We are using Splunk 6.3.2 with an LDAP strategy (FreeIPA) which contains the following users and groups:
User "joe" is member of group "app_splunk_user"
Group "app_splunk_admin" is also member of group "app_splunk_user"
User "mike" is member of group "app_splunk_admin"
In other words:
"joe" -> "app_splunk_user" (maps to role "user")
"mike" -> "app_splunk_admin" (maps to role "admin") -> "app_splunk_user" (maps to role "user")
Splunk's user database shows only "mike" with the role "admin". The role "user" will never be used, not even for "mike". "joe" doesn't appear either.
This is our configuration:
[authentication]
authSettings = freeipa
authType = LDAP
[roleMap_freeipa]
admin = app_splunk_admin
user = app_splunk_user
[freeipa]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = uid=splunk,cn=users,cn=accounts,dc=example,dc=com
bindDNpassword = topsecret
charset = utf8
emailAttribute = mail
groupBaseDN = cn=groups,cn=accounts,dc=example,dc=com
groupBaseFilter = (cn=app_splunk_*)
groupMappingAttribute = memberof
groupMemberAttribute = member
groupNameAttribute = cn
host = freeipa.example.com
nestedGroups = 1
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = cn=users,cn=accounts,dc=example,dc=com
userBaseFilter = (memberOf=cn=app_splunk_user,cn=groups,cn=accounts,dc=example,dc=com)
userNameAttribute = uid
These two lines from splunkd.log are interesting (sizelimit is "1000" at both ends, but Splunk still sends LDAP subtree requests with a sizelimit of 1):
01-20-2016 17:00:04.725 +0100 WARN ScopedLDAPConnection - strategy="freeipa" LDAP Server returned warning in search for DN="cn=users,cn=accounts,dc=example,dc=com". reason="Size limit exceeded"
01-20-2016 17:00:04.729 +0100 WARN ScopedLDAPConnection - strategy="freeipa" LDAP Server returned warning in search for DN="cn=groups,cn=accounts,dc=example,dc=com". reason="Size limit exceeded"
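The role assignment the post expects, written out as an added example (not part of the original post and not Splunk's own resolution logic): it models the described membership with constructed in-memory data, resolves nested groups transitively, and compares the result with what the post reports seeing. The names `MEMBERS`, `OBSERVED`, `groups_of`, `expected_roles` and `missing_roles` are hypothetical.

```python
# Constructed model of the directory described in the post (nothing is queried from LDAP).
MEMBERS = {  # group -> direct members (users or nested groups)
    "app_splunk_user": {"joe", "app_splunk_admin"},
    "app_splunk_admin": {"mike"},
}
ROLE_MAP = {"admin": "app_splunk_admin", "user": "app_splunk_user"}  # [roleMap_freeipa]
OBSERVED = {"mike": {"admin"}}  # what the post says Splunk's user database shows


def groups_of(principal, members=MEMBERS):
    """Return every group containing principal, directly or through nesting."""
    found, stack = set(), [principal]
    while stack:
        current = stack.pop()
        for group, direct in members.items():
            # The 'not in found' check also terminates on circular nesting.
            if current in direct and group not in found:
                found.add(group)
                stack.append(group)
    return found


def expected_roles(user, role_map=ROLE_MAP, members=MEMBERS):
    """Roles a user should get when nested groups are honoured."""
    groups = groups_of(user, members)
    return {role for role, group in role_map.items() if group in groups}


def missing_roles(users, observed=OBSERVED):
    """Map each user to the roles that are expected but not observed."""
    gaps = {}
    for user in users:
        gap = expected_roles(user) - observed.get(user, set())
        if gap:
            gaps[user] = gap
    return gaps


if __name__ == "__main__":
    for user in ("joe", "mike"):
        print(user, "expected roles:", sorted(expected_roles(user)))
    print("missing in Splunk:", missing_roles(["joe", "mike"]))
```
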