Unable to configure External Authentication on GrayLog- LDAP/Active Directory and SSO Authentication

Hi Everybody,

I am new to Graylog, working on POC to implement GrayLog for all our applications and I am unable to configure external authentications like SSO and LDAP/Active Directory. We followed this documentation https://docs.graylog.org/en/3.1/pages/users_and_roles/external_auth.html

For LDAP/Active Directory:
The test server connection succeeds but the test login fails, so we suspect we are doing something wrong in the User Mapping section.

We get the error below when we try the test login:

Connection failed

  • User found

  • Login attempt

Server response

Binding with empty principal is forbidden.

User’s LDAP attributes

LDAP server did not return any attributes for the user.

User’s LDAP groups

LDAP server did not return any groups for the user.

For SSO, we have given trusted proxy as 127.0.0.1/32, 0:0:0:0:0:0:0:1/128 but user is unable to login using SSO as well.

Can someone help how we can fix these issues? I appreciate any help!

  1. Are you 100% sure that the user you want to authenticate is a member of the Organizational Unit (OU): Ruffalo Noel Levitz?
  2. If not, or if you want to find users in more OUs, it’s better to set Search Base DN: DC=ruffalo,DC=int (so you search the whole domain), and after that use an LDAP filter in the parameter User Search Pattern.
  3. I usually want only members of a specific group to log in to Graylog, so create a group, for example Graylog_users, and add the members to it. After that use a filter in the field User Search Pattern like this:

(&(objectCategory=person)(objectClass=user)(memberOf=CN=Graylog_users,CN=Users,DC=ruffalo,DC=int)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This parameter in the LDAP filter ensures that locked users can’t log in:

!(userAccountControl:1.2.840.113556.1.4.803:=2)

If you also want to add nested groups (not only user accounts) to your Graylog_users group, you can use this filter:

(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Graylog_users,CN=Users,DC=ruffalo,DC=int)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Check also these great articles:
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html


Hello! My name is Alex, and I am a server engineer. I work with Dheeraj at RNL.

Our AD structure is as follows:

-Root Domain: ruffalo.int
--OU: Ruffalo Noel Levitz
---OU: Security Groups
----OU: Resource Access Groups
-----CN: Graylog_Users
-----CN: RNLDevOpsSec
---OU: User Accounts
----OU: Vendor Accounts
-----Graylog User Accounts are in this OU

The RNLDevOpsSec group is inside the Graylog_Users group.

As recommended we set the Search Base DN to the entire domain (DC=ruffalo,DC=int) and set the user search pattern as follows:
(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Graylog_users,DC=ruffalo,DC=int)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

We modeled this on a combination of the suggestion above and this article because it included a lookup for a nested group. My understanding is that this pattern parses to “Users in the Graylog_users group within the ruffalo.int domain if the user is not locked out.”

This still did not succeed so we also tried setting the Group Mapping section, which says it’s optional. Also DC=ruffalo,DC=int, group search pattern of (&(objectClass=group)(cn=graylog*)) and Group Name Attribute of cn.

No matter what we do the server succeeds in its test connection but users are not found, let alone login attempts, with the same “Binding with empty principal is forbidden” error.

I’m sure our search patterns are incorrect somewhere but I’ve tried the ones suggested above as well as allowing the entire domain to be searched indiscriminately and nothing seems to succeed.

Thanks!

Nested groups are currently not possible in Graylog.

@jan We use nested groups in user mapping with no problem. This User Search Pattern works for us:

(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=Graylog_users,CN=Users,DC=domain,DC=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This LDAP filter finds only users (not contacts, as the default query suggested by Graylog does) which are members of the group Graylog_users (this group can also contain another group, not only user accounts), and it doesn’t allow blocked users to log in.


Sorry, I previously posted a bad query without the parameter sAMAccountName (which is required by Graylog), so the good one for you should be:

(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=Graylog_users,DC=ruffalo,DC=int)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

I suggest testing your LDAP filter before using it in Graylog, for example in the MMC console Active Directory Users and Computers, section Saved Queries. Create a new query and name it, then click the Define Query button, from the Find: select box on top select Custom Search, click the Advanced tab and paste your LDAP query (filter). Paste it without the block (sAMAccountName={0}) and test it (it should show the correct users). If it works, insert the tested LDAP query back into Graylog and add the section (sAMAccountName={0}) back.
Check also this article about how to create an AD query in MMC:

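As an added illustration of the advice in the replies above (not code from Graylog or from anyone in this thread), the following helper renders a Graylog User Search Pattern the way the login test does (substituting {0} with an RFC 4515-escaped login name), strips the (sAMAccountName={0}) clause for pasting into the ADUC Saved Queries dialog, and runs a few sanity checks on the pattern, including the doubled "CN=CN=" RDN that crept into one of the posted filters. The function names and the checks are my own assumptions, not a Graylog API.

```python
import re

# RFC 4515 escapes for values substituted into an LDAP filter; Graylog puts the
# typed login name in place of {0}, so an unescaped "*" would widen the match.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(pattern: str, username: str) -> str:
    """Return the filter Graylog would send for this login name (assumed substitution)."""
    return pattern.replace('{0}', escape_filter_value(username))


def aduc_test_filter(pattern: str) -> str:
    """Drop the (sAMAccountName={0}) clause so the rest can be tested in ADUC Saved Queries."""
    return pattern.replace('(sAMAccountName={0})', '')


def check_user_search_pattern(pattern: str) -> list:
    """Hypothetical pre-flight checks: balanced parentheses, {0} present, well-formed group DNs."""
    problems = []
    depth = 0
    for ch in pattern:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                problems.append('unbalanced parentheses: unexpected ")"')
                break
    if depth > 0:
        problems.append('unbalanced parentheses: missing ")"')
    if '{0}' not in pattern:
        problems.append('missing {0} placeholder (Graylog substitutes the login name here)')
    # Every DN in a memberOf clause (plain or with the 1.2.840.113556.1.4.1941 matching
    # rule) must be a comma-separated chain of single CN=/OU=/DC= RDNs.
    for dn in re.findall(r'\(memberOf(?::[\d.]+:)?=([^)]*)\)', pattern):
        for rdn in dn.split(','):
            if not re.fullmatch(r'(CN|OU|DC)=[^=,]+', rdn, flags=re.IGNORECASE):
                problems.append(f'malformed RDN {rdn!r} in group DN {dn!r}')
    return problems
```

The group DN should be the full path to the group object, including its OUs, or the memberOf clause will simply match nobody.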
