LDAP Users not replicating within splunk (5.0.4)

stevejfice
Path Finder

Performing a Splunk install at the moment and we have configured Splunk to connect LDAP to the local Active Directory server, which we presume is successful (nothing erroneous appears in the logs, at least).

We can see the groups to map roles, but mapping a role to a group then does not have any further effect.
For instance, on another Splunk instance connecting to another DC, mapping the roles pulls the users in the relevant groups into the Manager // Users section and they are able to log in. On the new instance nothing apart from the local Splunk admin account appears. We have restarted Splunk several times and tested with ldapsearch and the queries are successful. Anyone have any ideas?

0 Karma

MuS
SplunkTrust

Hi stevejfice,

a good place to start would be to search for any LDAP related messages in splunkd.log:

 index=_internal source=*splunkd.log* component="AuthenticationManagerLDAP"

Also, keep in mind that empty LDAP Groups will not show up in Splunk, you will need at least one object in the LDAP group.
Last but not least, I simply assume your Splunk server is able to connect to the AD (excluding any routing, network, firewall troubles).

hope this helps...

cheers, MuS

0 Karma

MuS
SplunkTrust

and if you run the LDAP search by hand and using some other tools like cmd line or Apache Directory Studio or AD Explorer, with the filters Splunk uses, you get a result back for this user="splunktest"?

0 Karma

stevejfice
Path Finder

I've been through it again, double and triple checked and there are absolutely no errors that I can see (even had another pair of eyes go over it just in case).

0 Karma

MuS
SplunkTrust

don't excuse for being busy 🙂
well according to the message Splunk is not able to find the user in LDAP....are you really sure there is no typo in the .conf and the user filter is correct?

0 Karma

stevejfice
Path Finder

Been a little busy today, sorry about that.
Have done the above and now we get:
11-08-2013 16:07:18.726 +0000 DEBUG AuthenticationManagerLDAP - Init called: Clearing the user cache
11-08-2013 16:07:41.316 +0000 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="splunktest" from strategy="ldaphost"
11-08-2013 16:07:41.316 +0000 ERROR AuthenticationManagerLDAP - Could not find user="splunktest" with strategy="ldaphost"
11-08-2013 16:07:41.316 +0000 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="splunktest" on any configured servers

0 Karma

MuS
SplunkTrust

increase the log channel for AdminHandler:AuthenticationHandler, AuthenticationManagerLDAP, AuthenticationManagerSplunk and restart Splunk. Check for authentication errors

0 Karma

stevejfice
Path Finder

Ok, I wasn't aware of that. However they still get a username/password combination error.

0 Karma

MuS
SplunkTrust

One thing to remember: users will only be listed on the User page after the first login.

0 Karma

stevejfice
Path Finder

That's not an option, that server no longer exists. The configuration file points to the new AD controller, which is a direct copy of the old AD.

0 Karma

MuS
SplunkTrust

what are the results if you point your config back to the original / working AD?

0 Karma

stevejfice
Path Finder

I can also see the objects/members within the groups both through splunk (while mapping the roles) and through an LDAPSearch tool. The confusing thing is this is a direct copy from another working splunk instance (only thing changing is pointing to a different AD server which has the same users and groups on it)

0 Karma

MuS
SplunkTrust

being able to see LDAP groups does not mean you will see the user object inside the group, because for users Splunk will use the User base filter and the User name attribute, while it will use the Static group search filter and the Group name attribute for the groups.
You can verify your user filter setting by running a manual LDAP search using your configured filter.

0 Karma
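
The manual check suggested in the reply above, as an added example that is not part of the original thread: it reads one LDAP strategy stanza and builds separate `ldapsearch` commands for the user lookup and the group lookup, so the two can be compared. The stanza values are constructed placeholders, and combining the name attribute with the base filter using `&` is an assumption about how to approximate the search Splunk performs.

```python
import configparser
import shlex

# Constructed sample stanza; every value here is a placeholder, not from the thread.
SAMPLE_CONF = """
[ldaphost]
host = dc01.example.test
port = 389
bindDN = CN=svc-splunk,OU=Service,DC=example,DC=test
userBaseDN = OU=Staff,DC=example,DC=test
userBaseFilter = (objectclass=user)
userNameAttribute = sAMAccountName
groupBaseDN = OU=Groups,DC=example,DC=test
groupBaseFilter = (objectclass=group)
groupNameAttribute = cn
groupMemberAttribute = member
"""

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def and_filter(base_filter, attr, value):
    """AND an attribute match with the configured base filter (assumed combination)."""
    term = "(%s=%s)" % (attr, escape_filter_value(value))
    base = base_filter.strip()
    if not base:
        return term
    if not base.startswith("("):
        base = "(%s)" % base
    return "(&%s%s)" % (term, base)

def build_searches(conf_text, strategy, username, group):
    """Return ldapsearch argv lists for the user lookup and the group lookup."""
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep the camelCase setting names
    cp.read_string(conf_text)
    s = cp[strategy]
    # -W prompts for the bind password so it never lands in shell history.
    common = ["ldapsearch", "-x", "-H", "ldap://%s:%s" % (s["host"], s.get("port", "389")),
              "-D", s["bindDN"], "-W"]
    user = common + ["-b", s["userBaseDN"],
                     and_filter(s.get("userBaseFilter", ""), s["userNameAttribute"], username), "dn"]
    grp = common + ["-b", s["groupBaseDN"],
                    and_filter(s.get("groupBaseFilter", ""), s["groupNameAttribute"], group),
                    s["groupMemberAttribute"]]
    return {"user": user, "group": grp}

if __name__ == "__main__":
    for kind, argv in build_searches(SAMPLE_CONF, "ldaphost", "splunktest", "Splunk Admins").items():
        print(kind + ":", " ".join(shlex.quote(a) for a in argv))
```

If the group command lists the account under its member attribute but the user command returns no entry, the user base DN or user filter is what excludes it.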

stevejfice
Path Finder

All seems fine in there. Surely if there was a spelling mistake in something simple there (which was created through SplunkWeb for simplicity) the LDAP Groups would not be visible for me to map from?

Is there a step after the mapping that I need to perform perhaps?

0 Karma

MuS
SplunkTrust
SplunkTrust

have you checked for possible typos in your authentication.conf?

0 Karma

stevejfice
Path Finder

The only things showing from the referenced search above are referring to our attempts to login to accounts we know exist in the LDAP group we have mapped roles for.
eg:

11-07-2013 11:47:32.360 +0000 ERROR AuthenticationManagerLDAP - Could not find user="userid" with strategy="ldaphost"

As above, I've tested LDAP connectivity which works, it's just not replicating those users, of which there are 10, into Splunk from the LDAP mapping.

0 Karma