I've been attempting to configure Splunk to use some very large groups (>1500 members) to allow all users in my business unit to log in, instead of having to add smaller groups individually. When I try to use these groups and turn the logging level for AuthenticationManagerLDAP up to "Debug", I get the following error message.
09-24-2013 14:19:23.861 -0700 DEBUG AuthenticationManagerLDAP - Skipping dynamic group DN="CN=Org-BUName-Employees,OU=Automated,OU=Distribution Lists,OU=Groups,DC=corp,DC=company,DC=com" with no values for member attribute
Investigating with ldapsearch, I found that this is not a dynamic group as Splunk claims. Because it's so large, querying the group returns the first 1500 group members with the attribute 'member;range=0-1499' instead of 'member' as Splunk expects. With a group this large, multiple requests need to be made to get all the members, with the attribute you're requesting being 'member;range=0-1499', 'member;range=1500-2999', etc.
If I change groupMemberAttribute to "member;range=0-1499" I get the first 1500 users from the large group, but the rest are missing and I get no users from the smaller groups. If it was possible to specify multiple groupMemberAttributes I could fix this issue, but according to http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Authenticationconf this parameter only allows one value, not a list.
Update: While I still haven't come up with a solution, I did come up with a workaround that works in my case. We have mailing lists for both Organizations and Locations. So I set up the userBaseFilter to filter users who are members of the mailing lists for the organizations I want to allow to log in to Splunk, and then in the roleMap section I used all the location mailing lists, which are all under 1000 users each. Without the filter this would allow anyone to log in, but with the organization filter those users won't be returned by AD.
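The range-retrieval behaviour described in the question, shown as an added example that is not part of the original post or of Splunk: a constructed in-memory "directory" mimics how AD answers a member query for a group above its 1500-value limit (returning 'member;range=0-1499', then 'member;range=1500-2999', and finally a 'member;range=N-*' chunk), and a client loop follows those ranges until it has the whole membership. The DNs, member counts and the 1500 limit are constructed assumptions, not values from any real directory.

```python
import re
from typing import Callable, Dict, List

# Constructed sample data: one group above the range limit, one below it.
LARGE_DN = "CN=Org-BUName-Employees,OU=Groups,DC=corp,DC=company,DC=com"
SMALL_DN = "CN=Site-Admins,OU=Groups,DC=corp,DC=company,DC=com"
DIRECTORY: Dict[str, List[str]] = {
    LARGE_DN: [f"CN=user{i},OU=People,DC=corp,DC=company,DC=com" for i in range(3200)],
    SMALL_DN: [f"CN=admin{i},OU=People,DC=corp,DC=company,DC=com" for i in range(12)],
}
MAX_RANGE = 1500  # assumed per-response limit, as in the question's symptoms

RANGE_RE = re.compile(r"^member;range=(\d+)-(\d+|\*)$")

def ad_search(dn: str, attr: str) -> Dict[str, List[str]]:
    """Simulated server: answer a request for 'member' or 'member;range=lo-*'.

    A group that fits in one response is returned under plain 'member';
    a larger one comes back under 'member;range=lo-hi', with hi == '*'
    marking the final chunk. An unknown DN yields no member attribute,
    which is what a dynamic (query-based) group looks like to a client."""
    members = DIRECTORY.get(dn)
    if members is None:
        return {}
    m = RANGE_RE.match(attr)
    start = int(m.group(1)) if m else 0
    if attr == "member" and len(members) <= MAX_RANGE:
        return {"member": members}
    end = min(start + MAX_RANGE, len(members))
    label = "*" if end == len(members) else str(end - 1)
    return {f"member;range={start}-{label}": members[start:end]}

def fetch_all_members(search: Callable[[str, str], Dict[str, List[str]]],
                      dn: str) -> List[str]:
    """Client side: ask for 'member', then walk the ranged attribute names."""
    result: List[str] = []
    attr = "member"
    while True:
        entry = search(dn, attr)
        if "member" in entry:            # small group: single response
            return entry["member"]
        ranged = [k for k in entry if RANGE_RE.match(k)]
        if not ranged:                   # no member attribute at all
            return result
        key = ranged[0]
        result.extend(entry[key])
        _lo, hi = RANGE_RE.match(key).groups()
        if hi == "*":                    # last chunk reached
            return result
        attr = f"member;range={int(hi) + 1}-*"   # request the next chunk
```

A client that only looks for a literal 'member' key, as the question says Splunk does, would see the first response as an empty membership; the loop above is what a range-aware client has to do instead.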