Just wanted to say thanks for this solution, helped me a lot as I wanted to
do the same. Have ldap on, deny access by default and only grant users from
specific security groups access. This needs to be added as a feature
request.
Cheers Frank!
Björn
On Friday, January 22, 2016 at 9:05:29 PM UTC+1, Frank wrote:
>
> Never mind, figured it out.
>
> Just changed the user search pattern to check for group membership
>
>
> (&(objectClass=user)(sAMAccountName={0})(|(memberof=CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain)(memberof=CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain)))
>
> Now if the user isn't a member of one of those groups, they can't log in to
> graylog.
>
>
>
> On Friday, January 22, 2016 at 11:48:44 AM UTC-8, Frank wrote:
>>
>> I have ldap and group mappings all configured and working, but I would
>> like to restrict users that aren't in one of the group mappings to
>> basically have no access.
>>
>> Is there any way to do this?
>>
>> I don't want to have to move users' AD accounts into a specific Graylog OU
>> because we already have a hierarchy in place that I don't want to mess
>> with, I would just like an option in the LDAP configuration to change the
>> default role to NONE or no access or something.
>>
>
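An added example, not part of the thread and not Graylog code: one way to generate the search pattern above from a list of allowed group DNs, with RFC 4515 escaping of the DNs and a fail-closed check for an empty list. The function names are hypothetical; the optional `nested` flag assumes Active Directory and uses its LDAP_MATCHING_RULE_IN_CHAIN matching rule, since a plain `memberOf` comparison only matches direct group membership.

```python
# Added example: build the LDAP user search pattern from allowed group DNs.
# Function names are hypothetical; DNs are the placeholders used in the thread.

# Active Directory matching rule that also follows nested group membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515: backslash, *, (, ) and NUL."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_search_pattern(group_dns, nested=False):
    """Return a pattern that matches a user only if they are in an allowed group.

    {0} is left in place as the login-name placeholder, as in the thread.
    """
    if not group_dns:
        # Without a group clause the filter would match every user: fail closed.
        raise ValueError("refusing to build a filter with no allowed groups")
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    clauses = "".join(
        f"({attr}={escape_filter_value(dn)})" for dn in group_dns
    )
    if len(group_dns) > 1:
        clauses = f"(|{clauses})"
    return f"(&(objectClass=user)(sAMAccountName={{0}}){clauses})"


if __name__ == "__main__":
    allowed = [
        "CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain",
        "CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain",
    ]
    print(build_user_search_pattern(allowed))
    print(build_user_search_pattern(allowed, nested=True))
```

Group DNs that contain parentheses, asterisks or backslashes would otherwise change the meaning of the filter or make it invalid, which is why they are escaped before being placed in the pattern.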