Stopping Active Directory users having default Graylog access

I have Active Directory integration setup with LDAP group mapping working.

However I find that all AD users are granted a Reader role within the application by default.

By default I don’t want AD users to have a Graylog account at all, only those within the mapped AD groups setup in LDAP group mappings should have access to Graylog.

I’ve tried removing the Default User Role in the LDAP settings but it just sets back to Reader again.

Can I default block access to Graylog while still retaining AD integration?

To add to this, if I create a new AD group called Graylog_Blocked, add a user to it and set the group to have Role: None in the LDAP group mappings, the members of the Graylog_Blocked group still appear to get Reader access even with the group role set to None.

Please use an LDAP filter for users, so it will contain only members of the group.

  1. Your User Search Pattern is probably too wide, so it can also include other users. Use a filter like this instead, which includes only user members of the group Graylog_users:
    (&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberOf=CN=Graylog_users,DC=domain,DC=net))
  2. I always test the filter with the AD MMC filter or PowerShell to check that it works (to debug); only remove the part (sAMAccountName={0}).
    https://theitbros.com/ldap-query-examples-active-directory/
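The following is an added example, not code from the thread or from Graylog: it builds the group-restricted User Search Pattern described in the answer, produces the debugging variant with the (sAMAccountName={0}) clause removed, checks that the parentheses balance (the original filter had a stray one), and shows why the username substituted for {0} must be escaped so it cannot widen the filter. The group DN is the placeholder from the answer; the nested-group variant uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule.

```python
# Added example for this thread; not from Graylog or the original poster.
# Assumed group DN (placeholder from the answer above): adjust to your AD.
GROUP_DN = "CN=Graylog_users,DC=domain,DC=net"
# Active Directory matching rule OID: memberOf then also matches nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def user_search_pattern(group_dn: str, nested: bool = False) -> str:
    """Return the LDAP User Search Pattern; {0} is Graylog's username placeholder."""
    member = f"(memberOf:{IN_CHAIN}:={group_dn})" if nested else f"(memberOf={group_dn})"
    return f"(&(objectCategory=person)(objectClass=user)(sAMAccountName={{0}}){member})"


def debug_filter(pattern: str) -> str:
    """Drop the username clause so the filter lists every account it would admit
    when pasted into the AD MMC filter, Get-ADUser -LDAPFilter or ldapsearch."""
    return pattern.replace("(sAMAccountName={0})", "")


def balanced(filter_text: str) -> bool:
    """True if every '(' has a matching ')' in order; RFC 4515 filters must be."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value, so '*', '(' or ')' typed as a
    username are matched literally instead of changing the filter structure."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(c, c) for c in value)


def resolve(pattern: str, username: str) -> str:
    """Substitute the login name for {0} the way a careful LDAP client should."""
    return pattern.replace("{0}", escape_filter_value(username))


if __name__ == "__main__":
    pattern = user_search_pattern(GROUP_DN)
    print(pattern)
    print(debug_filter(pattern))
    print(resolve(user_search_pattern(GROUP_DN, nested=True), "jdoe"))
```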