- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Why is our Splunk LDAP / Active Directory authenti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is our Splunk LDAP / Active Directory authentication not showing security groups?
We've inherited a Splunk deployment that is authenticating against Active Directory with LDAP.
We can see users and distribution groups from AD, but not security groups.
Can you help point me in the right direction for why we cannot see security groups for managing access to our Splunk deployment?
[DOMAIN - ActiveDirectory]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = <redacted>
bindDNpassword =
charset = utf8
dynamicMemberAttribute = member
emailAttribute = mail
groupBaseDN = <redacted>
groupBaseFilter = (objectclass=group)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = myserver.mydomain
nestedGroups = 1
network_timeout = 20
port = 666
realNameAttribute = displayname
sizelimit = 980
timelimit = 15
userBaseDN = <redacted>
userNameAttribute = samaccountname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turning on debug level logging may help:
Setting > Server settings > Server logging > ScopedLDAPConnection > DEBUG
Setting > Server settings > Server logging > AuthenticationManagerLDAP > DEBUG
We had a similar issue and discovered that the LDAP query Splunk runs always has the filter: (displayname=*), so if an object doesn't have its display name populated, Splunk won't "see" the object.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So far we've been unable to see a (displayname=*) filter present in our LDAP queries when debugging. However, we did notice that our LDAP query is only displaying 2,000 (of 2,613) groups even after increasing our LDAP query limits on the Splunk side.
Continuing to dig...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Keep in mind Splunk only displays groups when the are Users in that group.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ahhh.... good point. Currently, the security group is populated with six users. We don't have a userBaseFilter set, is there anything else that could be masking the users on the Splunk side and preventing the group from being visible?
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
