Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Graylog administrator should be able to register and configure Graylog users who are registered in Active Directory #5136

Open eduault opened 6 years ago

eduault commented 6 years ago

Expected Behavior

Graylog administrator should be able to register and configure Graylog users who are authenticating using Active Directory credentials, both in the Web interface and using the REST API, before the user authenticates for the first time. Therefore, it should be possible to register a user without a password if this user is authenticating using Active Directory, because there is no password in a user's JSON if this user has been registered after an authentication using Active Directory. It would also be useful to register in the user's JSON that this user is authenticating using Active Directory.

Current Behavior

The password is mandatory when the administrator tries to register a new user in the Web interface (Authentication > Users > Add new user), or using POST /users in the REST API Browser. The only way to register and configure a user who is authenticating using Active Directory is using this procedure:

  1. The user authenticates in the Web interface using his Active Directory credentials. At that moment, his account is not configured. For example, he has no additional role if the roles are managed by the Graylog administrator (i.e. not using LDAP groups).
  2. The administrator edits this user in the Authentication > Users page, and configures his account.
  3. The user reloads the Graylog page to access the resources.

Steps to Reproduce (for bugs)

  1. The administrator configures an Active Directory authentication
  2. The administrator tries to configure a user without a password


jalogisch commented 6 years ago

Your request currently makes only little sense from our point of view; you might want to give some context.

Why would you have a central user management (and have the ability in Graylog to work with group mappings to roles) and in addition want the ability to assign roles in the product? That would be - in our eyes - not logical, and you might want to give us some background information on why this makes sense.

eduault commented 6 years ago

As a Graylog administrator, I would like to be able to register and configure some users in Graylog using the Graylog "Authentication Management" screen, and allow those users to authenticate using their passwords registered in Active Directory. We are not using LDAP group mapping, only manual registration of users in Graylog. Active Directory is used only for the user authentication (the passwords are managed by Active Directory).

eduault commented 6 years ago

In MongoDB, the users' passwords are set to: "User synced from LDAP".

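The workaround described in the issue (the user logs in once via Active Directory, then the administrator configures the account) leaves a window in which externally-authenticated accounts exist with no roles beyond the defaults, and the only marker of such an account is the placeholder password the reporter found in MongoDB. The following audit script is an added example, not code from the issue or from the Graylog project: it reads user records of the shape described above (a "username", an optional "password" and a "roles" list; these field names, the "Reader" default role and the sample records are assumptions) and reports which accounts are externally authenticated and which of those are still waiting for administrator configuration.

```python
"""Audit Graylog user records for AD/LDAP-authenticated accounts that
still lack administrator configuration.

Added example, not part of the issue or of Graylog's own code base.
Assumptions (labelled as such): user records are dicts with a "username",
an optional "password" field and a "roles" list; the literal
"User synced from LDAP" is the placeholder the reporter observed in
MongoDB; "Reader" is assumed to be the default role every user receives.
"""
import json

# Placeholder value quoted in the issue for users synced from LDAP/AD.
LDAP_PASSWORD_PLACEHOLDER = "User synced from LDAP"

# Assumption: roles a user holds automatically after first login, i.e.
# a user whose roles are a subset of these has not been configured yet.
DEFAULT_ROLES = {"Reader"}

# Constructed sample records, not real exported data.
SAMPLE_USERS_JSON = json.dumps([
    # local account with a real (here: fake) password hash and an extra role
    {"username": "alice", "password": "<constructed-local-hash>", "roles": ["Admin"]},
    # AD user who has logged in once but was never configured
    {"username": "bob", "password": LDAP_PASSWORD_PLACEHOLDER, "roles": ["Reader"]},
    # AD user the administrator has already configured
    {"username": "carol", "password": LDAP_PASSWORD_PLACEHOLDER,
     "roles": ["Reader", "Dashboard Creator"]},
    # record with no password key at all, as the issue describes
    {"username": "dave", "roles": ["Reader"]},
])


def is_externally_authenticated(user: dict) -> bool:
    """True when the record carries no local credential: either the
    password key is absent or it holds the LDAP placeholder string."""
    password = user.get("password")
    return password is None or password == LDAP_PASSWORD_PLACEHOLDER


def needs_configuration(user: dict) -> bool:
    """An externally-authenticated user whose roles do not go beyond the
    defaults is still in the 'logged in once, awaiting admin' state."""
    roles = set(user.get("roles", []))
    return is_externally_authenticated(user) and roles <= DEFAULT_ROLES


def audit(users_json: str) -> dict:
    """Parse a JSON array of user records and classify them.

    Returns sorted username lists so the result is stable for reporting."""
    users = json.loads(users_json)
    external = sorted(u["username"] for u in users if is_externally_authenticated(u))
    pending = sorted(u["username"] for u in users if needs_configuration(u))
    return {"external": external, "pending_configuration": pending}


if __name__ == "__main__":
    report = audit(SAMPLE_USERS_JSON)
    print("externally authenticated:", ", ".join(report["external"]))
    print("awaiting configuration:  ", ", ".join(report["pending_configuration"]))
```

Run against a real export, the "pending_configuration" list is the set of accounts an administrator would have to visit under Authentication > Users before those users can reach anything beyond the default role; the placeholder comparison is the only signal available because, as the issue notes, nothing else in the record says the user is AD-authenticated.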

DerPhlipsi commented 6 years ago

Heyo @jalogisch,

a little input from my side on this:

in addition you want to have the ability to assign roles in the product.

I kinda get what he wants. I'm having a similar issue at a friend's company that I'm helping out on. The AD groups in that company are managed by a separate dept. and they basically refuse to add any groups that are not managed or "thought of" by them or their strategy. And if you have any luck in forcing them to do it by going up the chain, they'll take their sweet time adding the groups. That's basically a use case where you would need to preassign roles in Graylog onto users, since the AD integration only maps one role to one user. If you do not have multiple groups in your AD to map to, you're out of luck.

Greetings, Philipp

florianpopp commented 5 years ago

This refers to https://github.com/Graylog2/graylog2-server/issues/3968