Graylog2-server: Support for AD nested groups

Created on 21 Sep 2015 · 27Comments · Source: Graylog2/graylog2-server

It would be great if Graylog could support so-called nested groups in AD.
The easiest way to do this would be to have the group member attribute configurable. You can then use a special object ID as described in https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx.

Some information on how this is handled in some other tool (Nexus): https://support.sonatype.com/entries/31005457-How-to-Configure-Nexus-to-use-Active-Directory-Nested-Groups

feature ldap triaged

Source

andham

👍31

Most helpful comment

:+1:
For us it's a show stopper, we rely on nested groups from Active Directory because if a new one joins the company, it's easy to add him to a few groups and there are the direct permission groups for all the applications. Would be awesome if it's possible to add this to Graylog 2.0 :)

nixcorn on 30 Mar 2016

👍8

All 27 comments

Also looking for this. With the current implementation src/main/java/org/graylog2/security/ldap/LdapConnector.java needs to do a query for each group to see if those are a member of some other group (member:1.2.840.113556.1.4.1941:=CN=)

alpar-t on 28 Sep 2015

"member:1.2.840.113556.1.4.1941:=CN=" is good for authentication but it would be great if group mapping support nested groups

matthgyver on 9 Feb 2016

nixcorn on 30 Mar 2016

👍8

Yup, this is a big issue for our setup too. We separate our group into access groups which have one-to-one relationships with specific permissions and services and role groups, which contain users and are members of different access groups.

In fact I'm surprised this issue hasn't gotten more attention! It's been open for a year.

arnefm on 14 Sep 2016

Ditto. We've just started getting complaints of people not having the correct access and ended up tracking it back to a nested groups issue

jhaar on 28 Nov 2016

We are also in dire need for this functionality.

simonpie on 1 May 2017

+1 for this feature since we have to use our organizational groups instead of the permission groups defined in Active Directory, so we have change the permissions twice if anything is to be changed.

CoolDuke on 17 May 2017

👍2

Hi, is there any news about this feature ?

Dainii on 8 Nov 2017

We would really need this.
Hope it is comming soon :)

Wicht78 on 15 Dec 2017

@jalogisch is it possible to "donate" this feature? Via BountySource or similar?

shakalandy on 5 Mar 2018

@shakalandy Please contact our sales team at https://graylog.org/contact-sales or via [email protected] for finding out how this aligns with our general business strategy.

joschi on 13 Mar 2018

Any news on this feature? I assume it's not being considered for the v3 release?

samoz83 on 28 Jun 2018

I'm also very interested on this. It would be a very useful feature.

ivazqueza on 10 Sep 2018

lukaszpatyra on 24 Sep 2018

matthiasdoering on 19 Oct 2018

nhanct on 6 Nov 2018

Not sure if this helps but the query needed here is (member:1.2.840.113556.1.4.1941:={distinguishedname})

Where {distinguishedname} is the dn of the user being looked up.

It looks like https://github.com/Graylog2/graylog2-server/blob/20ab7325eb82ec09c08ece0433e183412f32a05d/graylog2-server/src/main/java/org/graylog2/security/ldap/LdapConnector.java#L200 is a good place to start. I'm not 100% sure how to get the stack working currently to test this fix though

exussum12 on 19 Nov 2018

This has been open for three years.. are you planning to implement this at all? I'd love to see this feature as well.

OmniTroid on 3 Jan 2019

👍3

Is this related to the fact that I cannot map any groups from this cn=groups,dc=subdomain,dc=domain,dc=tld ? (nothing show up in LDAP group mapping)

pirona on 1 Apr 2019

@pirona likely not - or did you have groups in groups in that?

jalogisch on 1 Apr 2019

@pirona likely not - or did you have groups in groups in that?

No, no sublevels in this folder. Sorry for the topic mismatch then.

pirona on 1 Apr 2019

Hi,
any updates on this ? It is a common usage pattern in the Active Directory context to use nested groups.

mungo312 on 24 Oct 2019

👍1

It seems that this issue is not longer exist? Actually we tested it with nested groups from a Active Directory and it seems to work fine without any occurrence of error messages in the log. Also the relation for the groups have been set accordingly.

Workaround/Solution

Use a major group where the other groups are nested in your Active Directory. Then use a "User Search Pattern" with memberOf-Function.

