Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to see all LDAP users under Access Controls?

pkeller
Contributor
‎11-10-2016 03:29 PM

Running Splunk 6.4.3 in a Search Head Cluster using AD/Ldap authentication.

A user contacted me about adding some capabilities. When I looked under: Access Controls -> Users, I could not find that the person's ID was visible. However when I search audit.log I see that he has logged in.

Additionally when I search: | rest /services/admin/users | search roles=his_role | stats values(realname) I see a list of about 365 names, (alphabetical by first name), which scrolls to the letter R or sometimes S, but seems to leave off the names towards the end of the alphabet.

So, I'm wondering if there's some sort of limit to the number of names that the rest call or the UI Access Controls module. As I mentioned at the top: The person, who's firstname starts with "V" can login, he's just not referenceable, so I can't look at his inherited roles and/or capabilities.

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎11-10-2016 07:27 PM

As per sk314's comment, the user information is only visible for recently logged in users, and the information is stored per search head if your looking in the GUI, you will need to try each search head in your cluster if you are running a search head cluster.

The LDAP group to role mapping is normally quite straightforward so you can work it out without seeing it in the GUI.

Another trick I do is to create a local user and assign my local user the same roles as the LDAP user, therefore I can simulate any access issues they may have.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎11-10-2016 07:27 PM

As per sk314's comment, the user information is only visible for recently logged in users, and the information is stored per search head if your looking in the GUI, you will need to try each search head in your cluster if you are running a search head cluster.

The LDAP group to role mapping is normally quite straightforward so you can work it out without seeing it in the GUI.

Another trick I do is to create a local user and assign my local user the same roles as the LDAP user, therefore I can simulate any access issues they may have.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

sk314
Builder
‎11-10-2016 04:23 PM

Did you check this(Access Controls -> Users) on each member of your SH cluster? AFAIK - only the one that he connected to will have those details.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...