Never mind, figured it out.
Just changed the user search pattern to check for group membership:
(&(objectClass=user)(sAMAccountName={0})(|(memberof=CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain)(memberof=CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain)))
Now if the user isn't a member of one of those groups, they can't log in to
Graylog.
On Friday, January 22, 2016 at 11:48:44 AM UTC-8, Frank wrote:
>
> I have ldap and group mappings all configured and working, but I would
> like to restrict users that aren't in one of the group mappings to
> basically have no access.
>
> Is there any way to do this?
>
> I don't want to have to move users' AD accounts into a specific Graylog OU
> because we already have a hierarchy in place that I don't want to mess
> with, I would just like an option in the LDAP configuration to change the
> default role to NONE or no access or something.
>
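An added example, not part of the original post: a small Python helper that generates the user search pattern above from a list of allowed group DNs, escaping each DN per RFC 4515 and refusing an empty group list. It goes beyond the post with an optional nested-group variant using Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID, since a plain memberof clause only matches direct members; the function names are hypothetical.

```python
# Added example (not from the original post). Function names are hypothetical.
# Builds the "user search pattern" shown in the post from a list of group DNs.

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Active Directory LDAP_MATCHING_RULE_IN_CHAIN: also matches membership
# inherited through nested groups. Plain memberof matches direct members only.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape a string for safe use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_pattern(group_dns, nested=False):
    """Return a pattern that only matches users in one of group_dns.

    {0} is left in place for the application to substitute the login name.
    """
    if not group_dns:
        # Without a group clause the filter would admit every AD user.
        raise ValueError("at least one group DN is required")
    attr = "memberof:%s:" % IN_CHAIN_OID if nested else "memberof"
    clauses = "".join(
        "(%s=%s)" % (attr, escape_filter_value(dn)) for dn in group_dns
    )
    group_part = clauses if len(group_dns) == 1 else "(|%s)" % clauses
    return "(&(objectClass=user)(sAMAccountName={0})%s)" % group_part


def filter_for_login(pattern, username):
    """Substitute an escaped login name, e.g. to test the filter by hand."""
    return pattern.replace("{0}", escape_filter_value(username))


if __name__ == "__main__":
    # Placeholder DNs copied from the post.
    groups = [
        "CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain",
        "CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain",
    ]
    print(build_user_search_pattern(groups))
    print(build_user_search_pattern(groups, nested=True))
    # Constructed login name containing filter metacharacters.
    print(filter_for_login(build_user_search_pattern(groups), "jdoe)(cn=*"))
```

The output of filter_for_login can be passed to a tool such as ldapsearch to confirm that a user outside both groups returns no entry before the pattern is saved in the LDAP settings.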