Hey there,
I have been trying to figure out why Splunk can't authenticate against my OpenLDAP server. Current configuration looks like this:
SSLEnabled = 1
anonymous_referrals = 0
bindDN = cn=admin,ou=meta,dc=my,dc=example,dc=com
bindDNpassword =
charset = utf8
groupBaseDN = ou=Group,dc=my,dc=example,dc=com
groupBaseFilter = (|(cn=GROUP1)(cn=GROUP2))
groupMappingAttribute = dn
groupMemberAttribute = memberuid
groupNameAttribute = cn
host = my.example.com
nestedGroups = 0
network_timeout = -1
port = 636
realNameAttribute = cn
sizelimit = 10000
timelimit = 29
userBaseDN = ou=People,dc=my,dc=example,dc=com
userBaseFilter = (objectClass=posixAccount)
userNameAttribute = uid
Groups are mapped correctly (GROUP1 and GROUP2), but the users within these groups cannot authenticate. I have been looking at the LDAP logs and I can see these filters:
This specific ones, successfully gets the user data.
conn=379662 op=1 SRCH base="ou=People,dc=my,dc=example,dc=com" scope=2 deref=0 filter="(&(uid=USERNAME)(objectClass=posixAccount)(cn=*))"
Now this one is generated to look for the groups that this specific user is a member of:
conn=379662 op=2 SRCH base="ou=Group,dc=my,dc=example,dc=com" scope=2 deref=0 filter="(&(memberUid=uid=USERNAME,ou=people,dc=my,dc=example,dc=com)(|(cn=GROUP1)(cn=GROUP2))(cn=*))"
But it returns nothing, so user is not logged in, so essentially the filter does not work.
However this filter works:
(&(memberUid=lkamenov)(|(cn=GROUP1)(cn=GROUP2))(cn=*))
Anyone have an idea what could be going wrong exactly? Would appreciate any help!
Thank you
Lou
Within your group definitions, does memberUid
refer to a WHOLE DN, or just the 'short name'?
Your examples suggest that the members of groups are referred to by just the uid=lkamenov
attribute and not the entire uid=lkamenov,ou=people,dc=my,dc=example,dc=com
.
Based on your examples, I would suggest setting
groupMappingAttribute = uid
In your authentication.conf. This (should) make Splunk use the "simple" uid
attribute instead of the whole DN for purposes of group matching.
Note, however, that this makes group memebership ambiguous when the same uid exists in multiple OU's. ( Meaning uid=lkamenov,ou=people,dc=my,dc=domain,dc=com
and uid=lkamenov,ou=otherpeople,dc=my,dc=domain,dc=com
would both match the group membership attribute of uid=lkamenov
)
I used the full DN and that worked nicely. Thanks for the help!
Did this solve your issue? An update would be appreciated.