Open eduault opened 6 years ago
Your request currently makes only little sense from our point of view; you might want to give some context.
Why would you have a central user management (and have the ability in Graylog to work with group mappings to roles) and in addition want to have the ability to assign roles in the product? That would be, in our eyes, not logical, and you might want to give us some background information on why this makes sense.
As a Graylog administrator, I would like to be able to register and configure some users in Graylog using the Graylog "Authentication Management" screen, and allow those users to authenticate using their passwords registered in Active Directory. We are not using LDAP group mapping, only manual registration of users in Graylog. Active Directory is used only for user authentication (the passwords are managed by Active Directory).
In MongoDB, the users' passwords are set to: "User synced from LDAP".
Heyo @jalogisch,
a little input from my side on this:
> in addition you want to have the ability to assign roles in the product.
I kinda get what he wants. I'm having a similar issue at a friend's company that I'm helping out at. The AD groups in that company are managed by a separate dept., and they basically refuse to add any groups that are not managed or "thought of" by them or their strategy. And if you have any luck in forcing them to do it by going up the chain, they'll take their sweet time adding the groups. That's basically a use case where you would need to preassign roles in Graylog to users, since the AD integration only maps one role to one user. If you do not have multiple groups in your AD to map to, you're out of luck.
Greetings, Philipp
This refers to https://github.com/Graylog2/graylog2-server/issues/3968
Expected Behavior
A Graylog administrator should be able to register and configure Graylog users who are authenticating using Active Directory credentials, both in the Web interface and using the REST API, before the user authenticates for the first time. Therefore, it should be possible to register a user without a password if this user is authenticating using Active Directory, because there is no password in a user's JSON if this user has been registered after an authentication using Active Directory. It would also be useful to register in the user's JSON that this user is authenticating using Active Directory.
Current Behavior
The password is mandatory when the administrator tries to register a new user in the Web interface (Authentication > Users > Add new user), or using POST /users in the REST API Browser. The only way to register and configure a user who is authenticating using Active Directory is using this procedure:
Possible Solution
Steps to Reproduce (for bugs)
Context
Your Environment