
LDAP tuning 4.2

EricPartington
Communicator

I have set up LDAP access to the GC (3268) and it works great. However, I am now noticing that there is a lot of traffic generated across the firewall that separates them.
In the last 60 minutes 54,000 connections were created. This will not make the AD team very happy.

Firstly, what is Splunk doing every minute to reach out and generate about 1000 connections (this sounds like the default page size for an LDAP connection)?

Second, how do I force Splunk to reach out less frequently? The LDAP groups are not changing that rapidly; once an hour or two is sufficient for me.

Can the scripted auth parameters for caching and timeout be used for LDAP connections?

1 Solution

EricPartington
Communicator

Solved it, wasn't what I expected.

We are using LDAP auth for user access to Splunk. It turns out that Splunk attempts to verify in LDAP all the owners of searches and objects listed in local.meta.

I had done some development on objects with a local account that didn't exist on this server, and that was what Splunk was attempting to look up in AD. This is the same behaviour that I saw when I used the Bind app and we were noticing lookups for nfoggi (the creator of the searches in that app).

So I guess a word of warning: if you save objects as owned by a local user that does not exist on the Splunk server that authentication is done on, you will have a number of queries generated to your AD/LDAP server attempting to look up those IDs.

A tcpdump with this string will tell you what you are looking up in AD/LDAP to validate the problem.
a.b.c.d is the LDAP server, or you can use port 3268 (for global catalog) or port 386 (for LDAP).
tcpdump -np -s 1500 -w outfile.libpcap -i em3 host a.b.c.d

Hope this helps someone (and maybe gets the default ownership of objects changed in Splunkbase for those that use AD/LDAP auth).
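The root cause in the accepted answer is object ownership recorded in local.meta files, so the quickest way to confirm it without a packet capture is to audit those files for owners that are not local accounts. The script below is an added example, not code from the original post or from Splunk; it parses a constructed local.meta sample (stanza names are URL-encoded, as in real .meta files, and ownership is carried by an "owner = <user>" key) and reports every owner that does not appear in an assumed set of local users. In a real deployment the local user set would come from $SPLUNK_HOME/etc/passwd on the server doing authentication, and the .meta text from each app's metadata/local.meta.

```python
"""Audit Splunk *.meta contents for object owners that are not local accounts.

Each non-local owner is a candidate for the repeated AD/LDAP lookups described
in the thread: Splunk tries to resolve the owner of every object it loads.
"""
import re
from urllib.parse import unquote

# Constructed sample shaped like $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
export = system

[savedsearches/Failed%20Logins%20Last%2024h]
access = read : [ * ], write : [ admin ]
owner = nfoggi
modtime = 1420070400.000000000

[savedsearches/Firewall%20Denies]
owner = admin

[views/dns_overview]
owner = devaccount
"""

# Constructed: local accounts (from etc/passwd on the authenticating server)
LOCAL_USERS = {"admin", "splunk-system-user"}

STANZA_RE = re.compile(r"^\[(.*)\]\s*$")
KEY_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_meta(text):
    """Return {object_name: {key: value}} for the contents of one .meta file."""
    stanzas, current = {}, None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = unquote(m.group(1))  # object names are URL-encoded
            stanzas[current] = {}
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group(1)] = m.group(2)
    return stanzas


def orphaned_owners(stanzas, local_users):
    """Map each owner that is not a local user to the objects it owns."""
    result = {}
    for name, keys in stanzas.items():
        owner = keys.get("owner")
        if owner and owner not in local_users:
            result.setdefault(owner, []).append(name)
    return result


def lookup_pressure(stanzas, local_users):
    """Objects per non-local owner: a rough count of lookups Splunk may issue."""
    return {o: len(objs) for o, objs in orphaned_owners(stanzas, local_users).items()}


if __name__ == "__main__":
    parsed = parse_meta(SAMPLE_META)
    for owner, objects in sorted(orphaned_owners(parsed, LOCAL_USERS).items()):
        print(f"{owner}: not a local user, owns {len(objects)} object(s)")
        for obj in objects:
            print(f"    {obj}")
```

Every owner the report lists is either a directory account (expected to be looked up once per load) or a stale developer/vendor account that should be reassigned to a real user, which removes the lookups entirely.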

gkanapathy
Splunk Employee

This is interesting.
