
How do I get large LDAP/AD Groups (>1500 members) to work in Splunk?

jmulloy
Engager

I've been attempting to configure Splunk to use some very large groups (>1500 members) to allow all users in my business unit to log in, instead of having to add smaller groups individually. When I try to use these groups and turn the logging level for AuthenticationManagerLDAP up to "Debug", I get the following error message.

09-24-2013 14:19:23.861 -0700 DEBUG AuthenticationManagerLDAP - Skipping dynamic group DN="CN=Org-BUName-Employees,OU=Automated,OU=Distribution Lists,OU=Groups,DC=corp,DC=company,DC=com" with no values for member attribute

Investigating with ldapsearch, I found that this is not a dynamic group as Splunk claims. Because it's so large, querying the group returns the first 1500 group members with the attribute 'member;range=0-1499' instead of 'member' as Splunk expects. With a group this large, multiple requests need to be made to get all the members, with the attribute you're requesting being 'member;range=0-1499', 'member;range=1500-2999', etc.

If I change groupMemberAttribute to "member;range=0-1499" I get the first 1500 users from the large group, but the rest are missing and I get no users from the smaller groups. If it was possible to specify multiple groupMemberAttributes I could fix this issue, but according to http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Authenticationconf this parameter only allows one value, not a list.

Update: While I still haven't come up with a solution, I did come up with a workaround that works in my case. We have mailing lists for both Organizations and Locations. So I set up the userBaseFilter to filter users who are members of the mailing lists for the organizations I want to allow to log in to Splunk, and then in the roleMap section I used all the location mailing lists, which are all under 1000 users each. Without the filter this would allow anyone to log in, but with the organization filter those users won't be returned by AD.
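The range retrieval behaviour described in this post, as an added example that is not part of the original thread and not Splunk's code: a small simulation of an Active Directory server that splits a large multi-valued attribute into 'member;range=lo-hi' slices (the constructed MAX_VAL_RANGE mirrors AD's default of 1500), a naive client that only looks for 'member' and therefore sees zero values (the symptom behind the "no values for member attribute" log line), and a client that walks the ranges until the server marks the last slice with '*'. The directory contents, group DNs and the ad_search() function are all constructed stand-ins for a real LDAP search.

```python
"""Added example: simulate AD range retrieval and a client that handles it.
The DIRECTORY contents, DNs and ad_search() are constructed for this example;
MAX_VAL_RANGE is an assumption matching AD's default MaxValRange of 1500."""
import re
from typing import Dict, List

MAX_VAL_RANGE = 1500  # assumed server limit (AD default MaxValRange)

# Constructed sample directory: one group over the limit, one well under it.
BIG_GROUP_DN = "CN=Org-BUName-Employees,OU=Groups,DC=corp,DC=company,DC=com"
SMALL_GROUP_DN = "CN=Site-Office-A,OU=Groups,DC=corp,DC=company,DC=com"
DIRECTORY: Dict[str, List[str]] = {
    BIG_GROUP_DN: [f"CN=user{i:04d},OU=Users,DC=corp,DC=company,DC=com" for i in range(3200)],
    SMALL_GROUP_DN: [f"CN=user{i:04d},OU=Users,DC=corp,DC=company,DC=com" for i in range(42)],
}

# Matches 'member;range=0-1499' or 'member;range=3000-*' (case-insensitive).
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def ad_search(dn: str, requested_attr: str) -> Dict[str, List[str]]:
    """Stand-in for an LDAP search returning one attribute of one entry.

    When the attribute holds more than MAX_VAL_RANGE values (or when a ranged
    attribute was explicitly requested), the server answers with the values
    under '<attr>;range=lo-hi' rather than '<attr>'. The final slice is
    labelled 'lo-*', which is how the client knows it has reached the end.
    """
    m = RANGE_RE.match(requested_attr)
    attr, lo = (m.group("attr"), int(m.group("lo"))) if m else (requested_attr, 0)
    if attr != "member":
        raise KeyError(attr)
    values = DIRECTORY[dn]
    if not m and len(values) <= MAX_VAL_RANGE:
        return {"member": list(values)}  # small group: plain attribute
    hi = lo + MAX_VAL_RANGE - 1
    chunk = values[lo:hi + 1]
    label = "*" if hi >= len(values) - 1 else str(hi)
    return {f"member;range={lo}-{label}": chunk}


def naive_member_count(entry: Dict[str, List[str]]) -> int:
    """What a client that only understands 'member' sees: for a large group
    the key is absent, so it concludes the group has no members at all."""
    return len(entry.get("member", []))


def fetch_all_members(dn: str, attr: str = "member") -> List[str]:
    """Collect every value by following the range slices to the '*' marker.

    Each follow-up request asks for 'attr;range=<next>-*', letting the server
    choose the slice size, which AD permits alongside explicit 'lo-hi' ranges.
    """
    members: List[str] = []
    request = attr
    while True:
        entry = ad_search(dn, request)
        if attr in entry:  # not ranged at all: single response holds everything
            return list(entry[attr])
        ranged = next((k for k in entry if k.lower().startswith(attr.lower() + ";range=")), None)
        if ranged is None:
            return members  # attribute genuinely empty
        m = RANGE_RE.match(ranged)
        members.extend(entry[ranged])
        if m.group("hi") == "*":
            return members  # server marked this as the last slice
        request = f"{attr};range={int(m.group('hi')) + 1}-*"


if __name__ == "__main__":
    first = ad_search(BIG_GROUP_DN, "member")
    print("naive client sees", naive_member_count(first), "members; keys:", list(first))
    print("range-aware client sees", len(fetch_all_members(BIG_GROUP_DN)), "members")
    print("small group:", len(fetch_all_members(SMALL_GROUP_DN)), "members")
```

Running it shows the mismatch the original post hit: the first response for the large group carries only the key 'member;range=0-1499', so the naive count is 0, while the range-aware loop needs three requests (0-1499, 1500-2999, 3000-*) to assemble all 3200 members; the small group is returned in one plain 'member' attribute.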

teunlaan
Contributor

Problem is fixed in Release 7.3.X (tested)

You need to edit the authentication.conf, add enableRangeRetrieval = 1 to your LDAP settings

enableRangeRetrieval = <boolean>
* OPTIONAL
* The maximum number of values that can be retrieved from one attribute in a
single LDAP search request is determined by the LDAP server. If the number of
users in a group exceeds the LDAP server limit, enabling this setting fetches all
users by using the "range retrieval" mechanism.
* Enables result sets for a given attribute that exceed the maximum number of
values defined for the LDAP server.
* If set to false, ldap range retrieval is off.
* Default: false

cconway_splunk
Splunk Employee

Trying to replicate the success you are having with the ranges, and I am unable to get AD to cooperate. Would you please give me the entries you are using in your conf to achieve the pointed LDAP strategy for 0-1499, etc.?


derekarnold
Communicator

Hi,
You can try the sizelimit attribute, perhaps it's set to 1500 currently? You may want to up your timelimit and network_timeout depending on how long Splunk is waiting for the LDAP query.

sizelimit = integer

* OPTIONAL
* Limits the amount of entries we request in LDAP search
* IMPORTANT: The max entries returned is still subject to the maximum imposed by your LDAP server
   * Example: If you set this to 5000 and the server limits it to 1000, you'll still only get 1000 entries back
* Defaults to 1000

teunlaan
Contributor

Does anyone already have a real fix for this?

We now have this issue. We can't put "member;range=0-1499" in the LDAP setting. It returns an error that it can't find any users.


Cbr1sg
Path Finder

I just tested this out: you can put "member;range=0-1499" in the LDAP settings, but not via the GUI.
You have to make the change in authentication.conf; only then is the setting accepted by Splunk.


pbarbuto
Path Finder

Also having this issue. Any resolutions yet?
