graylog-labs / graylog2-web-interface

[DEPRECATED]
https://www.graylog.org/

does ldap support recursing through DNS record? #1551

Open jhaar opened 9 years ago

jhaar commented 9 years ago

Hi there

We use Active Directory, so I point our graylog-web LDAP config at "domain.ltd" as that resolves to a bunch of domain controllers via the DNS name resolving to all the domain controller IPs (standard AD feature). Provides effortless redundancy. The problem I'm seeing is that once in a while people get "access denied" on a login attempt into graylog-web. As their browser has pre-filled in cached credentials, this isn't a "bad password" problem - the login is failing erroneously.

Anyway, my theory as for the root cause is that it looks like our AD server team wasn't keeping a tidy house and one of the old DCs had been decommissioned and yet still remained in the DNS record. So what could be happening is that every once in a while someone would attempt to log into graylog-web and it would hang (trying to connect to the dead DC) and would return "access denied".

So it sounds like graylog-web isn't handling DNS names resolving to multiple A records as well as it should? It should have some code to try one, and after (say) 5sec timeout, try another, and not actually give up until it gets an official LDAP connection telling it ok/fail. BTW, AD is also known to accept TCP connections on ports that it doesn't actually have services running on, hence my comment about looking for an "official LDAP connection" before making decisions...

Obviously in my case, after one of these "access denied" events, if we just try again, it invariably works - because it would then try a different/working IP address - but it's certainly inconsistent.

BTW I just wrote a script to iterate through all our DCs with the same credentials and they all worked except for the dead one (obviously) - so I think that confirms my theory (i.e. I can't think of another way that duplicates the symptom).

Thanks!

libby2cm commented 8 years ago

I don't believe so. I have ours set to just hit the DC holding the PDC emulator role, but I am going to log a bug, as it appears the LDAP implementation in graylog is buggy. For example, nearly everytime you login, you have to login twice. The first attempt fails, then you try again, and it succeeds (not a PW issue). Also, on the Users screen, and click 'LDAP group mapping', it will say no groups found, but then if you refresh the page, the groups show up. It works fine for awhile, but if you come back about 5-10 minutes later, the same behavior happens. It appears graylog trys to maintain a persistent LDAP connection/session, that goes stale, then it tries to use it, and the operation fails. Probably just need some code tweaks to handle the LDAP connections a little cleaner.