Security

How to troubleshoot "ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user" in splunkd.log?

Hemnaath
Motivator

Hi Splunkers, I am seeing around 2023 events for the below-mentioned error in splunkd.log on all the indexer instances, so can anyone guide me on how/where to start investigating and fixing this issue?

ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="test01". Search filter="(&(uniquemember=uid=test01,ou=Internal,ou=Users,dc=xxx,dc=com)(cn=Splunk_Admin))" strategy="XXXX LDAP"

Splunk Version : 7.0.4


splunkoptimus
Path Finder

Check if the user belongs to groups which have permissions to access Splunk.


Hemnaath
Motivator

Hi All, when troubleshooting this issue with the help of a Splunker from splunk.answers.com, I narrowed down the issue and fixed it.

In this case the LDAP configuration on the indexer and search head instances was different: on the indexer instance only the Splunk_Admin LDAP group was configured, whereas on the search head we had other LDAP groups configured. Due to this, whenever any user mapped to a group other than Splunk_Admin performed search activities, an error was thrown in splunkd.log because of the configuration conflict.

Problem Detail:
ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="test01". Search filter="(&(uniquemember=uid=test01,ou=Internal,ou=Users,dc=xxx,dc=com)(cn=Splunk_Admin))" strategy="XXXX LDAP"

Solution: Configured all the LDAP groups on the indexer instance, the same as on the search head instances.

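As an added illustration (a constructed file, not the poster's actual configuration), the following authentication.conf shows the mismatch described in this answer and the corrected role mapping. The strategy name, user DN and group name are taken from the error message; the attribute settings are inferred from the search filter it prints (uniquemember, cn, DN-valued membership); the host, bind DN, group base DN and every group name other than Splunk_Admin are placeholders.

```ini
# Constructed example: authentication.conf on an indexer (search peer).
# Splunk .conf files do not support trailing comments, so every comment
# sits on its own line.
[authentication]
authType = LDAP
authSettings = XXXX LDAP

[XXXX LDAP]
# Placeholder connection details
host = ldap.example.com
port = 636
SSLEnabled = 1
bindDN = cn=splunk-bind,ou=Service,dc=xxx,dc=com
bindDNpassword = <placeholder>
# User DN from the error: uid=test01,ou=Internal,ou=Users,dc=xxx,dc=com
userBaseDN = ou=Internal,ou=Users,dc=xxx,dc=com
userNameAttribute = uid
realNameAttribute = cn
# Placeholder group container
groupBaseDN = ou=Groups,dc=xxx,dc=com
groupBaseFilter = (objectclass=groupOfUniqueNames)
# These three produce the filter seen in the error:
#   (&(uniquemember=<user DN>)(cn=Splunk_Admin))
groupMemberAttribute = uniquemember
groupNameAttribute = cn
groupMappingAttribute = dn

# Role mapping as it was on the indexer BEFORE the fix. Only one group is
# mapped, so the group search is built with (cn=Splunk_Admin) alone and
# returns nothing for any user whose search-head role comes from another
# group, which is what the "Couldn't find matching groups" error reports.
#
# [roleMap_XXXX LDAP]
# admin = Splunk_Admin

# AFTER the fix: the same roleMap stanza the search head uses, so every
# group a user can be mapped to on the search head is also resolvable
# on the indexer. Group names other than Splunk_Admin are placeholders.
[roleMap_XXXX LDAP]
admin = Splunk_Admin
power = Splunk_Power
user = Splunk_Users;Splunk_Analysts
```

The fix is only a change to the roleMap stanza; the LDAP strategy stanza itself stays identical on search head and indexers. Restart splunkd on each indexer after deploying it so the new mapping is loaded.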

bharathkumarnec
Contributor

We have a lot of indexers; do we need to add this to all the indexers?


richgalloway
SplunkTrust

@Hemnaath If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

jhall0007
Path Finder

Was this issue causing any impact that you could identify? I am seeing a similar issue but I do not want to give users access to my indexers.


Hemnaath
Motivator

No, it did not cause any issues.

renjith_nair
SplunkTrust

Looks like an LDAP configuration issue.

See if this answer helps:

https://answers.splunk.com/answers/5415/how-can-i-append-basedn-to-member-uid-mappings-when-using-ld...

Happy Splunking!

Hemnaath
Motivator

Hey Renjith, thanks for your support on this. I am getting this error for only a few users, not all the users configured in Splunk via LDAP. So as per Simon's answer, where/in which location should I update the setting below? Could you please guide me on that.

groupMappingAttribute = uid

nikgoyal
New Member

Hemnaath, were you able to resolve this issue? I have started facing this, where some users are unable to log in, though not on a consistent basis.


Hemnaath
Motivator

Hi Nikgoyal, yes, we were able to resolve this issue by configuring all the LDAP groups on the indexer instance the same as on the search head instances.


Hemnaath
Motivator

Hey, can I get any help on this...


sudosplunk
Motivator

Hello, I had the same problem with 6.5.1, 6.5.2 and 6.5.3 (occasionally).
I noticed it only happens when we are running real-time searches.


Hemnaath
Motivator

Hey, we are using Splunk version 7.0.4, but how did you fix the issue? If you can share the knowledge it would be helpful, as I can see some 2000 errors in splunkd.log related to this.

sudosplunk
Motivator

I am not sure if this behavior is still seen in 7.0.4. Please check whether "real-time" searches are actually the culprits: go to the "Job Manager" page (Activity -> Jobs) to see if there are any real-time searches running. Kill the search to see if the errors stop.


Hemnaath
Motivator

Hi Nittala, I have seen some jobs being executed by some users, and those users' details are getting logged in splunkd.log as an error. To validate, I followed the direction mentioned in your comment and found those users' jobs were either in the completed or running stage in Activity -> Jobs. But when I checked with the user, I found that he did not execute any real-time search; he had been checking data for the past 7 days. So what will be the next step for this issue?


sudosplunk
Motivator

I would suggest opening a support ticket with Splunk. They can assist you better after analyzing the diag file.
