I have recently configured Splunk to use LDAP authentication. The configuration is pretty straightforward: I can see the AD group and the AD group members from Splunk and map the group to a Splunk role, but somehow it fails to authenticate.
The only errors I can find in the splunkd log are below. Question 1: If it is working fine, I only need to enter the username "_splunk" without the domain prefix and postfix, right?
09-013-2016 17:09:52.454 +0800 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="_splunk" on any configured servers
09-013-2016 17:13:18.432 +0800 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="test_splunk" on any configured servers
09-013-2016 17:15:11.330 +0800 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="_splunk@test.com" on any configured servers
My authentication.conf:
[authentication]
authSettings = testldap
authType = LDAP
[testldap]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=_splunk,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
bindDNpassword = $1$56ExJUjhTyFZzzzxZC
charset = utf8
emailAttribute = mail
groupBaseDN = CN=TEST-SPL-ADMIN,OU=Server Group,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc.test.com
nestedGroups = 1
network_timeout = 20
port = 636
realNameAttribute = cn
sizelimit = 3000
timelimit = 15
userBaseDN = CN=TEST-SPL-ADMIN,OU=Server Group,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
userNameAttribute = samaccountname
[roleMap_testldap]
admin = TEST-SPL-ADMIN
Note:
- I have tried to disable SSL and use port 389 for binding, but it did not help.
- I have tried to use the domain admin account "_testadmin" as bindDN, but it did not help.
- I have used a newly created domain account "_splunk" with read-only permission to the AD group "TEST-SPL-ADMIN" and added this account to the Windows authorization access group on the specific domain controller, but it did not help.
- In the quick testing, I have the domain admin account "_testadmin" added as a group member of the AD group "TEST-SPL-ADMIN", which I would like to use for authentication. The same goes for the other account I used to test binding, "_splunk"; it is also a member of the AD group "TEST-SPL-ADMIN". The bindDNs I tried are "CN=_splunk,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com" and "CN=_testadmin,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com".
Any solution or hint to troubleshoot it will be much appreciated. Thanks in advance.
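A troubleshooting check for the "could not find a valid user" error, added here as an example and not part of the original post: an LDAP subtree search only returns entries at or below its base, so this script tests whether a user's DN sits under each `userBaseDN` in the stanza. It assumes the login account's DN is the `bindDN` shown in the post; the function names are hypothetical.

```python
import configparser

# Values copied from the post's authentication.conf (password omitted).
SAMPLE_CONF = """
[testldap]
bindDN = CN=_splunk,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
userBaseDN = CN=TEST-SPL-ADMIN,OU=Server Group,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
userNameAttribute = samaccountname
"""

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honoring backslash-escaped commas."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    out = []
    for rdn in rdns:
        key, _, val = rdn.partition("=")
        out.append(key.strip().lower() + "=" + val.strip().lower())
    return out

def is_under(entry_dn, base_dn):
    """True if entry_dn is the base itself or lies beneath it in the tree."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

def check_stanza(conf_text, stanza, user_dn):
    """Map each ';'-separated userBaseDN to whether user_dn is searchable there."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's mixed-case key names
    cp.read_string(conf_text)
    bases = [b.strip() for b in cp[stanza]["userBaseDN"].split(";") if b.strip()]
    return {b: is_under(user_dn, b) for b in bases}

if __name__ == "__main__":
    user = "CN=_splunk,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com"
    for base, ok in check_stanza(SAMPLE_CONF, "testldap", user).items():
        print(("OK      " if ok else "OUTSIDE ") + base)
```

With the posted values the account is reported as outside the configured `userBaseDN`, which points at the group object rather than a container that holds user entries.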