Security

How come the LDAP config is not picking up users directly under OU?

kannu
Communicator

Hello Splunkers,

I am having an issue with LDAP authentication.
The issue is: I have one domain, abc.int.com. Under that domain I have one OU called Splunk, and in that OU I have many "usersid".

"usersid" refers to the name of a person who needs access to Splunk through LDAP.

So I am using these strings:
For user base DN:
ou=Splunk,dc=abc,dc=int,dc=com

And for group base DN:
dc=abc,dc=int,dc=com

But it's not picking up users. It's only picking up users under groups, not under any OU.

Please help me !!!!

0 Karma
1 Solution

JDukeSplunk
Builder

I can't give you a specific answer for this. However I can tell you how I got mine working.

Using ADExplorer or some other LDAP browser I nailed down the OU structure. I copy-pasted to ensure that I got the characters exactly. You can usually go into the properties of the object and copy it there.

This assumes users are in the following OU's.
OU=Users,OU=Accounts,OU=GA-ATL,OU=America,OU=Sites,DC=domain,DC=com
OU=Expire,OU=Accounts,OU=GA-ATL,OU=America,OU=Sites,DC=domain,DC=com
OU=WA-SEA,OU=America,OU=Sites,DC=domain,DC=com

And the group mappings will only show any group that begins with "Splunk"

Here is my working copy of my ..\etc\local\authentication.conf file. Which of course is populated from the GUI.

[LDAP Authentication to AD]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=splunkadsearch\, svc,CN=Users,DC=domain,DC=com
bindDNpassword = XXXXXXXX
charset = utf8
emailAttribute = mail
groupBaseDN = OU=Security,OU=Groups,OU=GA-ATL,OU=America,OU=Sites,DC=domain,DC=com
groupBaseFilter = (CN=Splunk*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = PDOM05.domain.com
nestedGroups = 0
network_timeout = 20
port = 636
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=Accounts,OU=GA-ATL,OU=America,OU=Sites,DC=domain,DC=com;OU=Expire,OU=Accounts,OU=GA-ATL,OU=America,OU=Sites,DC=domain,DC=com;OU=WA-SEA,OU=America,OU=Sites,DC=domain,DC=com
userNameAttribute = samaccountname

Hope this helps.
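
An added example, not part of the post above or of Splunk's code: an offline check of which semicolon-separated userBaseDN entry covers a given user DN, and how many levels below that base the user sits (1 means directly under the OU). The sample stanza and user DNs are constructed, the function names are hypothetical, and DN comparison is assumed to be case-insensitive with backslash escaping only.

```python
# Constructed sample modelled on the stanza above (not a real deployment).
SAMPLE_CONF = r"""
[LDAP Authentication to AD]
bindDN = CN=splunkadsearch\, svc,CN=Users,DC=domain,DC=com
userBaseDN = OU=Users,OU=Accounts,DC=domain,DC=com;OU=WA-SEA,OU=America,DC=domain,DC=com
"""

def parse_stanza(text):
    """Return {key: value} for the 'key = value' lines of one stanza."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#")):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def split_dn(dn):
    """Split a DN into (attr, value) RDNs; a backslash-escaped comma does not split."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, _, val = part.partition("=")
        rdns.append((attr.strip().lower(), val.strip().lower()))
    return rdns

def covering_bases(user_dn, user_base_dn):
    """List (base, depth) for every userBaseDN entry that is an ancestor of user_dn."""
    user, hits = split_dn(user_dn), []
    for base in filter(None, (b.strip() for b in user_base_dn.split(";"))):
        base_rdns = split_dn(base)
        depth = len(user) - len(base_rdns)
        if depth >= 1 and user[depth:] == base_rdns:
            hits.append((base, depth))
    return hits

if __name__ == "__main__":
    conf = parse_stanza(SAMPLE_CONF)
    print(covering_bases("CN=Jane Doe,OU=WA-SEA,OU=America,DC=domain,DC=com", conf["userBaseDN"]))
```

An empty result means no configured base is an ancestor of the user's DN, which is the first thing to rule out before looking at filters or bind permissions.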

MuS
SplunkTrust

Hi kannu,

Check this answer https://answers.splunk.com/answers/50175/ldap-authentication-troubleshooting-information.html

Also increase the logging for the AuthenticationManagerLDAP and the ScopedLDAPConnection channel in Settings » Server settings » Server logging and check index=_internal for LDAP related messages.

Hope that helps ...

cheers, MuS

0 Karma

kannu
Communicator

@MuS,

No, the link which you have provided has a different issue. In my case I am able to connect to LDAP.

The issue is that the LDAP settings are picking up users which are mentioned under some group, but they are not picking up users which are mentioned directly under the OU.

0 Karma

MuS
SplunkTrust

Not exactly, the linked answer tells you to test the LDAP connection and connection information with another tool and visually check the results for verification purposes.

Anyway, have a look at @JDukeSplunk's answer on how to set up multiple OUs for userBaseDN.

cheers, MuS

0 Karma

ssadanala1
Contributor

For the group base DN, you need to specify the ou attribute.
Your LDAP configuration should look like this:

groupBaseDN = ou=Groups,dc=splunksupport,dc=com;
*This is the Base of your Groups in LDAP. You can also specify multiple bases. For example: ou=Management,ou=Groups,dc=Splunkers,dc=com;ou=Consultants,ou=Groups,dc=Splunkers,dc=com;

For more Info

https://www.splunk.com/blog/2009/08/13/ldap-auth-configuration-tips.html

Hope it helps

0 Karma

kannu
Communicator

@ssadanala1,

Bro, I am not having groups under any OU. After the OU there are directly users; there is no group in between users and OU.

0 Karma