This post will only help Windows/splunk/AD/LDAP people.
I am posting this with the hope it will save someone the pain I just went through.
first of all some of the examples work, some do not.
if the bind works splunkd will not have and error. If it does not, splunkd.log will have errors. bind username as to be domain username for domain that has LDAP/AD connection.
use ADEDIT to get LDAP info.
first thing that is NOT mentioned anywhere that I was able to find in splunk answers
the bind username has to be added to the builtin Windows Authorization Access Group
This has to be done to allow splunk to validate user login.
So even after I got the conf file correct and could see groups, etc. I could not get the login to work...talk about days of screaming frustration.
Second big discovery, is if one of your domain admins loves to organize, splunk (or LDAP) does not deal will with nested OUs. So if users are deep within nested OUs, you will have to do as I did. Give path (i.e. distinguisedName) for every "group/OU".
hope this helps someone even a little.
at the bottom is a working authentication.conf file...with what should be obvious removal of company, domain information.
Basic LDAP configuration
[domaincontroller]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkbind, CN=Users, DC=companynamesystems, DC=com
bindDNpassword = $1$mPYcaZ61L2FkKdex83/gjH0mnz9uwVDC40B4mSM=
charset = utf8
userBaseFilter = (objectclass=*)
groupBaseDN = CN=Users, DC=companynamesystems,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = domaincontroller.companynamesystems.com
nestedGroups = 1
comwork_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users, DC=companynamesystems, DC=com
userNameAttribute = samaccountname
[authentication]
authSettings = domaincontroller,domainname
authType = LDAP
[domainname]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = splunkbind
bindDNpassword = $1$mPYcaZ61L2FkKdex83/gjH0mnz9uwVDC40B4mSM=
charset = utf8
groupBaseDN = CN=splunk,DC=companyname,DC=com;
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = domainnamedc02.companyname.com
nestedGroups = 1
comwork_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Sustained Engineering,OU=Corp,DC=companyname,DC=com;OU=Analytics,OU=Corp,DC=companyname,DC=com;OU=Customer Service,OU=Corp,DC=companyname,DC=com;OU=IT Staff,OU=Hyderabad,OU=Corp,DC=companyname,DC=com;OU=Management,OU=Corp,DC=companyname,DC=com;OU=Product Development,OU=Corp,DC=companyname,DC=com;OU=GlobalLogic,OU=Corp,DC=companyname,DC=com;OU=QA,OU=Corp,DC=companyname,DC=com;
userNameAttribute = samaccountname
[roleMap_domainname]
admin = SplunkAdmin
user = SplunkUsers
[roleMap_domaincontroller]
... View more