splunkd.log UserManagerPro LDAP warning with blank username

mfrost8
Builder

We use LDAP authentication for users on our Splunk instances. I'm trying to keep an eye on users who no longer exist (orphaned searches, but also user dirs that are 'dead').

Occasionally, I see the following show up in the logs:

03-29-2017 11:27:14.140 -0500 ERROR UserManagerPro - Failed to get LDAP user="" from any configured servers

That is, the user field is blank. I can't see how I could have a blank user in Splunk. Does anyone know how this might happen? I'd like to clean it up if I can.

Thanks!


brreeves_splunk
Splunk Employee

These references come from savedsearches that were previously assigned to a now-disabled user. You can track these down by running Splunk in Debug for searches for a bit, then letting them run. Next, in the splunkd log you'll see the SID of the search trying to run. That way you can track it back to the search and either re-assign it or delete it.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Enabledebuglogging#Enable_debug_l...

brreeves_splunk
Splunk Employee

If you look at the events around that one, does it talk about what search or activity it is trying to complete with that user?


mfrost8
Builder

Why didn't I think of that? 🙂

Just prior I see

03-29-2017 14:06:11.948 -0500 WARN  HttpListener - Socket error from 1.2.3.4 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
03-29-2017 14:06:13.153 -0500 WARN  HttpListener - Socket error from 1.2.3.5 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
03-29-2017 14:06:13.543 -0500 ERROR ScopedLDAPConnection - Invalid search filter: Attribute and value must be non-empty. Attempted to constrain attribute="samaccountname" to value=""
03-29-2017 14:06:13.612 -0500 ERROR ScopedLDAPConnection - Invalid search filter: Attribute and value must be non-empty. Attempted to constrain attribute="samaccountname" to value=""
03-29-2017 14:06:13.612 -0500 ERROR UserManagerPro - Failed to get LDAP user="" from any configured servers

I think we have some internal tool that is scanning servers and attempting to break in on any ports it can find. Just to see, I tried going to the web interface and hitting enter without entering a userid or password to see if that would generate this and it did not.

I guess there's something about the way this is hitting the port that is triggering an LDAP search with no user information.

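The thread ends with two distinct causes for the same UserManagerPro line: a blank user="" lookup that immediately follows HttpListener socket errors from a scanner (the empty samaccountname filter in ScopedLDAPConnection is the tell), and a named user that no longer resolves because a saved search is still owned by a disabled account. The following script is an added example, not code from the thread or from Splunk: it parses splunkd.log-style lines and tags each "Failed to get LDAP user" event with which of those two situations it looks like, using the source IPs of any socket errors seen in the preceding few seconds. The sample log text is constructed to mirror the lines quoted above (the "jdoe_old" line is invented to show the named-user case), and the 10-second correlation window is an assumption, not a Splunk setting.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the splunkd.log lines quoted in the thread; not a real capture.
SAMPLE_LOG = """\
03-29-2017 11:27:14.140 -0500 ERROR UserManagerPro - Failed to get LDAP user="" from any configured servers
03-29-2017 14:06:11.948 -0500 WARN  HttpListener - Socket error from 1.2.3.4 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
03-29-2017 14:06:13.153 -0500 WARN  HttpListener - Socket error from 1.2.3.5 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
03-29-2017 14:06:13.543 -0500 ERROR ScopedLDAPConnection - Invalid search filter: Attribute and value must be non-empty. Attempted to constrain attribute="samaccountname" to value=""
03-29-2017 14:06:13.612 -0500 ERROR ScopedLDAPConnection - Invalid search filter: Attribute and value must be non-empty. Attempted to constrain attribute="samaccountname" to value=""
03-29-2017 14:06:13.612 -0500 ERROR UserManagerPro - Failed to get LDAP user="" from any configured servers
03-29-2017 15:00:00.000 -0500 ERROR UserManagerPro - Failed to get LDAP user="jdoe_old" from any configured servers
"""

# splunkd.log line layout: timestamp, tz offset, level, component, " - ", message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
LDAP_USER_RE = re.compile(r'Failed to get LDAP user="(?P<user>[^"]*)"')
SOCKET_ERR_RE = re.compile(r"Socket error from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_log(text):
    """Turn raw splunkd.log text into a list of event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack traces and continuation lines carry no timestamp; ignore them
        events.append({
            "ts": datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f"),
            "level": m["level"],
            "component": m["component"],
            "msg": m["msg"],
        })
    return events


def triage_ldap_user_errors(events, window=timedelta(seconds=10)):
    """Classify each UserManagerPro LDAP-lookup failure by the context that precedes it.

    window is an assumed correlation interval: HttpListener socket errors and
    ScopedLDAPConnection empty-filter errors that fall within it are attributed
    to the same probe that produced the blank-user lookup.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["component"] != "UserManagerPro":
            continue
        m = LDAP_USER_RE.search(ev["msg"])
        if not m:
            continue
        user = m["user"]
        ips = set()
        bad_filters = 0
        # Walk backwards through earlier events until we leave the window.
        for prev in reversed(events[:i]):
            if ev["ts"] - prev["ts"] > window:
                break
            if prev["component"] == "HttpListener":
                sm = SOCKET_ERR_RE.search(prev["msg"])
                if sm:
                    ips.add(sm["ip"])
            elif prev["component"] == "ScopedLDAPConnection" and "must be non-empty" in prev["msg"]:
                bad_filters += 1
        if user:
            # A named user that no LDAP server can resolve: review saved searches owned by it.
            kind = "orphaned_owner"
        elif ips:
            # Blank lookup right after raw-socket errors: consistent with a scanner hitting the port.
            kind = "empty_user_after_socket_errors"
        else:
            # Blank lookup with nothing nearby: enable debug logging and look for the search SID.
            kind = "empty_user_no_context"
        findings.append({
            "ts": ev["ts"].isoformat(),
            "user": user,
            "kind": kind,
            "source_ips": sorted(ips),
            "invalid_filter_errors": bad_filters,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_ldap_user_errors(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real splunkd.log, the "orphaned_owner" findings give the list of owners to check in savedsearches.conf, while the "empty_user_after_socket_errors" findings give the IPs worth reconciling against the internal scanner's schedule before treating the LDAP errors as a user-management problem.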