Splunk Search

Can I map multiple groups to be bound to one role?

daniel333
Builder

All,

Can I map multiple AD groups to one role in authentication.conf? Example?

0 Karma
1 Solution

nareshinsvu
Builder

@daniel333 - Yes you can. Separate the groups with a semicolon while defining LDAP strategy. And then define a rolemap as shown in the below example. The same can be achieved through GUI as well.

groupBaseDN = [<\string>;<\string>;...]
* The LDAP Distinguished Names of LDAP entries whose subtrees contain
the groups.
* Required.
* Enter a semicolon (;) delimited list to search multiple trees.
* If your LDAP environment does not have group entries, there is a
configuration that can treat each user as its own group:
* Set groupBaseDN to the same as userBaseDN, which means you search
for groups in the same place as users.
* Next, set the groupMemberAttribute and groupMappingAttribute to the same
setting as userNameAttribute.
* This means the entry, when treated as a group, uses the username
value as its only member.
* For clarity, also set groupNameAttribute to the same
value as userNameAttribute.
* No default.

Working example below: authentication.conf

[LDAP_Test]
groupBaseDN = CN=AD-Group-1,OU=Groups,DC=WIN,DC=LOCAL;CN=AD-Group-2,OU=Groups,DC=WIN,DC=LOCAL
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = <\your_AD_server_hostname>
nestedGroups = 0
network_timeout = 20
port = 389/636 <\remove this comment - 636 is for ssl>
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Accounts,DC=WIN,DC=LOCAL
userNameAttribute = samaccountname


[roleMap_LDAP_Test]
splunk_custom_role = AD-Group-1;AD-Group-2

View solution in original post

0 Karma

nareshinsvu
Builder

@daniel333 - Yes you can. Separate the groups with a semicolon while defining LDAP strategy. And then define a rolemap as shown in the below example. The same can be achieved through GUI as well.

groupBaseDN = [<\string>;<\string>;...]
* The LDAP Distinguished Names of LDAP entries whose subtrees contain
the groups.
* Required.
* Enter a semicolon (;) delimited list to search multiple trees.
* If your LDAP environment does not have group entries, there is a
configuration that can treat each user as its own group:
* Set groupBaseDN to the same as userBaseDN, which means you search
for groups in the same place as users.
* Next, set the groupMemberAttribute and groupMappingAttribute to the same
setting as userNameAttribute.
* This means the entry, when treated as a group, uses the username
value as its only member.
* For clarity, also set groupNameAttribute to the same
value as userNameAttribute.
* No default.

Working example below: authentication.conf

[LDAP_Test]
groupBaseDN = CN=AD-Group-1,OU=Groups,DC=WIN,DC=LOCAL;CN=AD-Group-2,OU=Groups,DC=WIN,DC=LOCAL
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = <\your_AD_server_hostname>
nestedGroups = 0
network_timeout = 20
port = 389/636 <\remove this comment - 636 is for ssl>
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Accounts,DC=WIN,DC=LOCAL
userNameAttribute = samaccountname


[roleMap_LDAP_Test]
splunk_custom_role = AD-Group-1;AD-Group-2
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...