Hi Splunkers, I am seeing some 2023 event counts for the below-mentioned error detail in splunkd.log on all the indexer instances, so can anyone guide me on how/where to start the investigation on fixing this issue?
ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="test01". Search filter="(&(uniquemember=uid=test01,ou=Internal,ou=Users,dc=xxx,dc=com)(cn=Splunk_Admin))" strategy="XXXX LDAP"
Splunk Version : 7.0.4
Check if the user belongs to groups which have permissions to access Splunk.
Hi all, while troubleshooting this issue with the help of a Splunker from splunk.answers.com, I narrowed down the issue and fixed it.
In this case the LDAP configurations on the indexer and search head instances were different: on the indexer instance only the Splunk_Admin LDAP group was configured, whereas on the search head we had other LDAP groups configured. Because of this, whenever any user mapped to groups other than Splunk_Admin performed search activities, it threw an error in splunkd.log due to the configuration conflict.
Problem Detail:
ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="test01". Search filter="(&(uniquemember=uid=test01,ou=Internal,ou=Users,dc=xxx,dc=com)(cn=Splunk_Admin))" strategy="XXXX LDAP"
Solution: Configured all the LDAP groups on the indexer instance, the same as on the search head instances.
We have a lot of indexers, we need to add this to all the indexers?
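The mismatch described in this answer can be checked mechanically. The following is an added example, not part of the original thread and not Splunk's own tooling: it compares the `roleMap_<strategy>` stanzas of two authentication.conf files and lists LDAP groups mapped on the search head but not on the indexer. The strategy name `corp_ldap`, every group other than Splunk_Admin, and both sample files are constructed for illustration.

```python
import configparser

# Constructed sample authentication.conf fragments (not taken from the thread).
# Only the role-mapping stanza is shown; "corp_ldap" and all groups except
# Splunk_Admin are assumptions made for this example.
SEARCH_HEAD_CONF = """
[roleMap_corp_ldap]
admin = Splunk_Admin
power = Splunk_Power
user = Splunk_User;Splunk_Analyst
"""

INDEXER_CONF = """
[roleMap_corp_ldap]
admin = Splunk_Admin
"""


def mapped_groups(conf_text):
    """Return {strategy_name: set of LDAP groups mapped to any Splunk role}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("roleMap_"):
            continue
        groups = set()
        for value in cp[section].values():
            # One role can map to several groups, separated by ';'
            groups.update(g.strip() for g in value.split(";") if g.strip())
        result[section[len("roleMap_"):]] = groups
    return result


def missing_on_indexer(search_head_text, indexer_text):
    """Groups mapped on the search head that the indexer has no mapping for."""
    sh, idx = mapped_groups(search_head_text), mapped_groups(indexer_text)
    gaps = {name: sorted(groups - idx.get(name, set())) for name, groups in sh.items()}
    return {name: groups for name, groups in gaps.items() if groups}


if __name__ == "__main__":
    for name, groups in missing_on_indexer(SEARCH_HEAD_CONF, INDEXER_CONF).items():
        print(f"strategy {name}: mapped on search head only: {', '.join(groups)}")
```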
@Hemnaath If your problem is resolved, please accept an answer to help future readers.
Was this issue causing any impact that you could identify? I am seeing a similar issue but I do not want to give users access to my indexers.
No, it did not cause any issues.
Looks like an LDAP configuration issue.
See if this answer helps
Hey renjith, thanks for your support on this. I am getting this error for only a few users, not all the users configured in Splunk via LDAP. So as per Simon's answer, where/in which location should I update the code? Could you please guide me on that?
<code>groupMappingAttribute = uid
</code>
Hemnaath, were you able to resolve this issue? I have started facing this, wherein some users are unable to log in. Not on a consistent basis.
Hi Nikgoyal, yes, we were able to resolve this issue by configuring all the LDAP groups on the indexer instance, the same as on the search head instances.
Hey, can I get any help on this ...
Hello, I had the same problem with 6.5.1, 6.5.2 and 6.5.3 (occasionally).
I noticed it only happens when we are running Real-time searches.
Hey, we are using Splunk version 7.0.4, but how did you fix the issue? If you can share the knowledge it would be helpful, as I could see some 2000 errors in splunkd.log related to this.
https://support.apple.com/kb/PH26272?viewlocale=en_ME&locale=en_ME
I am not sure if this behavior is still seen in 7.0.4. Please check if "real-time" searches are actually the culprits. Go to the "Job Manager" page (Activity -> Jobs) to see if there are any real-time searches running. Kill the search to see if the errors stop.
Hi Nittala, I have seen some jobs being executed by some users, and those users' details are showing up in splunkd.log as an error. To validate, I followed the directions mentioned in your comment and found those users' jobs were either in the completed or running stage in Activity -> Jobs. But when I checked with the user on the same, I found that he did not execute any real-time search and he had been checking data related to the past 7 days. So what will be the next step for this issue?
I would suggest opening a support ticket with Splunk. They can assist you better after analyzing the diag file.