Security

LDAP tuning 4.2

EricPartington
Communicator

I have set up LDAP access to the GC (3268) and it works great. However, I am now noticing that there is a lot of traffic generated across the firewall that separates them.
In the last 60 minutes 54,000 connections were created. This will not make the AD team very happy.

Firstly, what is Splunk doing every minute to reach out and generate about 1000 connections (this sounds like the default page size for an LDAP connection)?

Second, how do I force Splunk to reach out less frequently? The LDAP groups are not changing that rapidly; once an hour or two is sufficient for me.

Can the scripted auth parameters for caching and timeout be used for LDAP connections?

1 Solution

EricPartington
Communicator

Solved it, wasn't what I expected.

We are using LDAP auth for user access to Splunk. It turns out that Splunk attempts to verify in LDAP all the owners of searches and objects listed in local.meta.

I had done some development on objects with a local account that didn't exist on this server, and that was what Splunk was attempting to look up in AD. This is the same behaviour that I saw when I used the Bind app and we were noticing lookups for nfoggi (the creator of the searches in that app).

So I guess a word of warning: if you save objects as owned by a local user that does not exist on the Splunk server that authentication is done on, you will have a number of queries generated to your AD/LDAP server attempting to look up those IDs.

A tcpdump with this string will tell you what you are looking up in AD/LDAP to validate the problem.
a.b.c.d is the LDAP server, or you can use port 3268 (for global catalog) or port 386 (for LDAP).
tcpdump -np -s 1500 -w outfile.libpcap -i em3 host a.b.c.d

Hope this helps someone (and maybe gets the default ownership of objects changed in Splunkbase for those that use AD/LDAP auth).
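The answer above traces the lookup storm to owners recorded in local.meta who do not exist as users on the authenticating Splunk server. The script below is an added example, not code from the original post or from Splunk: it parses .meta stanzas (object names are percent-encoded in the stanza header, and the app-wide stanza is the empty header "[]"), collects the owner of every object, and reports owners that are absent from a set of known users. The sample local.meta text and the set of known users are constructed for the example; on a real system you would read the file from an app's metadata directory and build the known-user set from your actual local accounts and LDAP-mapped users.

```python
"""Find knowledge objects in a Splunk local.meta whose owner is not a known user.

Added example (not from the original post). Unknown owners are the ones the
answer above identifies as the source of repeated AD/LDAP lookups.
"""
import urllib.parse
from typing import Dict, List, Set

# Constructed sample local.meta contents; the owner names here are made up
# for the example (nfoggi is the one mentioned in the post).
SAMPLE_LOCAL_META = """
[]
access = read : [ * ], write : [ admin ]
export = system

[savedsearches/Failed%20Logins%20by%20Host]
owner = nfoggi
access = read : [ * ], write : [ admin ]

[savedsearches/Firewall%20Denies]
owner = admin

[views/ldap_dashboard]
owner = devuser
export = system

[eventtypes/ldap_bind]
owner = eric
"""

# Constructed set of accounts that exist on the authenticating server
# (local users plus users already mapped via LDAP).
KNOWN_USERS: Set[str] = {"admin", "eric"}


def parse_meta(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .meta text into {stanza_name: {key: value}}.

    A small hand-rolled parser is used because configparser rejects the
    empty app-wide stanza header "[]". Stanza names are URL-decoded so
    "savedsearches/Failed%20Logins" becomes "savedsearches/Failed Logins".
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = urllib.parse.unquote(line[1:-1])
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def unknown_owners(stanzas: Dict[str, Dict[str, str]],
                   known_users: Set[str]) -> Dict[str, List[str]]:
    """Map each owner not in known_users to the objects it owns.

    Stanzas without an owner key (such as the app-wide "[]" stanza) are
    skipped; they inherit ownership and do not trigger a lookup on their own.
    """
    result: Dict[str, List[str]] = {}
    for name, attrs in stanzas.items():
        owner = attrs.get("owner")
        if owner and owner not in known_users:
            result.setdefault(owner, []).append(name)
    return result


def report(text: str, known_users: Set[str]) -> Dict[str, List[str]]:
    """Parse the .meta text and return the unknown-owner map."""
    return unknown_owners(parse_meta(text), known_users)


if __name__ == "__main__":
    for owner, objects in sorted(report(SAMPLE_LOCAL_META, KNOWN_USERS).items()):
        print(f"owner '{owner}' is not a known user; owns: {', '.join(objects)}")
```

Running it against the constructed sample flags nfoggi and devuser; re-owning those objects to an existing user (or creating the account) removes the repeated lookups the post describes.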


gkanapathy
Splunk Employee

This is interesting.
