Error in Splunkd.log: UserManagerPro - Failed to L...

bnorthway · ‎05-28-2015

In my splunkd.log, these messages repeat constantly (several times per minute). I turned on INFO-level logging to see if the extra information is useful. This user, "bnorthway", is an OS user (Linux), but not an LDAP user. There also used to be a Splunk (non-LDAP) user, but this account has been deleted.

Why is Splunk trying to find this account on the LDAP server? How can I stop this?

ERROR AuthenticationManagerLDAP - Could not find user="bnorthway" with strategy="<domain>"
ERROR UserManagerPro - Failed to get LDAP user="bnorthway" from any configured servers
INFO  UserManagerPro - No user context available while checking capability=, auditInfo=""

rajanala · ‎02-09-2016

If the user bnorthway owns/created any Splunk artifacts ( like scheduled searches, alerts, etc) , you can change the ownership from bnorthway to nobody.

For example: To change the ownership for searches owned/created by bnorthway
Search for the user in local.meta under $SPLUNK_HOME/etc/apps/search/metadata/
replace all occurrences of owner = bnorthway to owner=nobody

sk314 · ‎05-28-2015

As per the documentation, Splunk will check against all configured access strategies. By default, it searches Splunk local users first and then any other strategy configured.
(Ref: http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkToUsePAMOrRADIUSAuthentic... )

bnorthway · ‎09-24-2015

Where would I find the configuration that is attempting to find this user?

Error in Splunkd.log: UserManagerPro - Failed to LDAP user -- for a deleted user!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases