Security

Why are users from an LDAP Authenticated group not showing up?

vxb4892
Engager

We have created a group through our Active Directory team that contains ~6000 users. We have mapped this group through LDAP authentication on a single Splunk instance as we would normally do with any other AD group. However users that belong to this newly created group are unable to login.

If I check the settings for this user group the "LDAP Users" field is entirely blank. This occurrence only appears for this particular group, all others have their LDAP Users field populated appropriately. We have checked in the AD and all the users that should be in the group are correctly listed, but why are they not rendering in Splunk?

0 Karma

vxb4892
Engager

The issue addressed in this question was resolved with the assistance of a Splunk Support Case.

0 Karma

mh0712
New Member

Do you get a solution for this problem?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@vxb4892, To help future readers, please describe how you resolved the problem then accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

pradeepkumarg
Influencer

Did you try reload auth? or restart splunk instance?
If you have groupBaseFilter defined, ensure the new group falls under those filters.

0 Karma

vxb4892
Engager

Yes we have reloaded authentication and restart the splunk instance. groupBaseFilter is defined and the group we are authenticating belongs to that definition.

0 Karma

pradeepkumarg
Influencer

anything in splunkd.log for failed authentication?

0 Karma

vxb4892
Engager

We have set logging for ScopedLDAPConnection to DEBUG and it looks as if the attributes are all being added and loading correctly however we do see a LDAP server warning: Size limit exceeded warning appear on the group mapping page.

Our AD team has set the LDAP size limit to 1000, which would explain why maybe we're not able to see the 6000 users coming through, but there is no pageSize value for us to set on the Splunk side, nor has setting the search size parameter or the max_users_to_precache parameter to anything higher than 1000 worked for us.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...