Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need more info about LDAP authorization internals

robgarner
Path Finder
‎03-09-2017 12:48 PM

Hi -

I have a working LDAP authentication/authorization configuration. There are no local users - all access is based on LDAP group membership and associated role definitions. A couple of our roles import "power" role. A couple of roles import other roles that import "power". There are multiple AD and OpenLDAP stores and some users are members of dozens of groups. Some of the LDAP groups import other LDAP groups (which a couple of "Answer" topics have indicated can be problematic).

1) I'd like guidance on constructing a query (preferably REST, but I'm not too fussy) that will show me which roles are importing "power" (or any other role or permssion, for that matter). Recursive would be icing on the cake.

2) Is there any equivalent of a "debug verbose" flag I can turn on in Splunk itself for authentication/authorization that will log all requests to and results from the LDAP servers ? I'm hoping for the equivalent of the "-d 1" flag for ldapsearch.

Thanks,
-Rob

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎03-10-2017 05:11 AM

Try starting with something like this and see what you want to do search-wise to drive to your answer.

| rest splunk_server=local /services/authorization/roles
| table title imported_roles
| rename title AS role

The splunk_server=local is going to show just that search head. If you remove that, it will return your indexers as well so you'll need to consolidate those results.

Let us know how that works out and we can iterate through.

Reference: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess#authorization.2Froles

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sloshburch
Splunk Employee
Splunk Employee
‎03-10-2017 05:11 AM

Try starting with something like this and see what you want to do search-wise to drive to your answer.

| rest splunk_server=local /services/authorization/roles
| table title imported_roles
| rename title AS role

The splunk_server=local is going to show just that search head. If you remove that, it will return your indexers as well so you'll need to consolidate those results.

Let us know how that works out and we can iterate through.

Reference: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess#authorization.2Froles

0 Karma
Reply
Solved! Jump to solution

robgarner
Path Finder
‎03-13-2017 10:46 AM

Many thanks on the rest query; that'll get me started on the roles question.

How about LDAP troubleshooting; do you have any insight on how I could approach that ?

Grateful for your help!
-Rob

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎03-14-2017 05:20 AM

For LDAP troubleshooting, did you see this https://docs.splunk.com/Documentation/Splunk/latest/Security/TroubleshootSplunkSSO ? If you need more granular help, I'd suggest another post on answers where we can dig into it further (since this one is already answered and mostly covers a separate question).

0 Karma
Reply
Solved! Jump to solution

robgarner
Path Finder
‎03-15-2017 09:52 AM

Good idea. Will check out your link and see where it takes me. Many thanks for all your help ! 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...