@knobbysideup The “ID Attribute” (which defaults to entryUUID) must be a unique ID that doesn’t change when, let’s say, the username changes. Graylog is using that ID as a reference to find the user in LDAP, even when username and others change.
So using the surname is not a good option here. After some research it looks like in FreeIPA that attribute is uid.
UPDATE: Using uid is wrong, see my next post below. Sorry for the confusion.
@knobbysideup I did some more research. For FreeIPA you actually want to use the ipaUniqueID attribute for the ID attribute value.
If you still see the same issue, you might need to adjust your “Search Pattern” setting. You want to include objectClass=person. Full pattern example: (&(objectClass=person)(uid={0}))
I just got a chance to try this. The problem persists. I don’t know why. According to https://www.freeipa.org/page/FreeIPAv2:DS_Design_Summary that attribute is the one that should be used. If I use sn or surname, I don’t get the error.
I have it working now. I was not using an account to bind. After configuring to bind with a system account, I am able to now read the ipauniqueid attribute.
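A way to check the situation this thread arrives at, as an added example that is not part of any post above: it runs the same search pattern anonymously or with a bind account and reports whether the ID attribute comes back. The host, base DN and the function names are assumptions for illustration; `ldapsearch` is the OpenLDAP client.

```shell
#!/bin/sh
# Added example. Host, base DN and bind DN are placeholders for a
# FreeIPA-style tree; replace them with your own values.
: "${LDAP_URI:=ldaps://ipa.example.com}"
: "${BASE_DN:=cn=users,cn=accounts,dc=example,dc=com}"
: "${ID_ATTR:=ipaUniqueID}"

# Expand the thread's search pattern for one username. RFC 4515 filter
# metacharacters are escaped so the test value is matched literally.
build_filter() {
    esc=$(printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                                 -e 's/(/\\28/g' -e 's/)/\\29/g')
    printf '(&(objectClass=person)(uid=%s))' "$esc"
}

# Read LDIF on stdin and report one of three states.
classify_result() {
    awk -v attr="$ID_ATTR" '
        BEGIN { attr = tolower(attr) }
        /^dn:/ { entries++ }
        { split($0, kv, ":"); if (tolower(kv[1]) == attr) found++ }
        END {
            if (!entries)    print "no-entry"
            else if (!found) print "id-attribute-not-readable"
            else             print "ok"
        }'
}

# Usage: check_id_attr USERNAME                 (anonymous bind)
#        check_id_attr USERNAME BIND_DN PWFILE  (bind as a system account)
# PWFILE must hold the password with no trailing newline (ldapsearch -y).
check_id_attr() {
    filter=$(build_filter "$1")
    if [ -n "${2:-}" ]; then
        ldapsearch -x -LLL -H "$LDAP_URI" -D "$2" -y "$3" \
            -b "$BASE_DN" "$filter" "$ID_ATTR" uid
    else
        ldapsearch -x -LLL -H "$LDAP_URI" \
            -b "$BASE_DN" "$filter" "$ID_ATTR" uid
    fi | classify_result
}

# Constructed LDIF shaped like a result that omits the ID attribute.
printf 'dn: uid=jdoe,%s\nuid: jdoe\n' "$BASE_DN" | classify_result
```

If the anonymous call reports `id-attribute-not-readable` and the bound call reports `ok`, the directory is hiding the attribute from unauthenticated reads and Graylog needs the bind account; `no-entry` points at the search pattern or base DN instead.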