graylog-groups
==============

A program that controls Graylog roles and privileges over objects using LDAP groups.

**Note** My apologies, this is my first actual program in Go, so it must be a terrible example of worst practices. Sorry.

Why?
----

The community edition of [Graylog](https://graylog.org) had the ability to use LDAP groups in order to control user access to the various objects (streams and dashboards). In a somewhat ethically questionable move this capability was removed in version 4.0 and replaced with an enterprise-only feature called teams.

This program is meant to emulate the pre-4.0 LDAP group functionality.

How?
----

This program is meant to be executed on a regular basis, e.g. through `cron`. It will read its configuration file, and from there:

* get the list of users on the Graylog side,
* read the list of members of all LDAP groups that have a mapping defined in the configuration file,
* compute the roles and object privileges to grant to each Graylog user,
* optionally delete users that no longer have any privileges according to the mapping and LDAP group membership,
* set the users' permissions on the various Graylog objects,
* add or remove Graylog roles from user accounts.

Installing
----------

- Download and build the program:

```
git clone https://github.com/tseeker/graylog-groups
cd graylog-groups
go build
```

- Copy the resulting binary to whatever box will run it.
- Create a configuration file based on the example in `graylog-groups.yml.example`.
- Set up a cron job, or whatever it is you use to schedule tasks, to run the synchronization binary on a regular basis.

To Do
-----

* Proper logging, work in progress:
  * Add logs to the privilege computations and related API calls.
  * Sending logs to... well, Graylog... through CLI switches.
  * Writing logs to a file.
* Document command line flags.
* Cache LDAP username lookups.
* Add TLS options (skip checks / specify CA) for the Graylog API.
* Read object ownership using `grn_permissions` to preserve privileges on users' own objects.
* Support granting ownership on objects.
* Use goroutines? Maybe.
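The following is an added illustration of the "compute the roles and object privileges" and "add or remove Graylog roles" steps listed under "How?" above. It is example code written for this README, not the project's own implementation: the shape of a mapping entry, the type and function names, and the sample group DNs, role names and object IDs are all assumptions. It runs offline on constructed data and produces the plan a sync would then apply through the Graylog API.

```go
package main

import (
	"fmt"
	"sort"
)

type Privilege int // access level on one Graylog object; the highest level wins when a user is in several groups
const None, Read, Write Privilege = 0, 1, 2

// ObjectRef identifies a Graylog object, e.g. {"stream", "<id>"} or {"dashboard", "<id>"}.
type ObjectRef struct{ Type, ID string }
// GroupMapping is the assumed shape of one configuration entry: what members of one LDAP group get.
type GroupMapping struct {
	Roles      []string
	Privileges map[ObjectRef]Privilege
}

// Grants is the computed result for one Graylog user.
type Grants struct {
	Roles      map[string]bool
	Privileges map[ObjectRef]Privilege
}

// ComputeGrants merges the mappings of every mapped group each user belongs to: groups
// without a mapping are ignored, roles are unioned and privileges take the maximum.
func ComputeGrants(mappings map[string]GroupMapping, members map[string][]string) map[string]Grants {
	out := map[string]Grants{}
	for group, m := range mappings {
		for _, u := range members[group] {
			g, seen := out[u]
			if !seen {
				g = Grants{Roles: map[string]bool{}, Privileges: map[ObjectRef]Privilege{}}
				out[u] = g // the maps are shared, so writes through g below are visible in out
			}
			for _, r := range m.Roles {
				g.Roles[r] = true
			}
			for obj, p := range m.Privileges {
				if p > g.Privileges[obj] {
					g.Privileges[obj] = p
				}
			}
		}
	}
	return out
}

// SyncPlan is what the sync would then apply through the Graylog API.
type SyncPlan struct {
	Orphans    []string            // existing users no mapping grants anything to: deletion candidates
	AddRole    map[string][]string // user -> roles to add
	RemoveRole map[string][]string // user -> roles to remove
}

// PlanSync diffs each existing user's current roles against the grants. Only roles that
// appear in some mapping are ever removed, so roles assigned by hand in Graylog stay.
func PlanSync(current map[string][]string, grants map[string]Grants, mappings map[string]GroupMapping) SyncPlan {
	managed := map[string]bool{}
	for _, m := range mappings {
		for _, r := range m.Roles {
			managed[r] = true
		}
	}
	plan := SyncPlan{AddRole: map[string][]string{}, RemoveRole: map[string][]string{}}
	for user, roles := range current {
		g, ok := grants[user] // zero Grants for an orphan; reading its nil maps is safe
		if !ok || len(g.Roles)+len(g.Privileges) == 0 {
			plan.Orphans = append(plan.Orphans, user)
		}
		have := map[string]bool{}
		for _, r := range roles {
			have[r] = true
			if managed[r] && !g.Roles[r] {
				plan.RemoveRole[user] = append(plan.RemoveRole[user], r)
			}
		}
		for r := range g.Roles {
			if !have[r] {
				plan.AddRole[user] = append(plan.AddRole[user], r)
			}
		}
		sort.Strings(plan.AddRole[user]) // deterministic order for logs; a no-op on a missing key
		sort.Strings(plan.RemoveRole[user])
	}
	sort.Strings(plan.Orphans)
	return plan
}

func main() {
	// Constructed sample data; the group DNs, role names and object IDs are placeholders.
	mappings := map[string]GroupMapping{
		"cn=ops,dc=example,dc=com": {[]string{"Reader", "Alerts Manager"}, map[ObjectRef]Privilege{{"stream", "s1"}: Write}},
		"cn=dev,dc=example,dc=com": {[]string{"Reader"}, map[ObjectRef]Privilege{{"stream", "s1"}: Read, {"dashboard", "d1"}: Read}},
	}
	members := map[string][]string{"cn=ops,dc=example,dc=com": {"alice"}, "cn=dev,dc=example,dc=com": {"alice", "bob"}, "cn=hr,dc=example,dc=com": {"carol"}}
	current := map[string][]string{"alice": {"Reader"}, "bob": {"Reader", "Admin"}, "dave": {"Reader"}} // as the users API would report
	grants := ComputeGrants(mappings, members)
	fmt.Printf("alice gets %+v\nplan: %+v\n", grants["alice"], PlanSync(current, grants, mappings))
}
```

Two policy choices in this example are worth spelling out, because they are where a sync tool can do damage: an LDAP group without a mapping (`cn=hr` above) is simply ignored rather than stripping anything from its members, and a role that no mapping mentions (bob's `Admin`) is never removed, so access granted by hand in Graylog survives the run. The orphan list is only a set of candidates for the optional deletion step. Object permissions are left out here; note the `grn_permissions` item in the To Do list, which records that privileges on users' own objects are not yet preserved when object permissions are set.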