Security

How to get list of users removed from LDAP but are still available in Splunk user directories

newbie2tech
Communicator

Hi Team,

In my implementation Splunk is integrated with LDAP authentication; users who have left the organization are removed from the LDAP group as part of the exit process (a form is submitted to the LDAP group).

The question is how we get to know of that exited user in Splunk so that we can do the clean-up on the Splunk end (backing up/re-assigning/deleting their user directory), especially for those users who did not have any Splunk artifacts (i.e. they were just looking up dashboards etc., hence will not be listed as part of orphaned searches or objects).

Looking forward to your inputs.

Thank you!

1 Solution

MuS
SplunkTrust

Hi newbie2tech,

This is not a Splunk problem, but more of a process/organisational problem. Easiest fix: get the form that is submitted to the LDAP group also submitted to the Splunk group - done.

Of course there are ways to use Splunk queries and compare them to the AD users and such. But this will be more of a workaround rather than fixing the cause.

Might not be the expected answer, but at least it will give you something to start/think about.

cheers, MuS



newbie2tech
Communicator

Thanks MuS for the quick response. Yes, I agree it isn't a Splunk problem and more of a process thing. I was hoping to get details on those Splunk queries and comparing them with AD users.

I noticed your response in other threads suggesting the REST API below to get the list of users active in LDAP, put them in a summary index and run queries against them to find any exited users. Would you recommend the same in my case?

| rest /services/authentication/httpauth-tokens splunk_server=local

Please let me know: when a user is removed in LDAP, will we have any sort of error in any of the Splunk logs that I can generate a report on, or is it just the above method? Also, when the user is removed in LDAP, the exited user will automatically not be listed in the Splunk GUI, right?


MuS
SplunkTrust

You will not get any error messages, except for any possible orphaned knowledge objects.
The user will not be listed in Splunk after being removed from AD once authentication has been refreshed; otherwise the user is still cached in Splunk.
The REST call will give you the currently logged-on users, so to get the difference over time you will have to use the summary events and do something like this:

 index=summary_ldap_events 
 | search NOT [ | ldapsearch .... ]

This will query AD and compare it with the summary events, showing the users that are NOT in AD anymore.

cheers, MuS


newbie2tech
Communicator

Thank you MuS for the further details; this helps me understand better now. However, I have the 3 questions below about your response.

Do we not have a way, using a REST API call, to get all the Splunk users in LDAP (who are not removed) instead of those who are currently logged in? Because a good number of users might be logging in once a week or a few times a month; how do we accommodate them?

Also, if we were to go with the API call that gives the currently logged-in users, what is a good frequency to run the scheduled search making this API call? It seems like multiple times a day (hourly at least?).

Also, what time range do we need to choose for running the search query that you gave in the comment above (index=summary_ldap_events | search NOT [ | ldapsearch .... ])? I would think it would be whatever time range in which we think all the users might have logged in, is it?

Once a user is removed in LDAP, do we need to explicitly accommodate an authentication refresh on the Splunk end? Is it one of the config settings as part of the LDAP auth setup, or is it taken care of out of the box?

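The collector-plus-comparison approach MuS describes above, with the hourly collection frequency and a lookback window like the ones raised in the follow-up questions, written out as two saved searches. This is an added example, not code from the thread or from Splunk. It assumes the SA-ldapsearch app is installed (it provides the ldapsearch command), that a summary index named summary_ldap_events already exists and is writable by the search owner, and a hypothetical group DN CN=Splunk-Users,OU=Groups,DC=example,DC=com for the LDAP group mapped to Splunk roles; the stanza names are made up as well.

```ini
# Added example (not from the thread): two stanzas for savedsearches.conf on
# the search head. Stanza names, the index name and the group DN are
# hypothetical; the summary index must exist before | collect can write to it.

# 1. Collector: snapshot of the sessions that are live right now.
#    httpauth-tokens only shows current sessions, so run it hourly to catch
#    users who log in briefly once a week. | rest returns no _time, so each
#    collected event gets the collection time as _time; max(_time) later
#    gives a "last seen" timestamp per user.
[splunk_session_snapshot]
enableSched = 1
cron_schedule = 0 * * * *
search = | rest /services/authentication/httpauth-tokens splunk_server=local \
  | fields userName \
  | eval userName=lower(userName) \
  | dedup userName \
  | collect index=summary_ldap_events source="splunk_sessions"

# 2. Report: everyone seen in Splunk during the lookback window (choose a
#    window in which every real user is expected to log in at least once;
#    90 days here) who is no longer a member of the LDAP group mapped to
#    Splunk roles. Both sides are lower-cased because sAMAccountName and the
#    name recorded by Splunk can differ in case.
[splunk_users_gone_from_ldap]
enableSched = 1
cron_schedule = 30 6 * * 1
dispatch.earliest_time = -90d
dispatch.latest_time = now
search = index=summary_ldap_events source="splunk_sessions" \
  | stats max(_time) AS last_seen BY userName \
  | search NOT [ \
      | ldapsearch domain=default \
          search="(&(objectClass=user)(memberOf=CN=Splunk-Users,OU=Groups,DC=example,DC=com))" \
          attrs="sAMAccountName" \
      | eval userName=lower(sAMAccountName) \
      | fields userName ] \
  | eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S") \
  | sort - last_seen
```

Two caveats a practitioner should check before relying on this. The NOT [subsearch] form inherits the subsearch result cap (10,000 results by default, the maxout setting under [subsearch] in limits.conf), so for a group larger than that, combine the two result sets with append and stats instead of a subsearch. And the report only finds users who had a live session during the window; a user directory under $SPLUNK_HOME/etc/users that belongs to someone who never logged in within that window has to be found by comparing the directory names on disk against the same ldapsearch result.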