Just wanted to say thanks for this solution, helped me a lot as I wanted to 
do the same. Have ldap on, deny access by default and only grant users form 
specific security groups access. This needs to be added as a feature 
request.

Cheers Frank!

Björn

On Friday, January 22, 2016 at 9:05:29 PM UTC+1, Frank wrote:
>
> Never mind, figured it out.
>
> Just changed the user search pattern to check for group membership
>
>
> (&(objectClass=user)(sAMAccountName={0})(|(memberof=CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain)(memberof=CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain)))
>
> Now if the user isn't a member of one of those groups, they can't login to 
> graylog.
>
>
>
> On Friday, January 22, 2016 at 11:48:44 AM UTC-8, Frank wrote:
>>
>> I have ldap and group mappings all configured and working, but I would 
>> like to restrict users that aren't in one of the group mappings to 
>> basically have no access.
>>
>> Is there any way to do this?
>>
>> I don't want to have to move user's AD accounts into a specifc Graylog OU 
>> because we already have a hierarchy in place that I don't want to mess 
>> with, I would just like an option in the LDAP configuration to change the 
>> default role to NONE or no access or something.
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/51d85efb-7f92-4082-baaf-826af138c58f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to