Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

LDAP authentication with client certificates - SASL and TLS

vegitron
Engager
‎02-21-2013 03:15 PM

I'm trying to connect Splunk to and LDAP server that requires authentication with client x509 certificates.

Based on http://docs.splunk.com/Documentation/Splunk/latest/Security/TestyourLDAPconfiguration, I've been working with ldapsearch, a .ldaprc file, and trying to move the settings into splunk's authentication.conf and etc/openldap/ldap.conf.

This is the content of my ldap.conf file:

ssl start_tls
TLS_REQCERT demand
TLS_CERT [cert_path]/app.cert
TLS_KEY [cert_path]/app.key
TLS_CACERT [cert_pat]/ca.cert
TLS_CACERTDIR [cert_path]
SASL_MECH EXTERNAL

I have my system logging set to debug for AuthenticationManagerLDAP and ScopedLDAPConnection, and this is what I get:

02-21-2013 15:05:51.876 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Initializing with LDAPURL="ldap://[ldap_host]:389"
02-21-2013 15:05:51.876 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting anonymous bind
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Bind successful
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting to read entry at DN="[dn]"
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting to search subtree at DN="[dn]" using filter=""
02-21-2013 15:05:51.989 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Search duration="13.68 milliseconds"
02-21-2013 15:05:51.989 -0800 ERROR ScopedLDAPConnection - strategy="LDAP" Could not read invalid entry at DN="[dn]"
02-21-2013 15:05:51.989 -0800 ERROR AdminHandler:AuthenticationHandler - Could not find userBaseDN on the LDAP server: [dn]

From that, it looks like the client cert configuration, and the SASL EXTERNAL mechanism are being ignored. This configuration has worked with ldapsearch, and the perl libraries Net::LDAP and Authen::SASL.

Is it possible to use client certificates in this way with Splunk, and if so, what configuration am I missing?

thanks,
Patrick

Tags (3)
Reply

psow_splunk
Splunk Employee
Splunk Employee
‎03-26-2013 07:58 PM

Have you config the server.conf?

http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/Securingyourdeploymentserverandclients

Take note:

Important: This requireClientCert is set to "false" by default. If you change it to true to force Splunk to check your client's certificates, Splunk Web and the CLI will also be checked for certificates. Your CLI connection will no longer work because your CLI is unable to present a certificate as a client

0 Karma
Reply

vegitron
Engager
‎03-27-2013 01:01 AM

That page doesn't describe ldap authentication.

I ended up using scripted authentication: http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/Createtheauthenticationscript

With scripted authentication I was able to use a library that does LDAP TLS properly.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...