Can Splunk be configured to add a single active directory user instead of a group?

scc00
Contributor

Can Splunk be configured to pull a single AD user instead of a group? I have tried a number of user base filters with no success. My group filters work without issue.

I have tried to use the following for the user base filter options:

• (&(objectCategory=person)(objectClass=user)(sAMAccountName=someone))
• (&(objectClass=user)(sAMAccountName=someone))
• (&(objectCategory=person)(objectClass=user)(cn=someone))
• (&(objectClass=user)(cn=someone))

I am getting the following error in splunkd.log:
• ERROR AdminHandler:AuthenticationHandler - Failed to retrieve a group with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.

0 Karma
1 Solution

scc00
Contributor

This is what worked for me in the end: setting the group base and user base filters and DNs to the same values (the user base values). I also modified the groupMemberAttribute to mimic the userMember attribute.
Settings to add a single user:

[Team_Contractors]
host = ldap.domain.org
port = 389
SSLEnabled = 0
anonymous_referrals = 1
bindDN = domain\XXXXXXX
bindDNpassword = XXXXXXXXXXXXXX
charset = utf8
emailAttribute = mail
userBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain_Main,DC=domain,DC=org
userBaseFilter = (&(objectclass=user)(|(sAMAccountName=XXXXX)(sAMAccountName=XXXXX)))
groupBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain_Main,DC=domain,DC=org
groupBaseFilter = (&(objectclass=user)(|(sAMAccountName=XXXXX)(sAMAccountName=XXXXX)))
nestedGroups = 0
userNameAttribute = samaccountname
realNameAttribute = cn
groupMappingAttribute = cn
groupMemberAttribute = samaccountname
groupNameAttribute = cn
timelimit = 10
network_timeout = 20

scc00
Contributor

I ended up using the following syntax to get it to work.

Settings to add a single user:

[Strategy]
host = *****
port = 389
SSLEnabled = 0
anonymous_referrals = 1
bindDN = ******
bindDNpassword = ********
charset = utf8
emailAttribute = mail
userBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain,DC=domain,DC=com
userBaseFilter = (&(objectclass=user)(|(sAMAccountName=***)(sAMAccountName=)))
groupBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain,DC=domain,DC=com
groupBaseFilter = (&(objectclass=user)(|(sAMAccountName=)(sAMAccountName=***)))
nestedGroups = 0
userNameAttribute = samaccountname
realNameAttribute = cn
groupMappingAttribute = cn
groupMemberAttribute = samaccountname
groupNameAttribute = cn
timelimit = 10
network_timeout = 20

0 Karma

sanjay_shrestha
Contributor

It is possible if you add a constraint in the User Settings:

User Base Filter
(&(objectClass=user)(cn=someone))

And check in the Group Settings:

The static group search filter should have a constraint for the group where someone exists.
e.g.
(&(objectClass=group)(cn=Splunk-Someones-Group))

0 Karma

scc00
Contributor

I tried that. Still doesn't work.

0 Karma

scc00
Contributor

Sure.

User Base DN:
OU=Contractors,OU=Non-main Users,OU=main_users,DC=domain,DC=org
User Base Filter:
(&(objectClass=user)(cn=someone))
Group base DN:
OU=Contractors,OU=Non-main Users,OU=main_users,DC=domain,DC=org
Group Filter:
(&(objectclass=group)(cn=Contractors))

0 Karma

sanjay_shrestha
Contributor

Can you try adding the following:

User name attribute >> samaccountname
Real name attribute >> cn
Group mapping attribute >> dn

Group name attribute >> cn
Static member attribute >> member

P.S. I tried it in my system and was able to pull only one user. I had these extra parameters set.

0 Karma

scc00
Contributor

Those are all already set. I've tested the syntax against LDAP and they work to pull the single user. No idea why it won't work for me within Splunk.

0 Karma

scc00
Contributor

Do you know where I can set the ScopedLDAPConnection to DEBUG? I can't find it in the log.cfg.

0 Karma

sanjay_shrestha
Contributor

Settings >> System settings >> System Logging

0 Karma

scc00
Contributor

Thanks. So here is what I am getting.

02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Adding attribute="cn" with value="Person"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Adding attribute="sAMAccountName" with value="xxxxx"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Adding attribute="mail" with value="person@domain.org"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Attempting to read entry at DN="OU=Contractors,OU=Non-Main Users,OU=Main,DC=domain,DC=org"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Attempting to search subtree at DN="OU=Contractors,OU=Non-Main Users,OU=Main,DC=domain,DC=org" using filter=""
02-06-2015 15:52:47.925 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Search duration="1992 microseconds"
ScopedLDAPConnection - strategy="contractor_person" LDAP Server returned no entries in search for DN="OU=Contractors,OU=Non-domain Users,OU=Main,DC=domain,DC=org" filter="(&(&(objectclass=group)(cn=Contractors))(cn=)(member=))".
02-06-2015 15:52:47.928 -0500 ERROR AdminHandler:AuthenticationHandler - Failed to retrieve a group with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.

0 Karma
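To see why the accepted configuration works and why the filter in the debug log above returns nothing, here is an added example (not Splunk's code and not from any poster in this thread) that models the resolution offline. It contains a small LDAP filter parser and evaluator for the subset used here (&, |, !, equality and presence), a constructed in-memory stand-in for the directory (names, OUs and DNs are invented), and a simplified model of how a strategy maps groups to users, which is an assumption about Splunk's behaviour rather than its actual implementation. It runs the single-user trick (user entries doubling as one-member groups keyed on samaccountname), the conventional group layout, the logged filter with its empty (cn=)(member=) assertions, and the unbalanced filter posted earlier in the thread.

```python
BASE = "OU=Contractors,OU=Non-domain Users,OU=domain_Main,DC=domain,DC=org"

# Constructed stand-in for the directory (sample data, not from the thread).
# Attribute names are stored lower-cased, since LDAP attribute names are
# case-insensitive; every value is a list, as in a real entry.
DIRECTORY = [
    {"dn": f"CN=Contractors,{BASE}", "objectclass": ["top", "group"],
     "cn": ["Contractors"],
     "member": [f"CN=Alice Example,{BASE}", f"CN=Bob Example,{BASE}"]},
    {"dn": f"CN=Alice Example,{BASE}", "objectclass": ["top", "person", "user"],
     "cn": ["Alice Example"], "samaccountname": ["aexample"], "mail": ["alice@domain.org"]},
    {"dn": f"CN=Bob Example,{BASE}", "objectclass": ["top", "person", "user"],
     "cn": ["Bob Example"], "samaccountname": ["bexample"], "mail": ["bob@domain.org"]},
    # Outside the contractor OU, so base-DN scoping must exclude her.
    {"dn": "CN=Carol Example,OU=Staff,OU=domain_Main,DC=domain,DC=org",
     "objectclass": ["top", "person", "user"],
     "cn": ["Carol Example"], "samaccountname": ["cexample"], "mail": ["carol@domain.org"]},
]


def parse_filter(text):
    """Parse an RFC 4515 filter (subset) into a tree; raise on unbalanced input."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|!":
            op, i, children = text[i], i + 1, []
            while i < len(text) and text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unbalanced filter: missing ')'")
            return (op, children), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unbalanced filter: missing ')'")
        attr, _, value = text[i:end].partition("=")
        return ("=", attr.strip().lower(), value), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive compare)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence test, e.g. (mail=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # (cn=) matches nothing


def empty_assertions(node):
    """Return attributes compared against an empty value, e.g. the 'cn' in (cn=)."""
    if node[0] in ("&", "|", "!"):
        return [a for child in node[1] for a in empty_assertions(child)]
    return [node[1]] if node[2] == "" else []


def in_subtree(dn, base_dn):
    return dn.lower().endswith(base_dn.lower())


def resolve_strategy(cfg, directory):
    """Simplified model (an assumption, not Splunk's code): find users, find
    groups, then map each group's member values onto users by DN or by
    userNameAttribute. Returns {group name: [user names]}."""
    user_filter = parse_filter(cfg["userBaseFilter"])
    group_filter = parse_filter(cfg["groupBaseFilter"])
    name_attr = cfg["userNameAttribute"].lower()
    users = [e for e in directory
             if in_subtree(e["dn"], cfg["userBaseDN"]) and matches(user_filter, e)]
    by_dn = {u["dn"].lower(): u for u in users}
    by_name = {u[name_attr][0].lower(): u for u in users}
    groups = [e for e in directory
              if in_subtree(e["dn"], cfg["groupBaseDN"]) and matches(group_filter, e)]
    result = {}
    for g in groups:
        members = []
        for m in g.get(cfg["groupMemberAttribute"].lower(), []):
            user = by_dn.get(m.lower()) or by_name.get(m.lower())
            if user:
                members.append(user[name_attr][0])
        result[g[cfg["groupNameAttribute"].lower()][0]] = members
    return result


# The accepted answer's trick: each matched user entry is also its own "group".
SINGLE_USER_CFG = {
    "userBaseDN": BASE,
    "userBaseFilter": "(&(objectclass=user)(|(sAMAccountName=aexample)(sAMAccountName=cexample)))",
    "groupBaseDN": BASE,
    "groupBaseFilter": "(&(objectclass=user)(|(sAMAccountName=aexample)(sAMAccountName=cexample)))",
    "userNameAttribute": "samaccountname",
    "groupMappingAttribute": "cn",
    "groupMemberAttribute": "samaccountname",
    "groupNameAttribute": "cn",
}

# The conventional layout the thread started from: a real AD group with DN members.
GROUP_CFG = dict(SINGLE_USER_CFG,
                 userBaseFilter="(objectclass=user)",
                 groupBaseFilter="(&(objectclass=group)(cn=Contractors))",
                 groupMemberAttribute="member")

if __name__ == "__main__":
    print(resolve_strategy(SINGLE_USER_CFG, DIRECTORY))
    print(resolve_strategy(GROUP_CFG, DIRECTORY))
    logged = "(&(&(objectclass=group)(cn=Contractors))(cn=)(member=))"
    print(empty_assertions(parse_filter(logged)))
```

With the single-user configuration only Alice's entry survives both the user and the group search (cexample is excluded by the user base DN), and her own samaccountname value is what the member attribute resolves, so she becomes a one-member group named by her cn. The filter from the debug log carries two empty assertions, (cn=) and (member=), which no entry can satisfy, so "returned no entries" is the expected result of that filter regardless of timeouts.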

scc00
Contributor

I'm wondering if it's timing out. It found the user, but the filters aren't working, even though they've been tested.

0 Karma

sanjay_shrestha
Contributor

Can you post User Settings & Group Settings?

0 Karma