Removing cn=people and cn=Graylog did the trick!  Thank you!!  I want to
understand everything that is happening, I hope you don't mind me tapping
your brain some more.

The Search Base DN is telling GL to search, in my example, the
domainname.corp for users.  The search pattern specifically looks for an
object class called user followed by their account name.  Display Name
Attribute tells GL how to display the name.  Group Search then looks for
groups listed under the OU of Roles and again in the domain.  Then an
object class of group followed by a name of Graylog*.  So putting too much
search criteria can cause an issue because you're looking too definitively,
but broadening the scope allowed it to work.  Is that correct?

Thank you again for your help!  This community has been very quick and
eager to assist.

-Joshua

On Tue, Aug 2, 2016 at 5:49 PM, Pete GS <[email protected]> wrote:

> Ah! I would remove the "cn=people" from your search base and the
> "cn=Graylog*" from your Group search base and Group search pattern to start
> with.
>
> If the number of groups returned is too large, you can try adding the
> "cn=Graylog*" back to just the search pattern entry.
>
> If all your accounts are in an OU called "people" and you want to restrict
> user searches to this OU, the correct syntax would be
> "ou=people,dc=domainname,dc=corp".
>
> Cheers, Pete
>
> On Wednesday, 3 August 2016 09:36:18 UTC+10, Joshua Walderbach wrote:
>>
>> So while I can log in as a domain user, the test and user login work in
>> the LDAP settings page, under LDAP Group Mapping it says:
>>
>> "No LDAP/Active Directory groups found. Please verify that your LDAP
>> group mapping <https://graylog.influence-technologies.com/system/ldap>
>> settings are correct."
>>
>> If I click on that link, it takes me to my LDAP Settings page.  Here are
>> my settings now:
>>
>>
>> On Tue, Aug 2, 2016 at 5:24 PM, Pete GS <[email protected]> wrote:
>>
>>> Glad to hear it!
>>>
>>> If your company uses AD for authentication, then using AD groups will
>>> make it nice and easy to automatically assign roles to users via AD group
>>> membership.
>>>
>>> The second part of my email was about that topic.
>>>
>>> Once LDAP is configured, navigate to the LDAP Group Mapping tab where
>>> you should see a list of all your AD groups. Simply use the pull down
>>> beside the appropriate groups to assign the Graylog role to the group.
>>>
>>> One point to note is make sure your users are members of only one
>>> Graylog related group. Some applications/systems don't work well when a
>>> user is mapped to multiple groups that it uses for authentication and this
>>> can cause unexpected results. I'm not sure if Graylog has issues with this
>>> or not but it's safer just to ensure each user is a member of one group
>>> only that's used for Graylog LDAP group mapping.
>>>
>>> Hope that answers your question.
>>>
>>> Cheers, Pete
>>>
>>> On Wednesday, 3 August 2016 08:57:24 UTC+10, Joshua Walderbach wrote:
>>>>
>>>> Ok I got it to work, I can log in as a domain user.  However editing my
>>>> user to be Admin doesn't stick.  I see it wants me to bind AD Groups to
>>>> Graylog Roles.  Can you point me in the right direction there?
>>>>
>>>> On Tue, Aug 2, 2016 at 4:11 PM, Pete GS <[email protected]> wrote:
>>>>
>>>>> Hmmmm seems my updates to my fields didn't get saved for some reason.
>>>>>
>>>>> Simply substitute the distinguished name "dc=company,dc=corp" for
>>>>> "dc=lab,dc=melbourneit,dc=com".
>>>>>
>>>>> All else should stay the same.
>>>>>
>>>>> Cheers, Pete
>>>>>
>>>>> On Wednesday, 3 August 2016 06:08:11 UTC+10, Joshua Walderbach wrote:
>>>>>>
>>>>>> I need help getting the correct Search Base DN, User Search Pattern,
>>>>>> and Group Mapping variables in Graylog 2.x.  I'm using Active Directory
>>>>>> and after entering information into step 1, Test Server Connection is
>>>>>> OK.  In my domain, company.corp, there is an OU called Roles and in that
>>>>>> a Group called Graylog.  I've assigned users to the Group.  I've tried
>>>>>> several different combinations and am unable to get anything to work
>>>>>> when I run a Login test.  Fails to connect or find user.
>>>>>>
>>>>>> Would anyone be so kind to explain what I need to do here?  AD is a
>>>>>> major weak spot for me.  Working on that.
>>>>>>
>>>>>> --
>>>>> You received this message because you are subscribed to a topic in the
>>>>> Google Groups "Graylog Users" group.
>>>>> To unsubscribe from this topic, visit
>>>>> https://groups.google.com/d/topic/graylog2/5LG1b_2a5AU/unsubscribe.
>>>>> To unsubscribe from this group and all its topics, send an email to
>>>>> [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/graylog2/22fa0696-13fb-4e17-8470-52e00912ad78%40googlegroups.com
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>>>
>>>>

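An added illustration, not part of the original thread and not Graylog's own code: a small Python model of how the search base and the search pattern discussed above interact, run over a constructed directory. The entry names, the `sAMAccountName` attribute in the user pattern and the simplified filter matching (an AND of `attr=value` terms with `*` as wildcard) are assumptions made for the example.

```python
import re

# Constructed sample directory (not from the thread): DN -> attributes.
DIRECTORY = {
    "CN=Jane Doe,OU=people,DC=domainname,DC=corp":
        {"objectClass": ["user"], "sAMAccountName": ["jdoe"]},
    "CN=Graylog,OU=Roles,DC=domainname,DC=corp":
        {"objectClass": ["group"], "cn": ["Graylog"]},
    "CN=Graylog Readers,OU=Roles,DC=domainname,DC=corp":
        {"objectClass": ["group"], "cn": ["Graylog Readers"]},
    "CN=Domain Admins,CN=Users,DC=domainname,DC=corp":
        {"objectClass": ["group"], "cn": ["Domain Admins"]},
}

def rdns(dn):
    # Naive split: fine for these sample DNs, ignores escaped commas.
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(dn, base):
    # The base DN is a literal container name; "*" has no meaning in it.
    base_rdns = rdns(base)
    return rdns(dn)[-len(base_rdns):] == base_rdns

def matches(attrs, ldap_filter):
    # Simplified: every (attr=value) term must match; "*" is a wildcard.
    terms = re.findall(r"\(([^()=&|!]+)=([^()]*)\)", ldap_filter)
    lowered = {k.lower(): v for k, v in attrs.items()}
    for attr, pattern in terms:
        rx = ".*".join(re.escape(p) for p in pattern.split("*"))
        values = lowered.get(attr.lower(), [])
        if not any(re.fullmatch(rx, v, re.IGNORECASE) for v in values):
            return False
    return bool(terms)

def search(base, ldap_filter):
    # Subtree search: entry must sit under the base AND match the pattern.
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base) and matches(attrs, ldap_filter)]

DOMAIN = "dc=domainname,dc=corp"
USER = "(&(objectClass=user)(sAMAccountName=jdoe))"  # login name filled in (assumed)
GROUP = "(&(objectClass=group)(cn=Graylog*))"

if __name__ == "__main__":
    for base, flt in [("cn=people," + DOMAIN, USER), ("ou=people," + DOMAIN, USER),
                      (DOMAIN, USER), ("cn=Graylog*,ou=Roles," + DOMAIN, GROUP),
                      ("ou=Roles," + DOMAIN, GROUP), (DOMAIN, "(objectClass=group)")]:
        print(f"{base:40} {flt:45} -> {len(search(base, flt))} entries")
```

The empty results come from the search base naming a container that does not exist (`cn=people` instead of `ou=people`, or a wildcard inside the base), while a wildcard in the pattern only narrows the entries found under a valid base.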