Steps to Reproduce

Create major group
Set group inheritage for the inherit groups
Use following User Query for Example:
(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberof:1.2.840.113556.1.4.1941:=cn=major_group,cn=Users,ou=Group-Unit,ou=nextunit,ou=anotherunit,dc=ex,dc=sample,dc=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Tested Environment

Graylog Version: 3.1.4+1149fe1, codename Quantum Dog
Elasticsearch Version: 6.8.6
MongoDB Version: v4.3.0-707-g284630e-patch-5d3f10cc850e612543561a3a
Operating System:
NAME="Red Hat Enterprise Linux"
VERSION="8.1 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.1"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.1 (Ootpa)"
Browser version: Firefox Quantum 68.4.1esr (64-Bit)

@bernd @jalogisch could this be the solution or workaround for that issue? Can you may please add some explanation from the code perspective to this?

A possible Attribute Option in the product would be still good and could still be a valid feature request. At least it would make things easier for some people.

xtruthx on 5 Feb 2020

🚀1 👍1

@xtruthx I've tried what you suggest with following setup on Graylog 3.2.2, but it does not seem to work. Do you see anything I could have missed?

My AD structure:
Graylog_Major_Group (DN used in the user query)

Graylog_Admin
- Graylog_AdminNested

For user in Graylog_Admin group, the login works as expected. Logging in with user from Graylog_AdminNested fails with error:

2020-03-19 12:39:25,113 ERROR: org.graylog2.security.realm.LdapUserAuthenticator - Error during LDAP user account sync. Cannot log in user testuser,
java.lang.RuntimeException: ERR_02002_FAILURE_ON_UNDERLYING_CURSOR Failure on underlying Cursor.,
    at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:89) ~[graylog.jar:?],
    at org.graylog2.security.ldap.LdapConnector.search(LdapConnector.java:142) ~[graylog.jar:?],
    at org.graylog2.security.realm.LdapUserAuthenticator.searchLdapUser(LdapUserAuthenticator.java:160) ~[graylog.jar:?],
    at org.graylog2.security.realm.LdapUserAuthenticator.doGetAuthenticationInfo(LdapUserAuthenticator.java:110) [graylog.jar:?],
    at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571) [graylog.jar:?],
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219) [graylog.jar:?],
    at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269) [graylog.jar:?],
    at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) [graylog.jar:?],
    at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) [graylog.jar:?],
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:274) [graylog.jar:?],
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260) [graylog.jar:?],
    at org.graylog2.shared.security.SessionCreator.create(SessionCreator.java:77) [graylog.jar:?],
    at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:129) [graylog.jar:?],
    at sun.reflect.GeneratedMethodAccessor1060.invoke(Unknown Source) ~[?:?],
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_242],
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_242],
    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) [graylog.jar:?],
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) [graylog.jar:?],
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) [graylog.jar:?],
    at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) [graylog.jar:?],
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) [graylog.jar:?],
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) [graylog.jar:?],
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) [graylog.jar:?],
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) [graylog.jar:?],
    at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [graylog.jar:?],
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?],
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?],
    at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?],
    at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?],
    at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?],
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?],
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?],
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?],
    at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?],
    at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?],
    at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181) [graylog.jar:?],
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_242],
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242],
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242],
Caused by: org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException,
    at org.apache.directory.ldap.client.api.EntryCursorImpl.get(EntryCursorImpl.java:174) ~[graylog.jar:?],
    at org.apache.directory.ldap.client.api.EntryCursorImpl.get(EntryCursorImpl.java:52) ~[graylog.jar:?],
    at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:82) ~[graylog.jar:?],
    ... 38 more,

rsirny on 19 Mar 2020

@xtruthx I've tried what you suggest with following setup on Graylog 3.2.2, but it does not seem to work. Do you see anything I could have missed?

