Splunk 4.2 Ldap

mhasling
Engager

I am trying to set up Splunk to authenticate against LDAP and got the configuration set up in Splunk 4.1.7. It worked fine; I was able to log in with my LDAP user name. I then installed Splunk 4.2 and went through the same process that worked before, and when saving my LDAP configuration the UI hung. Looking in the logs I saw ScopedLDAPConnection LDAP server returned message: Size limit exceeded. I know that there are more than 1000 users in my defined DN user space and I cannot change the layout of LDAP. Just to test, I went back, uninstalled Splunk, reinstalled 4.1.7, and got the configuration to work.

Any idea why this would work in splunk 4.1.7 and not 4.2? Suggestions?

Thanks!


Marklar
Splunk Employee

So this was just an issue with saving the strategy? The same configuration should absolutely work in 4.2 - all your users should be able to log in the same way. If need be, simply copy the authentication.conf from your 4.1.7 instance into your 4.2. This config file is under $SPLUNK_HOME/etc/system/local.

Our LDAP integration is largely unchanged in 4.2, with the exception of that strategy page. We now perform some extra validation that the configuration you entered will work. This verification involves contacting the LDAP server a few times and performing some basic searches, so any latency in contacting that server would be reflected in the UI when you hit save.

Here is what we now verify for you when you save a strategy (in order):

  • You can contact the LDAP server and bind given the credentials specified.

  • All user base DNs specified exist on the server

  • We can retrieve at least 1 user given the specified username, realname, and groupMapping attributes

  • All group base DNs specified exist on the server

  • We can retrieve at least 1 group given the specified groupName and groupMember attributes

Note that the third and fifth checks involve performing a search, which would be subject to size limits. However, we only ask for one entry. So the 'size limit exceeded' is a red herring here; it's just the LDAP server telling Splunk that the search would hit the size limit, even though we only asked for 1 entry. For further information, set ScopedLDAPConnection to debug, which should make it clear exactly what searches we're performing and what's causing the issue. Do this from Manager > System Settings > System Logging.

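The save-time checks listed in the answer above can be replayed by hand to see what the LDAP server actually returns. This is an added example, not part of the original thread and not Splunk's code; it assumes OpenLDAP's ldapsearch, and the environment variable names and presence filters are hypothetical.

```shell
#!/bin/sh
# Added example (not Splunk's code): replay the save-time checks with
# OpenLDAP's ldapsearch, asking for one entry (-z 1) as the answer describes.
# Env var names and the presence filters below are assumptions.

# Count entries in LDIF output ("dn:" or base64 "dn::" lines).
count_entries() {
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# Turn ldapsearch's exit status (the LDAP result code) and the number of
# entries returned into a verdict for a one-entry probe.
classify() {
    case "$1" in
        0)  if [ "$2" -ge 1 ]; then echo ok; else echo no-match; fi ;;
        # 4 = sizeLimitExceeded: with -z 1 this accompanies the single entry
        # whenever more than one entry matches, so it is not a failure.
        4)  if [ "$2" -ge 1 ]; then echo ok-size-limit-expected
            else echo size-limit-no-entry; fi ;;
        32) echo base-dn-missing ;;   # noSuchObject
        49) echo bind-failed ;;       # invalidCredentials
        *)  echo "error-$1" ;;
    esac
}

# probe <scope> <base DN> <filter> [attributes...]
probe() {
    scope=$1; base=$2; filter=$3; shift 3
    # -y reads the bind password from a file (no trailing newline), which
    # keeps it off the command line and out of the process list.
    out=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$base" -s "$scope" -z 1 "$filter" "$@" 2>/dev/null)
    rc=$?
    classify "$rc" "$(count_entries "$out")"
}

run_checks() {
    echo "bind + user base DN:  $(probe base "$USER_BASE_DN" '(objectClass=*)' 1.1)"
    echo "one user entry:       $(probe sub "$USER_BASE_DN" "($USER_ATTR=*)" "$USER_ATTR")"
    echo "group base DN:        $(probe base "$GROUP_BASE_DN" '(objectClass=*)' 1.1)"
    echo "one group entry:      $(probe sub "$GROUP_BASE_DN" "($GROUP_ATTR=*)" "$GROUP_ATTR")"
}

# Only contact a server when the caller has configured one.
if [ -n "${LDAP_URI:-}" ]; then run_checks; fi
```

Set LDAP_URI, BIND_DN, BIND_PW_FILE, USER_BASE_DN, USER_ATTR, GROUP_BASE_DN and GROUP_ATTR to the values from your own strategy before running it.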

BP9906
Builder

The above answer is helpful for turning on logging, but even after turning on logging and scoping the user base DN down to a group with only 2 users, I still get:

07-25-2011 17:14:13.224 -0700 WARN ScopedLDAPConnection - Search for DN 'OU=group,OU=Users,OU=location,...': LDAP server returned message: Size limit exceeded

mhasling
Engager

Thanks, when I copied the authentication.conf file over and restarted, it worked. Just had to change the password back to clear text in the configuration file.

I guess it didn't like the extra validation being done with a large set of users.

Thanks!
