No problems at all Joshua, glad I could help! And yes, essentially it looked like your search was being too specific.
The other part is the "cn=people". "cn" refers to an AD container, e.g. user or group. "ou" refers to an AD Organisational Unit. So if "people" is actually an OU, the syntax should be "ou=people".

In our Production environment I need to have a more direct base DN due to the large structure, so I have to specify "ou=blah,dc=blah,dc=com" to make it work.

Cheers,
Pete

On Wed, Aug 3, 2016 at 1:33 PM, Joshua Walderbach <[email protected]> wrote:

> Removing cn=people and cn=Graylog did the trick! Thank you!! I want to understand everything that is happening, I hope you don't mind me tapping your brain some more.
>
> The Search Base DN is telling GL to search, in my example, the domainname.corp for users. The search pattern specifically looks for an object class called user followed by their account name. Display Name Attribute tells GL how to display the name. Group Search then looks for groups listed under the OU of Roles and again in the domain. Then an object class of group followed by a name of Graylog*. So putting too much search criteria can cause an issue because you're looking too definitively, but broadening the scope allowed it to work. Is that correct?
>
> Thank you again for your help! This community has been very quick and eager to assist.
>
> -Joshua
>
> On Tue, Aug 2, 2016 at 5:49 PM, Pete GS <[email protected]> wrote:
>
>> Ah! I would remove the "cn=people" from your search base and the "cn=Graylog*" from your Group search base and Group search pattern to start with.
>>
>> If the number of groups returned is too large, you can try adding the "cn=Graylog*" back to just the search pattern entry.
>>
>> If all your accounts are in an OU called "people" and you want to restrict user searches to this OU, the correct syntax would be "ou=people,dc=domainname,dc=corp".
>>
>> Cheers,
>> Pete
>>
>> On Wednesday, 3 August 2016 09:36:18 UTC+10, Joshua Walderbach wrote:
>>>
>>> So while I can log in as a domain user, the test and user login work in the LDAP settings page, under LDAP Group Mapping it says:
>>>
>>> "No LDAP/Active Directory groups found. Please verify that your LDAP group mapping <https://graylog.influence-technologies.com/system/ldap> settings are correct."
>>>
>>> If I click on that link, it takes me to my LDAP Settings page. Here are my settings now:
>>>
>>> On Tue, Aug 2, 2016 at 5:24 PM, Pete GS <[email protected]> wrote:
>>>
>>>> Glad to hear it!
>>>>
>>>> If your company uses AD for authentication, then using AD groups will make it nice and easy to automatically assign roles to users via AD group membership.
>>>>
>>>> The second part of my email was about that topic.
>>>>
>>>> Once LDAP is configured, navigate to the LDAP Group Mapping tab where you should see a list of all your AD groups. Simply use the pull down beside the appropriate groups to assign the Graylog role to the group.
>>>>
>>>> One point to note is make sure your users are members of only one Graylog related group. Some applications/systems don't work well when a user is mapped to multiple groups that it uses for authentication and this can cause unexpected results. I'm not sure if Graylog has issues with this or not but it's safer just to ensure each user is a member of one group only that's used for Graylog LDAP group mapping.
>>>>
>>>> Hope that answers your question.
>>>>
>>>> Cheers,
>>>> Pete
>>>>
>>>> On Wednesday, 3 August 2016 08:57:24 UTC+10, Joshua Walderbach wrote:
>>>>>
>>>>> Ok I got it to work, I can log in as a domain user. However editing my user to be Admin doesn't stick. I see it wants me to bind AD Groups to Graylog Roles. Can you point me in the right direction there?
>>>>>
>>>>> On Tue, Aug 2, 2016 at 4:11 PM, Pete GS <[email protected]> wrote:
>>>>>
>>>>>> Hmmmm seems my updates to my fields didn't get saved for some reason.
>>>>>>
>>>>>> Simply substitute the distinguished name "dc=company,dc=corp" for "dc=lab,dc=melbourneit,dc=com".
>>>>>>
>>>>>> All else should stay the same.
>>>>>>
>>>>>> Cheers,
>>>>>> Pete
>>>>>>
>>>>>> On Wednesday, 3 August 2016 06:08:11 UTC+10, Joshua Walderbach wrote:
>>>>>>>
>>>>>>> I need help getting the correct Search Base DN, User Search Pattern, and Group Mapping variables in Graylog 2.x. I'm using Active Directory and after entering information into step 1., Test Server Connection is OK. In my domain, company.corp, there is an OU called Roles and in that a Group called Graylog. I've assigned users to the Group. I've tried several different combinations and am unable to get anything to work when I run a Login test. Fails to connect or find user.
>>>>>>>
>>>>>>> Would anyone be so kind to explain what I need to do here? AD is a major weak spot for me. Working on that.
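As an added example (not from the thread or from Graylog itself), here is a small in-memory model of the subtree search that the Search Base DN and search pattern describe. The directory entries are constructed, and it assumes Graylog substitutes the login name for `{0}` in the User Search Pattern. It reproduces the failure in the thread: a base of "cn=people,..." matches nothing when "people" is an OU, while "ou=people,..." (or the bare domain) finds the user, and a "cn=Graylog*" wildcard works in the group filter but not in the group search base.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample directory (made-up DNs and attributes, not a real AD).
DIRECTORY = [
    {"dn": "ou=people,dc=company,dc=corp", "objectClass": "organizationalUnit"},
    {"dn": "cn=jsmith,ou=people,dc=company,dc=corp", "objectClass": "user",
     "sAMAccountName": "jsmith"},
    {"dn": "ou=Roles,dc=company,dc=corp", "objectClass": "organizationalUnit"},
    {"dn": "cn=Graylog Admins,ou=Roles,dc=company,dc=corp", "objectClass": "group",
     "cn": "Graylog Admins"},
    {"dn": "cn=Graylog Readers,ou=Roles,dc=company,dc=corp", "objectClass": "group",
     "cn": "Graylog Readers"},
    {"dn": "cn=Domain Admins,cn=Users,dc=company,dc=corp", "objectClass": "group",
     "cn": "Domain Admins"},
]

def _rdns(dn):
    """Split a DN into lowercase (type, value) pairs, most specific first."""
    return [tuple(p.strip().lower() for p in part.split("=", 1))
            for part in dn.split(",")]

def in_subtree(dn, base_dn):
    """True when dn is at or below base_dn; the RDN types must match too,
    so cn=people never covers entries living under ou=people."""
    rdns, base = _rdns(dn), _rdns(base_dn)
    return len(rdns) >= len(base) and rdns[len(rdns) - len(base):] == base

def matches(entry, ldap_filter):
    """Evaluate a simple AND filter such as (&(objectClass=group)(cn=Graylog*))."""
    for attr, pattern in re.findall(r"\((\w+)=([^()]+)\)", ldap_filter):
        value = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
        if value is None or not fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True

def search(base_dn, ldap_filter):
    """Return DNs of entries under base_dn (subtree scope) matching ldap_filter."""
    return [e["dn"] for e in DIRECTORY
            if in_subtree(e["dn"], base_dn) and matches(e, ldap_filter)]

def user_search(base_dn, pattern, username):
    """Graylog's login test: the login name replaces {0} in the User Search Pattern."""
    return user_search_filter(base_dn, pattern.replace("{0}", username))

def user_search_filter(base_dn, ldap_filter):
    return search(base_dn, ldap_filter)
```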
