Just wanted to say thanks for this solution, helped me a lot as I wanted to
do the same. Have LDAP on, deny access by default and only grant users from
specific security groups access. This needs to be added as a feature
request.
Cheers Frank!
Björn
On Friday, January 22, 2016 at 9:05:29 PM UTC+1, Frank wrote:
>
> Never mind, figured it out.
>
> Just changed the user search pattern to check for group membership
>
>
> (&(objectClass=user)(sAMAccountName={0})(|(memberof=CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain)(memberof=CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain)))
>
> Now if the user isn't a member of one of those groups, they can't log in to
> Graylog.
>
>
>
> On Friday, January 22, 2016 at 11:48:44 AM UTC-8, Frank wrote:
>>
>> I have LDAP and group mappings all configured and working, but I would
>> like to restrict users that aren't in one of the group mappings to
>> basically have no access.
>>
>> Is there any way to do this?
>>
>> I don't want to have to move users' AD accounts into a specific Graylog OU
>> because we already have a hierarchy in place that I don't want to mess
>> with, I would just like an option in the LDAP configuration to change the
>> default role to NONE or no access or something.
>>
>
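
Added example, not part of the original thread and not Graylog code: a small Python helper that builds the group-restricted user search pattern quoted above for any list of group DNs, escaping filter metacharacters in the DNs per RFC 4515. The function names are hypothetical, the group DNs are the placeholders from the post, and the `nested` option (Active Directory's in-chain matching rule, for users who belong to an allowed group only through a nested group) is an assumption that goes beyond what the thread describes.

```python
# Added example: build the group-restricted user search pattern from the thread.
# Function names are hypothetical; group DNs are the placeholders from the post.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
NESTED_RULE = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter assertion (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_pattern(group_dns, nested=False):
    """Return a pattern that matches a user only if they are in one of group_dns.

    {0} is left in place for Graylog to substitute the login name.
    nested=True uses AD's in-chain matching rule so members of groups nested
    inside the listed groups also match; plain memberOf is direct membership only.
    """
    if not group_dns:
        # Without a group clause the filter would match every user account.
        raise ValueError("at least one group DN is required")
    attr = "memberOf:%s:" % NESTED_RULE if nested else "memberOf"
    clauses = "".join("(%s=%s)" % (attr, escape_filter_value(dn)) for dn in group_dns)
    if len(group_dns) > 1:
        clauses = "(|%s)" % clauses
    return "(&(objectClass=user)(sAMAccountName={0})%s)" % clauses


def render_for_test(pattern, username):
    """Fill in {0} by hand, e.g. to try the filter with ldapsearch before deploying."""
    return pattern.replace("{0}", escape_filter_value(username))


GROUPS = [
    "CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain",
    "CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain",
]

if __name__ == "__main__":
    print(build_search_pattern(GROUPS))
    print(build_search_pattern(GROUPS, nested=True))
    print(render_for_test(build_search_pattern(GROUPS[:1]), "jdoe"))
```
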