Security

Some LDAP users are not showing up in Splunk Users screen -- Splunk 4.3.1 build 119532.

wrangler2x
Motivator

I happened to take a look at Manager >> Access Controls >> Users the other day and quite a few users I knew should be there were not. We are using LDAP authentication. I vaguely remembered something about LDAP in the 4.3 notes and went and looked. After mentioning that they fixed a bug concerning Splunk LDAP for this release it says:

If you are using LDAP version 2,
Splunk will populate the LDAP user
list with only those users who have
already successfully logged in to
Splunk, as opposed to the full list of
users who have login access.

We are, in fact, using LDAP 2 (the actual version is 2.4.23)

So I thought, "maybe that's it". I asked someone who is configured to use Splunk via LDAP that was not on the list in Splunk and asked him to log in to Splunkweb. After he did this I went back to the Users list and, no, he still wasn't there. So I don't think it is this that we are seeing here.

My questions:

  1. Has anyone else seen this?
  2. Has anyone any idea about anything we could be doing that would cause this?
  3. Does this sound like a Splunk bug?
Tags (3)
0 Karma

treinke
Builder

What are your LDAP settings? Mainly, what is your "User base DN" and "Group base DN"? I tend to create a specific Security Group for Splunk. I have for example Splunk - Admins, Splunk - Developers - Location 1, Splunk - Developers - Location 2, Splunk - Service Desk, etc. With that, make sure that a group the user is in is mapped to a specific role. Is the group showing up in the "Manager » Access controls » Authentication method » Configure Splunk to use LDAP and map groups » Map groups"?

There are no answer without questions
0 Karma

wrangler2x
Motivator

Can you be more specific about what you are looking for in the GUI? There is no area of the page labled 'groups'. I will say that every field is filled in except the two Dynamic group settings (member attribute and group search filter).

We are using a rolemap defined in authentication.conf that has a 10 roles, and what users associated with these roles can do is defined in authorize.conf.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...