# graylog-groups configuration example / documentation # ===================================================== # LDAP server configuration # -------------------------- ldap: # The LDAP server's host name or IP address. REQUIRED. host: ldap.example.org # Port number - usually 389 for clear/starttls or 636 for TLS. Defaults to # 389. port: 636 # TLS mode. This must be either "yes" for the non-standard, pure TLS mode, # "starttls" for TLS over a clear connection, or "no" to use a clear # connection. Defaults to "no". tls: yes # CA certificate chain. Can be omitted if the systems' trusted CAs must be # used, or if no TLS is being used. cachain: /path/to/ca/chain.pem # LDAP user (as a DN) and password to bind with. Both fields may be omitted # if anonymous binding is to be used. bind_user: cn=graylog,ou=automation,dc=example,dc=org bind_password: drowssap # LDAP attributes which may contain either the UIDs or the DNs of the groups' # members. If the fields contain the DN, the first element will be extracted # and used as the username. REQUIRED. member_fields: - member - uniqueMember - memberUid # Graylog server info # -------------------- graylog: # API base URL. REQUIRED. api_base: https://graylog.example.org/api # Username and password to use to authenticate to the API. REQUIRED username: admin password: drowssap # Should accounts be deleted when they no longer have any privileges? Warning, # this option is rather dangerous. Can be omitted, defaults to false. delete_accounts: false # Group -> privileges mappings # ----------------------------- mapping: # Each entry in this table must use a LDAP group name as its key. cn=g1,ou=groups,dc=example,dc=org: # List of Graylog roles that users in this group should have. The names # must match the ones in the Graylog administration section. roles: - Reader # Privileges on various Graylog objects. This is a list of records. privileges: # Each privilege record includes a type of object (either "dashboard" or # "stream"), an identifier (which is generated by Graylog, and must be # extracted from the pages' URLs or from the API) and a level, which may # be either "read" or "write", the latter implying the former. Should an # user be a member of groups that grant both privilege levels, the highest # level will be kept. - type: dashboard id: 12345 level: read - type: stream id: 12345 level: read cn=g2,ou=groups,dc=example,dc=org: roles: - Event Definition Creator - Event Notification Creator privileges: - type: dashboard id: 12345 level: write