[SOLVED] Problems with LDAP

Hello,

I made myself a demo Graylog on Debian. I'm using the latest version (3.0.1).

I'm getting issues with a connection to an enhanced Samba 4 directory (Univention, for connoisseurs).
Here they are:

  • connection to the directory is alright:

  • user mapping is alright as well

  • group mapping options are alright, as in: I can connect any user with my default roles (basically read-only access),
    but … I would like to use two groups, a read-only and an admin group, and map roles automatically.
    The groups I created in my directory are GRP_graylog_users and GRP_graylog_admin

Here are my group mapping settings:

Symptoms:

  • when I look at the Graylog server logs, I'm getting:

2019-04-04T16:37:37.703+02:00 WARN [LdapNetworkConnection] null
java.lang.NullPointerException: null
at org.apache.directory.ldap.client.api.LdapNetworkConnection.messageReceived(LdapNetworkConnection.java:2040) ~[graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:997) ~[graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:641) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1114) [graylog.jar:?]
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:236) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:641) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1114) [graylog.jar:?]
at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:326) [graylog.jar:?]
at org.apache.mina.filter.ssl.SslFilter.filterClose(SslFilter.java:712) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:767) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:48) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1141) [graylog.jar:?]
at org.apache.mina.core.filterchain.IoFilterAdapter.filterClose(IoFilterAdapter.java:145) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:767) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1600(DefaultIoFilterChain.java:48) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:1141) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.filterClose(DefaultIoFilterChain.java:1025) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:767) [graylog.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireFilterClose(DefaultIoFilterChain.java:760) [graylog.jar:?]
at org.apache.mina.core.session.AbstractIoSession.closeNow(AbstractIoSession.java:353) [graylog.jar:?]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.close(LdapNetworkConnection.java:883) [graylog.jar:?]
at org.graylog2.rest.resources.system.ldap.LdapResource.readGroups(LdapResource.java:325) [graylog.jar:?]
at sun.reflect.GeneratedMethodAccessor412.invoke(Unknown Source) ~[?:?]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_212]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_212]
at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) [graylog.jar:?]
at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) [graylog.jar:?]
at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?]
at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?]
at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?]
at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?]
at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?]
at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_212]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_212]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_212]

When I click on image
I get … nothing.

Do you have an idea?

Thanks in advance!

Are your users directly in those groups, or do you have groups in those groups?

I read about the groups in groups problem, so I tried to avoid this situation.

I have users directly in a “users” container and groups directly in a “groups” container. And obviously, I have users in my groups, but no groups in groups.

I have some extra news on this that might help:

I added this to the Graylog log4j file:

    <!-- DEBUG for LDAP authentication -->
    <Logger name="org.graylog2.security.ldap.LdapConnector" level="trace"/>

and then I figured out watching the logs that I have almost exactly the same result when I test the server connection (which is nonetheless positive) as when I test my group mapping.

Result is:

  • trace didn't tell me anything more than the warn level did
  • there is only one line that differs between the two:

LDAP connection test:

at org.graylog2.rest.resources.system.ldap.LdapResource.testLdapConfiguration(LdapResource.java:212) [graylog.jar:?]

LDAP group mapping button:

at org.graylog2.rest.resources.system.ldap.LdapResource.readGroups(LdapResource.java:325) [graylog.jar:?]

… and I am now even more confused :smiley:

If I recall correctly - I’m probably not, but hey - Univention really attempts to be much like AD - I notice in your setup that you’ve toggled to LDAP and not AD, see if changing that makes any sort of difference.

Other than that, I’m fresh out of ideas :frowning:

Sadly, I tested the AD connection without success.
Using AD connector, I’m not even able to connect users.

Then I’m all out of ideas - maybe try and see if an ldapsearch from the command line with the group filter you specified results in anything, just to figure out where the problem lies…

That's really fine. Thanks for your time anyway!
I just solved it! It was an LDAP search syntax issue:

This works as a group search pattern (using the | operator):
(|(cn=GRP_graylog_users)(cn=GRP_graylog_admin))
Then the 2 groups are found, and you can map them to the roles.
Maybe it would be useful to add this example to the docs?

Ah! Okay, let me show you how we did it:

Group Search Base DN: ou=groups,dc=redacted,dc=redacted
Group Search Pattern: (objectClass=groupOfNames)
Group Name Attribute: cn

This loads all objects that are of class groupOfNames, which in our case works out (mainly because we set it up that way; Univention may set it up as groupOfUniqueNames, or just posixGroup), but you can do that in the pattern with the | modifier as well.

The idea is that you fetch all groups and the mapping determines who gets rights. In your case you explicitly load only 2 groups and then map them, which means if you add groups later on, you'll have to edit the pattern.
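Both the two-group `|` filter from the solution above and the catch-all `(objectClass=groupOfNames)` pattern from this reply can be checked offline before touching the Graylog UI. The following is an added example, not code from the thread or from Graylog: a minimal RFC 4515 filter evaluator run over a constructed set of group entries (the extra cn values GRP_backup and GRP_legacy are made up), which also shows that two bare items written side by side without the `|` wrapper are rejected as a syntax error.

```python
# Constructed sample of entries under ou=groups (not real directory data).
GROUPS = [
    {"cn": "GRP_graylog_users", "objectClass": "groupOfNames"},
    {"cn": "GRP_graylog_admin", "objectClass": "groupOfNames"},
    {"cn": "GRP_backup", "objectClass": "groupOfNames"},
    {"cn": "GRP_legacy", "objectClass": "groupOfUniqueNames"},
]

def _parse(s, i):
    """Parse one parenthesised filter at s[i]; return (tree, index after its ')').
    Handles &, |, ! and plain attr=value / attr=* items (no substrings or escapes)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, eq, value = s[i:end].partition("=")
    if end < 0 or not attr or not eq:
        raise ValueError(f"malformed item at offset {i}")
    return ("=", attr.lower(), value), end + 1

def parse_filter(s):
    """Parse a whole filter; two bare items side by side are rejected as trailing text."""
    tree, i = _parse(s, 0)
    if i != len(s):
        raise ValueError(f"unexpected text after filter at offset {i}: {s[i:]!r}")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; attribute names compare case-insensitively."""
    if tree[0] in "&|":
        results = (matches(k, entry) for k in tree[1])
        return all(results) if tree[0] == "&" else any(results)
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    actual = {k.lower(): v for k, v in entry.items()}.get(tree[1])
    return actual is not None and (tree[2] == "*" or actual.lower() == tree[2].lower())

def search_groups(filter_str, entries=GROUPS):
    """Return the cn of every entry the filter selects, in directory order."""
    tree = parse_filter(filter_str)
    return [e["cn"] for e in entries if matches(tree, e)]
```

A real directory applies the same matching rules, so a pattern that selects the wrong set here will select the wrong set in Graylog's group mapping test too.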
