Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk LDAP authentication with Active Directory

ssankeneni
Communicator
‎01-14-2013 01:07 PM

I'm unable to authenticate Splunk LDAP with the Active directory. I'm able to save my LDAP configuration and pull the users for a group. I have matched the role with the user group, but I'm unable to login to splunk using my AD credentials.

My authentication file.

[cacheTiming]
userLoginTTL = 1
getUserInfoTTL = 1
getUsersTTL = 1

[authentication]
authSettings = Active_directory
authType = LDAP

[roleMap_Active_directory]
admin = Splunk_Admins_Test

[Active_directory]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = splunkserviceaccount

bindDNpassword = password
charset = utf8
groupBaseDN = CN=Users,DC=Mydomain, DC=com
groupBaseFilter = (&(objectCategory=group)(name=Splunk_Admins_Test))
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = hostid
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=Mydomain, DC=com
userBaseFilter = (&(objectCategory=person)(objectClass=user))
userNameAttribute = samaccountname

When I ran this command my results are empty.
ldapsearch -x –h –p –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

ldapsearch -x –h –p –D "bind_dn" -w "bind_passwd" –b "group_basedn" "groupNameAttribute=*"

My log files indicate that it is unable to find the user

01-14-2013 15:46:38.726 -0600 ERROR AuthenticationManagerLDAP - Could not find user="ssanke" with strategy="Active_directory"
01-14-2013 15:46:38.727 -0600 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="ssanke" on any configured servers

Can any one point me where the error might be ?

Reply

wdprobradw
New Member
‎02-18-2015 01:45 PM

Gravedigging, I know. I ran into this and had a heck of a time figuring it out. We could map groups and users, and have nested security groups all over the place, BUT some users could not log in, even though we could see them in the Splunk UI as a member of the group(s) we were adding. Turns out that the users that could not log in, did not have an Active Directory DisplayName! The LDAP query would choke and die for those users, while users with DisplayNames would be able to log in. We changed the "realNameAttribute" to "samaccountname" and the users were immediately able to log in. The only side effect is that their login name is shown at the top of the UI rather than their full name, but with thousands of possible users, and the potential of this cropping up in the future, we're keeping the "samaccountname" and calling it a day.
Working config, non-SSL:

authentication.conf:
[roleMap_MGMT-SE]
admin = SE-GROUP

[authentication]
authSettings = MGMT-SE,MGMT-USERS
authType = LDAP

[roleMap_MGMT-USERS]
splunktier1 = SplunkTier1
splunktier2 = SplunkTier2
splunktier3 = SplunkTier3

[MGMT-SE]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = CN=_splunksvc,OU=Service_Accounts,DC=mgmt,DC=com
bindDNpassword = (removed)
charset = utf8
emailAttribute = mail
groupBaseDN = CN=SE-GROUP,OU=Teams,OU=Security_Groups,DC=mgmt,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.server.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = samaccountname
sizelimit = 4000
timelimit = 15
userBaseDN = DC=mgmt,DC=com
userNameAttribute = samaccountname

[MGMT-USERS]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=_splunksvc,OU=Service_Accounts,DC=mgmt,DC=com
bindDNpassword = (removed)
charset = utf8
emailAttribute = mail
groupBaseDN = OU=User_Groups,OU=Security_Groups,DC=mgmt,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.server.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = samaccountname
sizelimit = 4000
timelimit = 15
userBaseDN = DC=mgmt,DC=com
userNameAttribute = samaccountname

0 Karma
Reply

clymbouris
Path Finder
‎01-15-2013 12:49 AM

This works without SSL as well.

Here's my working config, it be of might help..

bindDN = CN=ldapquery,OU=Services,DC=test,DC=com
bindDNpassword = aPassword
charset = utf8
groupBaseDN = CN=Splunk_Admins,OU=Groups,DC=test,DC=com;CN=Splunk_Power_Users,OU=Groups,DC=test,DC=com;CN=Splunk_Users,OU=Groups,DC=test,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = testDC.test.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=MyUsers,DC=test,DC=com
userNameAttribute = samaccountname

Reply

ssankeneni
Communicator
‎01-15-2013 09:55 AM

thanks for reply! This config is not working

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎01-14-2013 01:36 PM

I believe when trying to authenticate to AD, SSL is required. Try modifying these settings.

SSLEnabled = 1
port = 636

You can also try using ldapsearch: ldapsearch -x -H ldaps://ldap_host -D "bind_dn" -W -b "user_basedn" "(samaccountname=*)" "cn"

Reply

ssankeneni
Communicator
‎01-14-2013 04:08 PM

The error while using SSL

Encountered the following error while trying to update: In handler 'LDAP-auth': strategy="Active_directory" Error binding to LDAP. reason="Can't contact LDAP server"

I tried by removing all the filters but still I'm unable to login. I even tried by using the (&(objectCategory=group)(!(grouptype=2)) filter.

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎01-14-2013 02:00 PM

After your previous update with errors, I think you need to remove the "userBaseFilter". Also for the groups, you will need to remove the "groupBaseFilter". When brought together, your user filter is "(&(samaccountname=%USER%)(objectCategory=person)(objectCategory=user))" and your group filter is "(&(cn=*)(objectCategory=group)(name=Splunk_Admins_Test))". Since it looks like your CN=Users contains BOTH groups and users, you will want to make your groupBaseFilter= "(&(objectCategory=group)(!(grouptype=2)))"

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎01-14-2013 01:46 PM

What error were you given?

Reply

ssankeneni
Communicator
‎01-14-2013 01:45 PM

When I tried to change it to SSL from the web interface it is giving me an error while saving.

Reply

ssankeneni
Communicator
‎01-14-2013 01:26 PM

I don't have an account with the same name

Reply

jonuwz
Influencer
‎01-14-2013 01:22 PM

Make sure you don't have an account in splunk with the same username - it'll use the splunk account with the same name before the LDAP account.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...