graylog-labs / graylog2-web-interface

[DEPRECATED]
https://www.graylog.org/

LDAP Group Mapping #1695

Closed CalebTodd closed 8 years ago

CalebTodd commented 8 years ago

I am on version v1.2.2 (91c7822)

Two issues: 1) My LDAP Group Mappings are reverting to 'none'. It will stick for a short while, but reverts (within an hour or so).

I've read articles which indicate some possible fixes in 1.2.2 if I'm using certain characters. However, my AD group is 'graylogQA' which should map to the 'QA' role. So, no special characters here. Not sure what gives.

2) When I do get it to stick, I can test a user and it seems to show that it finds the correct role based on that user's AD group. However, when I log in with that user, it just assumes the default (reader) role. I've deleted & re-logged in multiple times with no change.


In the Server logs (setting org.graylog2.security.ldap.LdapConnector to TRACE), I see this:

2015-11-12_20:35:21.16434 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
2015-11-12_20:35:21.16434 at java.lang.Thread.run(Thread.java:745)
2015-11-12_20:36:18.70220 TRACE [LdapConnector] Connecting to LDAP server +DC-IP-Address+:389, binding with user +AD-Service account+
2015-11-12_20:36:18.70658 TRACE [LdapConnector] Search ActiveDirectory for (&(objectClass=user)(sAMAccountName=caleb.qa)), starting at +Base-DN+
2015-11-12_20:36:18.70870 TRACE [LdapConnector] Looking up group +CN of AD group+
2015-11-12_20:36:18.70981 TRACE [LdapConnector] Resolved +CN of AD group+ to group cn: QA
2015-11-12_20:36:18.70986 TRACE [LdapConnector] Re-binding with DN +CN of test user account+ using password
2015-11-12_20:36:18.71131 TRACE [LdapConnector] Binding DN +CN of test user account+ did not throw, connection authenticated: true
2015-11-12_20:38:45.84154 INFO [AbstractValidatingSessionManager] Validating all active sessions...
2015-11-12_20:38:45.87812 INFO [AbstractValidatingSessionManager] Finished session validation. No sessions were stopped.

This log makes me think things are working. But I'm stuck between it not giving correct permissions when the LDAP Group Mappings are there and it just reverting altogether. Thoughts are appreciated.
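The TRACE lines above show the full chain Graylog's LdapConnector walks for one login: service-account bind, user search by sAMAccountName, group lookup, group resolution to a cn, and the re-bind with the user's own credentials. When the role that finally lands on the user does not match what that chain resolved, it helps to pull the chain out of the log mechanically and compare it against the configured group-to-role table. The script below is an added example, not Graylog code and not part of this issue; the sample log is constructed from the lines quoted above (the +placeholder+ tokens are kept as the reporter redacted them), and `GROUP_ROLE_MAPPING` is an assumed stand-in for the mapping table in the UI. It also shows the search filter from the log rebuilt with RFC 4515 escaping, which is why a plain name like `caleb.qa` passes through unchanged while filter metacharacters in a login name would not.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample, modelled on the TRACE output quoted in the issue.
SAMPLE_TRACE = """\
2015-11-12_20:36:18.70220 TRACE [LdapConnector] Connecting to LDAP server +DC-IP-Address+:389, binding with user +AD-Service account+
2015-11-12_20:36:18.70658 TRACE [LdapConnector] Search ActiveDirectory for (&(objectClass=user)(sAMAccountName=caleb.qa)), starting at +Base-DN+
2015-11-12_20:36:18.70870 TRACE [LdapConnector] Looking up group +CN of AD group+
2015-11-12_20:36:18.70981 TRACE [LdapConnector] Resolved +CN of AD group+ to group cn: QA
2015-11-12_20:36:18.70986 TRACE [LdapConnector] Re-binding with DN +CN of test user account+ using password
2015-11-12_20:36:18.71131 TRACE [LdapConnector] Binding DN +CN of test user account+ did not throw, connection authenticated: true
"""

# Assumed stand-in for the LDAP Group Mapping table configured in the UI:
# resolved AD group cn -> Graylog role name.
GROUP_ROLE_MAPPING = {"QA": "QA", "graylogAdmins": "Admin"}

SEARCH_RE = re.compile(r"Search ActiveDirectory for \(&\(objectClass=user\)\(sAMAccountName=([^)]*)\)\)")
RESOLVED_RE = re.compile(r"Resolved (.+?) to group cn: (\S+)")
AUTH_RE = re.compile(r"connection authenticated: (true|false)")


@dataclass
class LdapLoginTrace:
    """What one login attempt resolved to, as reconstructed from TRACE lines."""
    user: Optional[str] = None
    groups: Dict[str, str] = field(default_factory=dict)  # group DN/CN as logged -> resolved cn
    authenticated: Optional[bool] = None


def parse_ldap_trace(text: str) -> LdapLoginTrace:
    """Walk the LdapConnector lines and pick out user, resolved groups and bind result."""
    trace = LdapLoginTrace()
    for line in text.splitlines():
        if "[LdapConnector]" not in line:
            continue
        if m := SEARCH_RE.search(line):
            trace.user = m.group(1)
        elif m := RESOLVED_RE.search(line):
            trace.groups[m.group(1)] = m.group(2)
        elif m := AUTH_RE.search(line):
            trace.authenticated = m.group(1) == "true"
    return trace


def expected_roles(trace: LdapLoginTrace, mapping: Dict[str, str]) -> list:
    """Roles the user should end up with if the mapping table were applied to
    the groups the connector resolved. Compare against the role the UI shows."""
    return sorted({mapping[cn] for cn in trace.groups.values() if cn in mapping})


# RFC 4515 escapes for characters that carry meaning inside a search filter.
LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login_name: str) -> str:
    """The same AD user lookup filter that appears in the log, built safely."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(login_name)}))"


if __name__ == "__main__":
    t = parse_ldap_trace(SAMPLE_TRACE)
    print(f"user={t.user} authenticated={t.authenticated} groups={t.groups}")
    print("roles expected from mapping:", expected_roles(t, GROUP_ROLE_MAPPING))
    print("filter:", user_search_filter(t.user or ""))
```

Run it against a real server.log with `org.graylog2.security.ldap.LdapConnector` at TRACE and replace `GROUP_ROLE_MAPPING` with the table from the UI; if `expected_roles` reports the role you configured but the logged-in user still only has the default role, the resolution step is fine and the problem is downstream of the connector, which is the situation the reporter describes.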

kroepke commented 8 years ago

Hi!

I believe this could be the same problem as described in https://github.com/Graylog2/graylog2-server/issues/1513, in which case we are already looking to fix it in our next release 1.3.

bernd commented 8 years ago

This should be fixed in the upcoming Graylog 1.3 release. Please re-open this if you still have an issue with 1.3. Thank you!