Unknown attribute issue LDAP integration with Active Directory


#1

I am trying to connect Graylog to LDAP via my Active Directory server.

Test connection works fine to AD and I am able to do the user login test successfully. No groups are being pulled, however.

For example, I have a user inside of ou=Annex,ou=Admin,ou=Staff,dc=company,dc=com

I also created a group in the above OU called Graylog2

But I get the below warning…

2017-05-08T23:42:20.193-04:00 WARN [LdapConnector] Unknown group id attribute CN=Graylog2, skipping group entry Entry

User mapping
Search Base DN | ou=Annex,ou=Admin,ou=Staff,dc=company,dc=com
User Search Pattern | (&(objectClass=user)(sAMAccountName={0}))
Display Name attribute | displayName

Group Mapping
Group Search Base DN | ou=Annex,ou=Admin,ou=Staff,dc=company,dc=com
Group Search Pattern | (objectClass=group) … I have also tried (&(objectClass=group)(cn=Graylog2)).
Group Name Attribute | CN=Graylog2

I have no idea what I am doing wrong.


(Jan Doberstein) #2

If you are trying to get nested groups working, that is currently not possible with Graylog.


(nomoresecrets) #3

If you just want a simple “if user is in group $foo allow access to graylog” filter: LDAP Query Group


#4

So I moved the group Graylog2 to cn=Users,dc=company,dc=com and created a user called grayuser there.

Now my search base DN and group search base DN are both: cn=Users,dc=company,dc=com

When I test with grayuser I get the below log…

2017-05-09T14:34:12.145-04:00 WARN [LdapConnector] Unknown group id attribute CN=Graylog2, skipping group entry Entry
dn: CN=Graylog2,CN=Users,dc=company,dc=com
objectClass: top
objectClass: group
member: CN=graylog user.,CN=Users,dc=company,dc=com

It is also still not pulling any LDAP groups.


#5

What are you using for the Group Mapping “Group Name Attribute”? “name” should work, but you could try “sAMAccountName” as well.
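As an added illustration (not Graylog's code), here is a small Python check that mimics what the LdapConnector does with a group entry: it looks up the configured Group Name Attribute on the entry and tests the user's DN against `member`. The sample entry is constructed from the one in the log, with `cn`, `name` and `sAMAccountName` values added as an AD group would carry them (an assumption about the poster's directory); it shows that "CN=Graylog2" is read as an attribute *name*, which no entry has, so the group is skipped.

```python
"""Mimic Graylog's LDAP group lookup on a single LDIF entry.
Constructed example; not Graylog's own code."""
import re

# Constructed sample, modelled on the group entry printed in the log.
# cn/name/sAMAccountName are assumed, as an AD group object carries them.
GROUP_LDIF = """dn: CN=Graylog2,CN=Users,dc=company,dc=com
objectClass: top
objectClass: group
cn: Graylog2
name: Graylog2
sAMAccountName: Graylog2
member: CN=graylog user.,CN=Users,dc=company,dc=com
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def group_name(entry, group_name_attribute):
    """Return the group's name, or None when the configured attribute is
    not present on the entry (what Graylog logs as 'Unknown group id
    attribute ..., skipping group entry')."""
    values = entry.get(group_name_attribute.strip().lower())
    return values[0] if values else None


def normalize_dn(dn):
    """Case-insensitive DN comparison with whitespace around commas removed."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def is_member(entry, user_dn):
    """True when user_dn appears in the group's member attribute."""
    members = {normalize_dn(m) for m in entry.get("member", [])}
    return normalize_dn(user_dn) in members


def check_config(ldif, group_name_attribute, user_dn):
    """Return (group_name, is_member); group_name None means the group
    would be skipped and the user would get no group mapping."""
    entry = parse_ldif(ldif)
    name = group_name(entry, group_name_attribute)
    if name is None:
        return None, False
    return name, is_member(entry, user_dn)
```

Run `check_config(GROUP_LDIF, "CN=Graylog2", ...)` and the group is skipped; with `"name"`, `"cn"` or `"sAMAccountName"` the group resolves and membership is checked.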


#6

My user search pattern is (&(objectClass=user)(sAMAccountName={0}))