- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Re: LDAP authentication to multiple domains
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LDAP authentication to multiple domains
I have two LDAP strategies defined, one to domain1 and one to domain2. In both domains I have a user named "SplunkAdmin". Both ldap strategies have roles mapped to the groups that contain the SplunkAdmin user for each domain. However, in the "users" list, I only see one entry for "SplunkAdmin". How do I allow both users to access Splunk? (I have tried specifying the domain in the username box, i.e. domain1\splunkadmin or splunkadmin@domain1 as the username, but this approach does not seem to work.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only way to do this would be to have distinct users in distinct domains. I don't see how you would expect to see two different users when there is nothing to distinguish the name. The login (and user list) will match the first instance it finds according to the ordering of the domain strategies.
You could do what I have had to do recently, use a domain-specific attribute for the user name, and use logins SlunkAdmin@domain.one and SplunkAdmin@domain.two. Of course this depends entirely on how you have your LDAP configured on the domain controller side.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: using an alternate domain-specific attribute for the user name: This would require significant effort on the AD side to ensure that unique attributes exists for each user in question. It may be our only option, though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In an AD environment you can specify a domain to attempt to log in to by entering the username in the format "DOMAIN\ussername" or "username@DOMAIN". I was hoping that Splunk could be configured to accept the same format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Working with Splunk support, it appears that there is no way to specify the domain when logging in. Instead, you must find an alternate 'user' attribute to match on, and the attributes must be unique between the two domains.
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
Detecting Remote Code Executions With the Splunk Threat Research Team
