a binding issue with your Active Directory. This is normally caused by a configuration issue. Showing how you configured your Active Directory settings would be appreciated.
You’re referring to the System User DN? Am I correct?
Yes, you are correct. I am referring to the configuration on the first page under Authentication for setting up Active Directory. Both the user name as well as password are optional.
This is without using the System User DN? Am I correct?
Yes, the server connection test is successful:
without System User DN and without password
with System User DN and no password
It fails when I enter the password along with System User DN. Please see the screenshot below. As a new member I can post only one image at a time. First one below. Adding two more separately.
Edit: I would double check your user/password for your System User DN. Something seems incorrect.
For testing purposes, can you make a new user for this connection? Make sure it has the right permissions to connect to AD.
Hi, I’ve tried with the new user with correct credentials, but the result is still the same. Any other possible suggestions? Why does the error say "system_user_password"? It comes up as soon as I click test, which makes me think it is failing even before reaching the AD server. Anything to do with Java?
Hi @k2pattu
I still don’t understand why you are trying to create an empty user if you want to use LDAP. If you correctly set up LDAP authentication in Graylog, users in Graylog are created automatically after the first user login to the Graylog web UI. You don’t have to create an empty user at all.
One piece of advice: never use port 389 for LDAP without TLS, because passwords go through the network in clear text. Either use port 636, or 389 with StartTLS if your LDAP server supports it.
I am not trying to create any user. I am just going through the process of setting up AD authentication and, in the process, entering the values as asked on the screen. I am at the first stage, Server Connection, because there is no point in proceeding with the second stage, “User Synchronization”, if the server connection is failing in the first stage. Is my assumption correct?
I’ve tried different combinations of port and TLS/StartTLS and Verify Cert with port numbers 389 and 636. I get more or less the same error: system_user_password. I have used different accounts, including mine, but that fails too. To me it seems the server is not able to pick up the password.
On the Graylog site, I compared the different versions. We are using Open (the free version). It seems it allows LDAP/AD integration, but Active Directory User Lookup (Data Adapter) and LDAP Groups Integration are not allowed. Could this have anything to do with authentication failing?