Jason, I’ve just found this in the LDAP library we use: https://issues.apache.org/jira/browse/DIRAPI-196 <https://issues.apache.org/jira/browse/DIRAPI-196> According to the code change this is simply a warning that gets logged as an error, but it does not stop processing the entry.
I’ve uploaded an improved version to https://s3-eu-west-1.amazonaws.com/pre-release-snapshots/graylog-1.2.0-rc.5-SNAPSHOT-20150909154719.tar.gz <https://s3-eu-west-1.amazonaws.com/pre-release-snapshots/graylog-1.2.0-rc.5-SNAPSHOT-20150909154719.tar.gz> It is compatible with the RC.4 web interface, but won’t work with any version before that due to API changes in the LDAP config. This changes the following: - only request object attributes that are really necessary for both users and groups (the login test will still request all of them for the user) this should get rid of the blobs you are seeing and improve RTT for LDAP requests - for AD group membership is tested via memberOf queries and those groups are being looked up via their DN instead of browsing - generic LDAP support still falls back to iterating all groups according to group search base with group search filter in subtree scope - for setting up the group -> role mapping we still request all groups like described above. To answer some of the questions I really need to see the entire log output during login tests, actual logins and logins which fail. If you cannot share them publicly, please feel free to send me an email at k...@graylog.com <mailto:k...@graylog.com> Cheers, Kay > On 10 Sep 2015, at 03:28, Jason Haar <jason_h...@trimble.com> wrote: > > I've also just reconfigured to point to one domain instead of the GC > forest (ie ActiveDirectory port 389) and reconfigured accordingly. Made > no difference - it still can create new accounts on first login attempt, > but the user still sees "credentials are invalid" and the backend still > can't get any group information - with the filter set to > "(objectClass=group)". As before, removing the filter entirely allows > the user to log in - but they can't do anything as you need the LDAP > groups to have come through and they haven't. The logs still report the > error > > "ERR_04486_VALUE_ALREADY_EXISTS The value '20150319215008.0Z' already > exists in the attribute (dSCorePropagationData)" > > ...so that might be the problem > > -- > Cheers > > Jason Haar > Corporate Information Security Manager, Trimble Navigation Ltd. > Phone: +1 408 481 8171 > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 > > -- > You received this message because you are subscribed to the Google Groups > "Graylog Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to graylog2+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/graylog2/55F0DCD9.6050308%40trimble.com. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/4453BE76-8367-4BD7-831E-6C47348AE09E%40gmail.com. For more options, visit https://groups.google.com/d/optout.