My AD structure:
Graylog_Major_Group (DN used in the user query)

* Graylog_Admin

  * Graylog_AdminNested

For user in Graylog_Admin group, the login works as expected. Logging in with user from Graylog_AdminNested fails with error:

2020-03-19 12:39:25,113 ERROR: org.graylog2.security.realm.LdapUserAuthenticator - Error during LDAP user account sync. Cannot log in user testuser,
java.lang.RuntimeException: ERR_02002_FAILURE_ON_UNDERLYING_CURSOR Failure on underlying Cursor.,
  at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:89) ~[graylog.jar:?],
  at org.graylog2.security.ldap.LdapConnector.search(LdapConnector.java:142) ~[graylog.jar:?],
  at org.graylog2.security.realm.LdapUserAuthenticator.searchLdapUser(LdapUserAuthenticator.java:160) ~[graylog.jar:?],
  at org.graylog2.security.realm.LdapUserAuthenticator.doGetAuthenticationInfo(LdapUserAuthenticator.java:110) [graylog.jar:?],
  at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571) [graylog.jar:?],
  at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219) [graylog.jar:?],
  at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269) [graylog.jar:?],
  at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) [graylog.jar:?],
  at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) [graylog.jar:?],
  at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:274) [graylog.jar:?],
  at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260) [graylog.jar:?],
  at org.graylog2.shared.security.SessionCreator.create(SessionCreator.java:77) [graylog.jar:?],
  at org.graylog2.rest.resources.system.SessionsResource.newSession(SessionsResource.java:129) [graylog.jar:?],
  at sun.reflect.GeneratedMethodAccessor1060.invoke(Unknown Source) ~[?:?],
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_242],
  at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_242],
  at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81) [graylog.jar:?],
  at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144) [graylog.jar:?],
  at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161) [graylog.jar:?],
  at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:205) [graylog.jar:?],
  at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99) [graylog.jar:?],
  at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389) [graylog.jar:?],
  at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347) [graylog.jar:?],
  at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102) [graylog.jar:?],
  at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326) [graylog.jar:?],
  at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271) [graylog.jar:?],
  at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267) [graylog.jar:?],
  at org.glassfish.jersey.internal.Errors.process(Errors.java:315) [graylog.jar:?],
  at org.glassfish.jersey.internal.Errors.process(Errors.java:297) [graylog.jar:?],
  at org.glassfish.jersey.internal.Errors.process(Errors.java:267) [graylog.jar:?],
  at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317) [graylog.jar:?],
  at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305) [graylog.jar:?],
  at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154) [graylog.jar:?],
  at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:384) [graylog.jar:?],
  at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:224) [graylog.jar:?],
  at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:181) [graylog.jar:?],
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_242],
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242],
  at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242],
Caused by: org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException,
  at org.apache.directory.ldap.client.api.EntryCursorImpl.get(EntryCursorImpl.java:174) ~[graylog.jar:?],
  at org.apache.directory.ldap.client.api.EntryCursorImpl.get(EntryCursorImpl.java:52) ~[graylog.jar:?],
  at org.apache.directory.api.ldap.model.cursor.CursorIterator.next(CursorIterator.java:82) ~[graylog.jar:?],�
  ... 38 more,

Without your settings in Graylog in special without your search queries i can not give you a valid answer.

xtruthx on 21 Apr 2020

For us the actual problem is not to limit the users to the members of one group. We need to use the group mapping feature to map members of nested groups to roles in graylog. The before mentioned LDAP filter is no help at all for our usage scenario.
The Issue is open since 2015 and there was no real effort invested from the Graylog Team, as far as I can see. Is this a supported feature in enterprise edition ? Can we speed up the process by getting enterprise and then open an issue ?

mungo312 on 11 Aug 2020

👍2

For us the actual problem is not to limit the users to the members of one group. We need to use the group mapping feature to map members of nested groups to roles in graylog. The before mentioned LDAP filter is no help at all for our usage scenario.
The Issue is open since 2015 and there was no real effort invested from the Graylog Team, as far as I can see. Is this a supported feature in enterprise edition ? Can we speed up the process by getting enterprise and then open an issue ?

I managed to make it work actually.

i've created the following structure:

graylog-base
- level1-group
  
  -level2-group

With this setup and using filters:

Users:
(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberof:1.2.840.113556.1.4.1941:=cn=graylog-base,ou=your_ou,dc=your_dc,DC=blabla)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Groups:
(&(objectClass=group)(memberof:1.2.840.113556.1.4.1941:=cn=graylog-base,ou=your_ou,dc=your_dc,DC=blabla)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Results:
User in level1-group can login
user in level2-group can login
Both groups are mapped into graylog

Hope that helps!