LDAP Authentication - Users from another trusted domain

treinke
Builder

I am in a multiple trusted domain environment. Currently Splunk is authenticating on our US domain. I have a UK user added to one of my US domain groups that is mapped in to Splunk. Everyone else except the person from the other domain is listed in Users. In the LDAP Groups, I open that group and in the LDAP Users I see the UK domain person.

Does Splunk not work across trusted domains even though it see the user in the LDAP Group?

There are no answers without questions
2 Solutions

the_wolverine
Champion

Splunk makes 2 separate calls when performing LDAP bind. It is possible that this could work if you are somehow able to bypass referrals for your users listing. This can be done via a combination of:

  • Use Anonymous Bind (your DCs would need to support this)
  • Use a multipleDN configuration for your userBase:

    userBaseDN = OU=Users,OU=UK,DC=Domain,DC=Com;OU=Users,OU=US,DC=Domain,DC=Com;

  • Use specific filters to return only members of Splunk Role-mapped groups:

    userBaseFilter = (|(memberOf=CN=SplunkAdmins)(memberOf=CN=SplunkPowerUsers)(memberOf=CN=SplunkUsers))

  • Use AD GC Port (3268, or 3269 for LDAPS)


dave_duvall
Explorer

Note that if you want to use the GC port as wolverine suggests, then the Domain Controller you are pointing to needs to be a Global Catalog.

We have found that by placing the Splunk users in a Universal Group and pointing to the GC port (3268 for LDAP, 3269 for LDAPS) you avoid all referrals and can make any account in the forest accessible to Splunk for authentication and authorization.

Highly recommend taking the time to enable secure LDAP as otherwise the authentication is done in cleartext to the DC.


zahorek
Engager

Anthony, and others who may stumble into this.
It does not look like a Splunk issue to me...

I have been dealing with the same issue and did a Wireshark capture of the LDAP exchange to help understand what is going on here. The UK user you added to your US domain group is not picked up by Splunk authorization "map group" because Windows server is sending it only the SID value for that user with a common name of "ForeignSecurityPrincipals". I am not sure why Windows server would not send it the full DN of the UK user you have added into the US domain group. In my case, what is sent by the Windows DC to represent the externally referenced user looks like this:

Frame 398 includes an unspecified "ForeignSecurityPrincipals" account which is identified by only the SID as follows:
AttributeValue: CN=S-1-5-21-4266372183-2100496958-683817857-1104,CN=ForeignSecurityPrincipals,DC=dapper,DC=dap

...This is basically useless information to Splunk. It looks like a Windows server issue to me. I would expect the full CN representing the inserted user to be sent. After all, the foreign user ~was~ added successfully to the group.

What we need sent by Windows server is something that looks like the following, which is the form sent for local users placed into the group of interest. It looks like this:

AttributeValue: CN=splunkadmin1,CN=Users,DC=dapper,DC=dap

Again, from my perspective it looks like a Windows 2012R2 DC LDAP issue. Your UK user foreign security principal is not being identified as a proper "CN" even though Windows is aware of exactly who this principal is. It is sending only the SID and "ForeignSecurityPrincipals".

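The two accepted answers (GC port with LDAPS, a multi-entry userBaseDN and a memberOf filter) and zahorek's capture (group members that arrive as SID-only ForeignSecurityPrincipals entries) both describe conditions you can check before a user ever tries to log in. The script below is an added example written for this thread; it is not Splunk code and not code from any of the posters. It lints a constructed authentication.conf stanza for the non-GC-port and cleartext pitfalls, then sorts a constructed list of group member DNs into the three outcomes discussed here: resolvable under a configured userBaseDN, a SID-only foreign security principal, or outside every configured base. The stanza key names are Splunk's documented authentication.conf keys; the host, DNs, group names and member list are constructed (the SID is the one from the capture above, placed on a constructed domain), and in a real AD the memberOf filter must carry the group's full DN, which is why the sample filter differs from the shortened form in the answer.

```python
"""Constructed example: audit a Splunk LDAP stanza and an AD group member list
for the cross-domain pitfalls discussed in this thread (not Splunk's own code)."""
import configparser
import re

# Constructed sample authentication.conf: GC over LDAPS, two userBaseDN entries.
SAMPLE_CONF = """
[authentication]
authType = LDAP
authSettings = corp_ad

[corp_ad]
host = gc01.domain.com
port = 3269
SSLEnabled = 1
bindDN = CN=svc_splunk,OU=Service Accounts,DC=Domain,DC=Com
bindDNpassword = PLACEHOLDER
userBaseDN = OU=Users,OU=UK,DC=Domain,DC=Com;OU=Users,OU=US,DC=Domain,DC=Com
userBaseFilter = (|(memberOf=CN=SplunkAdmins,OU=Groups,DC=Domain,DC=Com)(memberOf=CN=SplunkUsers,OU=Groups,DC=Domain,DC=Com))
userNameAttribute = sAMAccountName
groupBaseDN = OU=Groups,DC=Domain,DC=Com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn

[roleMap_corp_ad]
admin = SplunkAdmins
user = SplunkUsers
"""

# The same stanza with the weak settings: domain-local port, no TLS.
WEAK_CONF = SAMPLE_CONF.replace("port = 3269", "port = 389").replace("SSLEnabled = 1", "SSLEnabled = 0")

# Constructed 'member' values as a DC might return them for a Universal group.
SAMPLE_MEMBERS = [
    "CN=jdoe,OU=Users,OU=US,DC=Domain,DC=Com",
    "CN=asmith,OU=Users,OU=UK,DC=Domain,DC=Com",
    "CN=S-1-5-21-4266372183-2100496958-683817857-1104,CN=ForeignSecurityPrincipals,DC=Domain,DC=Com",
    "CN=svc_backup,OU=Service Accounts,DC=Domain,DC=Com",
]

GC_PORTS = {3268, 3269}  # Global Catalog ports: 3268 plain LDAP, 3269 LDAPS
SID_RE = re.compile(r"^s-1-\d+(-\d+)+$")


def lint_ldap_stanza(conf_text):
    """Return (findings, userBaseDN list) for the stanza named by authSettings."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase key names
    cp.read_string(conf_text)
    stanza = cp[cp["authentication"]["authSettings"]]
    findings = []
    port = int(stanza.get("port", "389"))
    ssl = stanza.get("SSLEnabled", "0") == "1"
    if port not in GC_PORTS:
        findings.append("port %d is not a Global Catalog port; cross-domain members will need referrals" % port)
    if not ssl:
        findings.append("SSLEnabled=0: the bind password and user credentials cross the wire in cleartext")
    if port == 3268 and ssl:
        findings.append("SSLEnabled=1 on 3268: the LDAPS GC port is 3269")
    # userBaseDN entries are ';'-separated; escaped ';' inside a DN is not handled here.
    bases = [b.strip() for b in stanza.get("userBaseDN", "").split(";") if b.strip()]
    if not bases:
        findings.append("userBaseDN is empty")
    return findings, bases


def parse_dn(dn):
    """Split a DN into lower-cased (attr, value) RDN pairs; backslash-escaped commas are kept."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def is_foreign_security_principal(dn):
    """True when the DN is a SID-only entry under the ForeignSecurityPrincipals container."""
    pairs = parse_dn(dn)
    return (pairs[0][0] == "cn" and bool(SID_RE.match(pairs[0][1]))
            and ("cn", "foreignsecurityprincipals") in pairs)


def dn_under_base(dn, base):
    """True when 'base' is a suffix of 'dn' at RDN granularity."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def classify_members(member_dns, user_base_dns):
    """Sort group members by whether Splunk's user search could resolve them."""
    out = {"resolvable": [], "foreign_sid_only": [], "outside_userBaseDN": []}
    for dn in member_dns:
        if is_foreign_security_principal(dn):
            out["foreign_sid_only"].append(dn)
        elif any(dn_under_base(dn, b) for b in user_base_dns):
            out["resolvable"].append(dn)
        else:
            out["outside_userBaseDN"].append(dn)
    return out


if __name__ == "__main__":
    for label, conf in (("hardened", SAMPLE_CONF), ("weak", WEAK_CONF)):
        findings, bases = lint_ldap_stanza(conf)
        print(label, "findings:", findings or "none")
    print(classify_members(SAMPLE_MEMBERS, lint_ldap_stanza(SAMPLE_CONF)[1]))
```

A SID-only entry in the foreign_sid_only bucket is exactly the symptom in the capture above: the member exists, but a search scoped to a domain-local DN on port 389 cannot turn it into a user object. Moving the search to the GC port is what lets the same member list resolve across the forest.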

treinke
Builder

Switching to the AD GC port solved the problem. Thanks guys!

There are no answers without questions

Simeon
Splunk Employee

Splunk will authenticate you based on the LDAP Group which you have mapped to a role. So if your configured LDAP group contains the user, then it should map that user properly.

It sounds like you are using a nested group mapping or you have multiple AD machines that use referrals. Splunk will not authenticate against LDAP referrals or when nested groups are in use.
