Unknown attribute issue: LDAP integration with Active Directory

I am trying to connect Graylog to LDAP via my Active Directory server.

Test connection works fine to AD and I am able to do the user login test successfully. No groups are being pulled, however.

For example, I have a user inside of ou=Annex,ou=Admin,ou=Staff,dc=company,dc=com

I also created a group in the above OU called Graylog2

But I get the below warning…

2017-05-08T23:42:20.193-04:00 WARN [LdapConnector] Unknown group id attribute CN=Graylog2, skipping group entry Entry

User mapping
Search Base DN | ou=Annex,ou=Admin,ou=Staff,dc=company,dc=com
User Search Pattern | (&(objectClass=user)(sAMAccountName={0}))
Display Name attribute | displayName

Group Mapping
Group Search Base DN | ou=Annex,ou=Admin,ou=Staff,dc=company,dc=com
Group Search Pattern | (objectClass=group) … I have also tried (&(objectClass=group)(cn=Graylog2)).
Group Name Attribute | CN=Graylog2

I have no idea what I am doing wrong.

If you are trying to get nested groups working, that is currently not possible with Graylog.

If you just want a simple "if user is in group $foo, allow access to Graylog" filter: LDAP Query Group

So I moved the group Graylog2 to cn=Users,dc=company,dc=com and created a user called grayuser there.

Now my search base DN and group search base DN are both: cn=Users,dc=company,dc=com

When I test with grayuser I get the below log…

2017-05-09T14:34:12.145-04:00 WARN [LdapConnector] Unknown group id attribute CN=Graylog2, skipping group entry Entry
dn: CN=Graylog2,CN=Users,dc=company,dc=com
objectClass: top
objectClass: group
member: CN=graylog user.,CN=Users,dc=company,dc=com

It is also still not pulling any LDAP groups.

What are you using for the Group Mapping “Group Name Attribute”? “name” should work, but you could try “sAMAccountName” as well.
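To make the point of the reply concrete, here is a small model of the two lookups involved: resolving a group's display name from the configured "Group Name Attribute", and filling the `{0}` placeholder of the user search pattern. This is an added illustration, not Graylog's own code, and it does not reproduce what `LdapConnector` does internally. The group entry is constructed from the `objectClass` and `member` lines in the log above; the `cn`, `name` and `sAMAccountName` lines are assumed here because Active Directory populates them on every group object. The helper names (`parse_ldif`, `group_name`, `is_member`, `user_search_filter`) are this example's own.

```python
"""Model of LDAP group-name resolution and user-filter building for the
Graylog/AD mapping discussed in the thread. Added illustration only."""
import re
from typing import Dict, List, Optional

# Constructed sample entry for CN=Graylog2,CN=Users,dc=company,dc=com.
# objectClass and member come from the thread's log line; cn, name and
# sAMAccountName are assumed (AD sets them on every group object).
GROUP_LDIF = """\
dn: CN=Graylog2,CN=Users,dc=company,dc=com
objectClass: top
objectClass: group
cn: Graylog2
name: Graylog2
sAMAccountName: Graylog2
member: CN=graylog user.,CN=Users,dc=company,dc=com
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute_lowercase: [values]}.
    LDAP attribute names are case-insensitive, so keys are lower-cased."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def group_name(entry: Dict[str, List[str]], name_attr: str) -> Optional[str]:
    """Return the group's name via the configured 'Group Name Attribute'.

    The setting is an attribute *name* (cn, name, sAMAccountName), not an
    attribute=value pair such as 'CN=Graylog2'. A configured name that is
    not an attribute of the entry resolves to None, which is the situation
    behind 'Unknown group id attribute ..., skipping group entry'."""
    values = entry.get(name_attr.strip().lower())
    return values[0] if values else None


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison: lower-case, no whitespace around
    ',' or '='. Sufficient for the DNs that appear in this thread."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def is_member(entry: Dict[str, List[str]], user_dn: str) -> bool:
    """True if user_dn appears in the group's 'member' attribute."""
    target = normalize_dn(user_dn)
    return any(normalize_dn(m) == target for m in entry.get("member", []))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(pattern: str, login: str) -> str:
    """Fill the {0} placeholder of a user search pattern with an escaped
    login, so a crafted username cannot change the filter's structure."""
    return pattern.replace("{0}", escape_filter_value(login))


if __name__ == "__main__":
    g = parse_ldif(GROUP_LDIF)
    for attr in ("CN=Graylog2", "name", "cn", "sAMAccountName"):
        print(f"Group Name Attribute {attr!r:18} -> {group_name(g, attr)!r}")
    print(is_member(g, "CN=graylog user.,CN=Users,DC=company,DC=com"))
    pattern = "(&(objectClass=user)(sAMAccountName={0}))"
    print(user_search_filter(pattern, "grayuser"))
    print(user_search_filter(pattern, "*)(objectClass=*"))
```

Running it shows `CN=Graylog2` resolving to nothing while `name`, `cn` and `sAMAccountName` all yield `Graylog2`, and shows why a login value must be escaped before it is dropped into the search pattern: `*)(objectClass=*` is neutralised to `\2a\29\28objectClass=\2a` instead of rewriting the filter.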

My user search pattern is (&(objectClass=user)(sAMAccountName={0}))