By: Dmitry Zaytsev user 30 Jan 2016 at 2:09 a.m. CST

10 Responses
Hi, there are a lot of products that use LDAP authentication. Would it be possible to expose the internal LDAP for this purpose? See Graylog's add-LDAP dialog, for instance:

![Graylog ldap setting](https://dl.dropboxusercontent.com/u/19181143/2016-01-30%2013_01_04-Graylog%20-%20LDAP%20Settings.png "enter image title here")

Where can I get the LDAP parameters? Thanks

By Aliaksandr Samuseu staff 30 Jan 2016 at 12:01 p.m. CST

Hi, Dmitry. Could you please provide a little more detail about your intended setup? By default, Gluu CE already uses authentication against either its internal LDAP directory or some LDAP-speaking backend. What exactly are you planning to do? Regards, Alex.

By Dmitry Zaytsev user 30 Jan 2016 at 12:12 p.m. CST

Hi Alex, this is my case:

* Gluu CE with its internal LDAP; I have set it up according to the guide https://www.gluu.org/docs/admin-guide/deployment/ubuntu.
* I'd like to set up LDAP authentication in Graylog using Gluu's internal LDAP.
* I need some configuration parameters like system user/password, search base and user search pattern; see the screenshot above.

Regards, Dmitry

By Michael Schwartz Account Admin 30 Jan 2016 at 10:34 p.m. CST

Just keep in mind that the firewall rules on your server would have to allow inbound 1636 (for LDAPS). Also, the best practice is to add a user in LDAP for this application, and to add ACIs to allow this user to perform search operations (to find the DN of the entry to BIND). Check the OpenDJ documentation for the latter. Of course the application will also have to know about the LDAP namespace (DIT) and schema too. We generally discourage LDAP as the application interface. It encourages a tight bundling of the application with the LDAP layer. And of course there is no SSO, and you're limited to passwords.

By Dmitry Zaytsev user 31 Jan 2016 at 4:31 a.m. CST

I'm totally with you. Unfortunately Graylog doesn't support OpenID; I can choose only between internal accounts and LDAP accounts.

> We generally discourage LDAP as the application interface. It encourages a tight bundling of the application with the LDAP layer.

I'll try to create a new LDAP user for the application, but how do I connect to the internal LDAP (localhost:1636)? Where can I get the credentials? Is there any default password for `cn=directory manager`? Or maybe I can find the password in config files?

Thanks, Dmitry

By Aliaksandr Samuseu staff 01 Feb 2016 at 1:32 p.m. CST

Hi, Dmitry. Ok, now I see your situation is somewhat unusual.

1. By default, Gluu's OpenDJ LDAP directory server does not filter clients' connections to it in any way. The only obstacle you may encounter is, as Mike has already noted, firewall software, both local to the Gluu host (iptables) and installed on other intermediate devices present on your network. Any sort of NAT device will also increase the complexity of the final setup. In a nutshell, you need to ensure that incoming TCP connections to ports 1389/1636 (these are the ports on which OpenDJ is listening by default) can reach the host where your Gluu instance is located.
2. For bind DN, `"cn=directory manager"` can indeed be used. Its password is equal to the password of the default admin account right after installation is completed (it's either chosen by you or auto-generated during setup). You can also view it by running `# grep -i -e 'ldappass=' /install/community-edition-setup/setup.properties.last`
3. For base DN you should choose `"ou=people,o=@!YOUR_ORG_INUM,o=gluu"`; the `"YOUR_ORG_INUM"` part you can learn by running an LDAP search against the internal directory with a filter clause like `('ou=people')`
4. For user search pattern you should use something like `(&(objectclass=gluuperson)(uid={0}))`
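Putting Mike's advice (a dedicated bind account for the application) together with Alex's parameters (the base DN and the `{0}` search pattern), the following is a worked example of the search-then-bind flow that an application like Graylog performs against the directory. It is added example code, not from Gluu, Graylog or anyone in this thread. It runs against an in-memory stand-in directory whose entries (the `cn=graylog-bind` service account, the `inum=...` people and all passwords) are constructed for the example, and its filter matcher only understands the AND-of-equalities shape of the pattern above. The point to take away is that the login name substituted into `{0}` must be escaped per RFC 4515; otherwise a name containing `*` or parentheses rewrites the filter. The `authenticate` function also refuses empty passwords and ambiguous search results.

```python
import re

# Parameters quoted in the thread; the org inum is a placeholder, not a real value.
BASE_DN = "ou=people,o=@!YOUR_ORG_INUM,o=gluu"
USER_SEARCH_PATTERN = "(&(objectclass=gluuperson)(uid={0}))"

# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a filter assertion value (RFC 4515) so user input cannot alter the filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:  # non-ASCII: escape each UTF-8 byte
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username: str, pattern: str = USER_SEARCH_PATTERN) -> str:
    """Substitute {0} in the Graylog-style pattern with the escaped login name."""
    return pattern.replace("{0}", ldap_filter_escape(username))


def _value_regex(raw: str) -> "re.Pattern[str]":
    """Compile one assertion value: \\XX sequences are literal bytes, a bare * is a wildcard."""
    parts, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            buf = bytearray()
            while i + 2 < len(raw) and raw[i] == "\\":
                buf.append(int(raw[i + 1:i + 3], 16))
                i += 3
            parts.append(re.escape(buf.decode("utf-8", errors="replace")))
        elif raw[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(raw[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def _matches(entry: dict, ldap_filter: str) -> bool:
    """Toy evaluator for the AND-of-equalities filter shape used above (not a full parser)."""
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    return bool(terms) and all(
        any(_value_regex(wanted).fullmatch(have) for have in entry.get(attr.lower(), []))
        for attr, wanted in terms
    )


class ToyDirectory:
    """In-memory stand-in for the LDAP server, constructed for this example only."""

    def __init__(self, entries):
        self._entries = {e["dn"].lower(): e for e in entries}

    def simple_bind(self, dn: str, password: str) -> bool:
        entry = self._entries.get(dn.lower())
        return entry is not None and entry.get("userpassword") == password

    def search(self, base_dn: str, ldap_filter: str) -> list:
        base = base_dn.lower()
        return [e for e in self._entries.values()
                if e["dn"].lower().endswith(base) and _matches(e, ldap_filter)]


def authenticate(directory, service_dn, service_password, username, password, base_dn=BASE_DN):
    """Search-then-bind: the service account locates the user's DN, then the user's own
    DN and password are checked with a second bind."""
    if not password:
        return False  # an empty password is an unauthenticated bind on real servers (RFC 4513)
    if not directory.simple_bind(service_dn, service_password):
        return False
    hits = directory.search(base_dn, build_user_filter(username))
    if len(hits) != 1:
        return False  # no match, or an ambiguous match: refuse rather than pick one
    return directory.simple_bind(hits[0]["dn"], password)


# Constructed sample directory: a dedicated bind account for the application plus two people.
SERVICE_DN = "cn=graylog-bind,ou=people,o=@!YOUR_ORG_INUM,o=gluu"
SAMPLE_DIRECTORY = ToyDirectory([
    {"dn": SERVICE_DN, "objectclass": ["inetorgperson"], "uid": ["graylog-bind"], "userpassword": "svc-secret"},
    {"dn": "inum=1001,ou=people,o=@!YOUR_ORG_INUM,o=gluu", "objectclass": ["gluuperson"], "uid": ["dmitry"], "userpassword": "hunter2"},
    {"dn": "inum=1002,ou=people,o=@!YOUR_ORG_INUM,o=gluu", "objectclass": ["gluuperson"], "uid": ["alex"], "userpassword": "s3cret"},
])

if __name__ == "__main__":
    print(build_user_filter("dmitry"))
    print(build_user_filter("*)(uid=*"))  # escaped, so it stays a literal (non-matching) username
    print(authenticate(SAMPLE_DIRECTORY, SERVICE_DN, "svc-secret", "dmitry", "hunter2"))
```

With the pattern substituted unescaped, a login name of `*` would match every `gluuperson` entry under the base DN; with escaping it becomes `(uid=\2a)` and matches nobody, and the exactly-one-hit check in `authenticate` is the second line of defence.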

By Aliaksandr Samuseu staff 01 Feb 2016 at 1:41 p.m. CST

You also should listen to Mike's recommendations on OpenDJ's setup.

By Dmitry Zaytsev user 02 Feb 2016 at 9:47 a.m. CST

Hi Michael, Aliaksandr, thank you for your help! I found the password for `cn=directory manager`, connected to Gluu's internal LDAP, and created a "bind" user for Graylog as Mike suggested. By default OpenDJ allows any user to read objects, so I didn't set any ACL. It works fine now; I was able to log on to Graylog using my Gluu username and password. Thank you again. Regards, Dmitry

By Aliaksandr Samuseu staff 02 Feb 2016 at 1:26 p.m. CST

Great, glad to hear it worked. I'm closing this ticket then. Feel free to open another one if you'll need further assistance.

By Abdulrazaq Adams user 29 Apr 2017 at 12:41 a.m. CDT

Hi, I would like to find out whether a similar solution as described here is possible with the community edition 3.0.1. Thank you.

By Aliaksandr Samuseu staff 29 Apr 2017 at 5:51 a.m. CDT

Hi, Abdulrazaq. CE 3.0 uses OpenLDAP now, but as it's still an LDAP directory, the general idea described here still holds. You should create a new ticket if you need further details.