You can pretty much copy the examples provided verbatim for it to work. In our test lab environment I just use the provided examples with our domain etc. substituted.
Our Production AD is quite different though and very large with many OUs, so I have to be more specific in that scenario. One key item to note that I learnt a long time ago in an unrelated scenario though is to use the Delegate Control Wizard in Active Directory to grant the user you use for LDAP lookups permissions to read all user attributes. Without doing this, some user attributes are unavailable and this can impact the ability to look up group memberships. In my scenario I have a domain user called "[email protected]" that is only a member of Domain Users. I have run the Delegate Control Wizard to assign the task "Read all user information".

Here's my guess at the entries you need:

3. User mapping

Search Base DN
  The base tree to limit the Active Directory search query to, e.g. cn=users,dc=example,dc=com.

User Search Pattern
  For example (&(objectClass=user)(sAMAccountName={0})). The string {0} will be replaced by the entered username.

Display Name attribute
  Which Active Directory attribute to use for the full name of the user in Graylog, e.g. displayName. Try to load a test user using the form below, if you are unsure which attribute to use.

4. Group Mapping (optional)

Group Search Base DN
  The base tree to limit the Active Directory group search query to, e.g. cn=users,dc=example,dc=com.

Group Search Pattern
  The search pattern used to find groups in Active Directory for mapping to Graylog roles, e.g. (objectClass=group) or (&(objectClass=group)(cn=graylog*)).

Group Name Attribute
  Which Active Directory attribute to use for the full name of the group, usually cn.

Note that I haven't specified the "Roles" OU or the group name "Graylog". Instead, I use the LDAP group mapping to do this. I have two groups, "GraylogAdmins" and "GraylogUsers", that are mapped via the LDAP Group Mapping page. The Admins role is the default built-in role, but ReadAll is a user-defined role with read privileges on a stream that allows users to read all incoming data.
LDAP Group Mapping page (role options offered per group: None / Admin / ReadAll / Reader):

  LDAP group       Graylog role
  GraylogAdmins    None  Admin  ReadAll  Reader
  GraylogUsers     None  Admin  ReadAll  Reader

I hope that helps.

Cheers,
Pete

On Wednesday, 3 August 2016 06:08:11 UTC+10, Joshua Walderbach wrote:
> I need help getting the correct Search Base DN, User Search Pattern, and
> Group Mapping variables in Graylog 2.x. I'm using Active Directory and
> after entering information into step 1., Test Server Connection is OK. In
> my domain, company.corp, there is an OU called Roles and in that a Group
> called Graylog. I've assigned users to the Group. I've tried several
> different combinations and have been unable to get anything to work when I
> run a Login test. Fails to connect or find user.
>
> Would anyone be so kind as to explain what I need to do here? AD is a major
> weak spot for me. Working on that.
>
> <https://lh3.googleusercontent.com/-dtCxwuC6JA0/V6D9QFpfAWI/AAAAAAAAARo/KxXlH6cFqlIc6urPaQJXGeTtfhCuLPKvgCLcB/s1600/Screenshot%2Bfrom%2B2016-08-02%2B14-06-10.png>
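The User Search Pattern above works by substituting the entered username for the string {0}. Usernames can legitimately contain characters that are reserved in LDAP filters (parentheses, asterisks, backslashes), so the substitution should escape them per RFC 4515 or the filter's structure changes and the lookup fails or matches the wrong entries. The following is an added illustration written for this thread, not Graylog code: `build_user_filter` and the other helpers are hypothetical names, and the sample usernames are constructed. It fills the pattern safely, then checks that the filled filter has the same number of clauses as the pattern, which a plain string replacement does not guarantee.

```python
"""Safe {0} substitution for an LDAP User Search Pattern (added example).

Hypothetical helpers, not Graylog's implementation. Escapes the username
per RFC 4515 section 3 before placing it into a pattern such as
(&(objectClass=user)(sAMAccountName={0})).
"""

# RFC 4515 reserved characters inside an assertion value and their escapes.
# Backslash is listed first so that escapes added later are not re-escaped.
_ESCAPES = (
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is treated literally in a filter."""
    for raw, esc in _ESCAPES:
        value = value.replace(raw, esc)
    return value


def build_user_filter(pattern: str, username: str) -> str:
    """Replace {0} in the User Search Pattern with the escaped username."""
    if "{0}" not in pattern:
        raise ValueError("user search pattern must contain {0}")
    return pattern.replace("{0}", escape_filter_value(username))


def count_unescaped_parens(ldap_filter: str) -> int:
    """Count '(' characters that open a filter clause (escape sequences skipped)."""
    count = 0
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # a backslash plus two hex digits, e.g. \28
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count


def structure_preserved(pattern: str, filled: str) -> bool:
    """True when substitution added no filter clauses beyond those in the pattern."""
    return count_unescaped_parens(pattern) == count_unescaped_parens(filled)


if __name__ == "__main__":
    pattern = "(&(objectClass=user)(sAMAccountName={0}))"
    # Constructed sample usernames: a plain one and one with reserved characters.
    for name in ("jdoe", "smith (temp)*"):
        safe = build_user_filter(pattern, name)
        naive = pattern.replace("{0}", name)
        print(f"{name!r}: escaped -> {safe}")
        print(f"   structure preserved: escaped={structure_preserved(pattern, safe)}"
              f" naive={structure_preserved(pattern, naive)}")
```

The group filter `(&(objectClass=group)(cn=graylog*))` is different: its wildcard is typed by the administrator, not taken from a login form, so it needs no escaping. Only values that arrive from the user at authentication time should pass through `escape_filter_value`.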
