Server configuration
Go to http://<graylog_server>/system/authentication/config/legacy-ldap
Tick "Enable LDAP" duh!
Set the server type - in my case it's Active Directory
Server address ldap:// <IP address or FQDN of your domain controller> : 389
If you are using this externally, you really should be using ldaps to ensure that your authentication between the graylog server and the DC is encrypted... in fact it's best practice to do this as standard
System username: This is the full URL for a user who has permissions to browse the AD. In my case I create a service account user just for this purpose. They don't have any other access and don;t forget to set the account and password to never expire.
CN=LDAP-Authentication-Only,OU=Service-Accounts,OU=Users,DC=uk,DC=company,DC=local
Don't know what the full URL is? Just install Softera LDAP Browser and look at the properties for your user and you can extract the URL.
System password: <The service account password>
Test Server connection.. go on... get a green message before proceeding!
User mapping
Search Base DN: You don't want to search the whole AD, so this allows you to specify the folder that you want to search below. Usually this is your Users OU - again use Softera to find the full URL
OU=Users,DC=uk,DC=company,DC=local
User search pattern: This is used to make sure you only have user objects and search for the samAccount name - basically it means you can log in with your short username e.g. jsmith rather than your full email address. Just use the setting they tell you:
(&(objectClass=user)(sAMAccountName={0}))
Display Name Attribute: How you want your user to appear, I just used displayName, but you could use cn if you wanted "Firstname Lastname"
At this stage, you can now go to step 5 and do a login test... hopefully it should all go well, and you can save your changes and anyone in the AD can log on!
If it fails, make sure you are not using a username that is already in the graylog user database... this caught me out and I had to delete the local user before it would work.
Group Mapping
The first time you log in with an AD accoint you will notice that you don't have a search option, this is because Graylog have decided that they want regular users to use streams.
If you want AD users to be admins (and have search capabilities) you need to set up Group Mappings.
First thing to do is set up a couple of Security Groups in AD. I chose to call them "Graylog Users" and "Graylog Admins"
Group Search Base is very similar to the Search Base DN you just set up.. but in this case point it to the OU that has all your groups below it.
OU=Groups,DC=uk,DC=company,DC=local
Group Search Pattern should be set up to tell Graylog to search for groups with a particular string, in my case I used:
(&(objectClass=group)(cn=Graylog*))
Note that this is CaSe SeNsItIve
Group Name Attribute should be cn
Default User Role defines what permissions everyone is created with when they log on for the first time. I left mine at Reader - basic access as I don't want everyone able to break my system.
You should no save your changes.
Now it's time to map your Active Directory groups to Graylog roles by going to http://<graylog_server>/system/ldap/groups
Just pick your AD groups and assign the permissions you want for members of that group.
Congratulations you have set it up..now log on with your AD/LDAP user and start playing :)
