LDAP Role assignment not working (depending on name?) #1453
Comments
Hi, The attached stacktrace doesn't help much to figure out the problem, could you please turn the log level of That logs all kinds of details about searches performed and the entities returned, and may help you to figure out the problem. In case you need some help with it, please send the log output to support@graylog.com if you can't share it publicly.
Hi, we are facing the same issue here. I just sent you a trace via email. The error seems to come from a group that belongs to a trust from another forest we have. I think you should ignore groups that are outside of our base DN.
Along with the trace, a warning is also shown:
Just like @bonzi316, the user in this case also has groups that belong to another domain. Because of that, the group lookup returns null, which causes a NullPointerException (see https://github.com/Graylog2/graylog2-server/blob/master/graylog2-server/src/main/java/org/graylog2/security/ldap/LdapConnector.java#L168). So I agree with @bonzi316 that filtering out groups is a good idea, or at least, check if null was returned for the group lookup.
Hi, any idea when this fix will be released? Since it affects role mapping for users, it's a blocker for us. Thanks
The group lookup can fail if the group belongs to a different domain and the connection user is not allowed to look up details. Log a message to DEBUG if the lookup failed to make this debuggable. Fixes #1453
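The two defensive checks proposed in the thread (skip groups outside the configured base DN, and tolerate a group lookup that returns nothing instead of dereferencing it) as an added, constructed example; this is not Graylog's code, and the in-memory directory, the role mapping and the function names are assumptions for illustration:

```python
"""Constructed example: resolve LDAP group memberships to roles without
crashing when a group lives in a trusted forest or cannot be read."""
import logging
from typing import Callable, Dict, List, Optional

log = logging.getLogger("ldap-role-mapping")


def _normalize_dn(dn: str) -> str:
    """Lower-case and strip RDN components so DNs compare by value."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under_base_dn(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or sits below it (on an RDN boundary)."""
    dn_n, base_n = _normalize_dn(dn), _normalize_dn(base_dn)
    return dn_n == base_n or dn_n.endswith("," + base_n)


def resolve_roles(member_of: List[str], base_dn: str,
                  lookup_group: Callable[[str], Optional[Dict[str, str]]],
                  group_to_role: Dict[str, str]) -> List[str]:
    """Map a user's memberOf DNs to roles, skipping unusable groups."""
    roles = []
    for dn in member_of:
        if not is_under_base_dn(dn, base_dn):
            log.debug("Ignoring group %s: outside base DN %s", dn, base_dn)
            continue
        group = lookup_group(dn)          # may be None (unreadable group)
        if group is None:
            log.debug("Group lookup for %s returned nothing; skipping", dn)
            continue
        role = group_to_role.get(group.get("cn", ""))
        if role and role not in roles:
            roles.append(role)
    return roles


# Constructed directory: one group in the local forest is readable, one is
# under the base DN but unreadable by the bind user, one is in a trusted forest.
_DIRECTORY = {
    "CN=NLD-W-Admins,OU=Groups,DC=corp,DC=example,DC=com": {"cn": "NLD-W-Admins"},
}
_MEMBER_OF = [
    "CN=NLD-W-Admins,OU=Groups,DC=corp,DC=example,DC=com",
    "CN=NLD-W-Readers,OU=Groups,DC=corp,DC=example,DC=com",
    "CN=NLD-W-Admins,OU=Groups,DC=partner,DC=example,DC=net",
]
_ROLE_MAP = {"NLD-W-Admins": "Admin", "NLD-W-Readers": "Reader"}


def demo() -> List[str]:
    """Run the mapping over the constructed user; only 'Admin' survives."""
    return resolve_roles(_MEMBER_OF, "DC=corp,DC=example,DC=com",
                         _DIRECTORY.get, _ROLE_MAP)
```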
Confirmed the problem is solved with 1.2.2.
@Ikke Thanks for the feedback! 😃
We're trying to set up LDAP group mappings and notice that in some cases it's not working properly (i.e., the user is not assigned the proper group and does not see the streams assigned to that group).
Preliminary testing shows it might depend on the group name:
We tried several times renaming the group, assigning a role to that group, and verifying whether that user would see the stream assigned to that role.
The group query we used is:
(&(objectClass=group)(cn=NLD-W*))
The Graylog server log shows this: