Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

splunkd.log UserManagerPro LDAP warning with blank username

mfrost8
Builder
‎03-29-2017 09:51 AM

We use LDAP authentication for users on our Splunk instances. I'm trying to keep an eye on users who no longer exist (orphaned searches, but also user dirs that are 'dead').

Occasionally, I see the following show up in the logs:

03-29-2017 11:27:14.140 -0500 ERROR UserManagerPro - Failed to get LDAP user="" from any configured servers

That is, the user field is blank. I can't see how I could have a blank user in Splunk. Does anyone know how this might happen? I'd like to clean it up if I can.

Thanks!

0 Karma
Reply

brreeves_splunk
Splunk Employee
Splunk Employee
‎03-30-2017 08:32 AM

These references come from savedsearches that were previously assigned to a now disabled user. You can track these down by running Splunk in Debug for searches for a bit, then let them run. Next, in the splunkd log you'll see the SID of the search trying to run. That way you can track it back to the search and either re-assign it or delete it.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Enabledebuglogging#Enable_debug_l...

Reply

brreeves_splunk
Splunk Employee
Splunk Employee
‎03-29-2017 10:48 AM

If you look at the events around that one, does it talk about what search or activity it is trying to complete with that user?

0 Karma
Reply

mfrost8
Builder
‎03-29-2017 12:50 PM

Why didn't I think of that? 🙂

Just prior I see

03-29-2017 14:06:11.948 -0500 WARN  HttpListener - Socket error from 1.2.3.4 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
03-29-2017 14:06:13.153 -0500 WARN  HttpListener - Socket error from 1.2.3.5 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
3-29-2017 14:06:13.543 -0500 ERROR ScopedLDAPConnection - Invalid search filter: Attribute and value must be non-empty. Attempted to constrain attribute="samaccountname" to value=""
03-29-2017 14:06:13.612 -0500 ERROR ScopedLDAPConnection - Invalid search filter: Attribute and value must be non-empty. Attempted to constrain attribute="samaccountname" to value=""
03-29-2017 14:06:13.612 -0500 ERROR UserManagerPro - Failed to get LDAP user="" from any configured servers

I think we have some internal tool that is scanning servers and attempting to break in on any ports it can find. Just to see, I tried going to the web interface and hitting enter without entering a userid or password to see if that would generate this and it did not.

I guess there's something about the way this is hitting the port that is triggering an LDAP search with no user information.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...