topic Re: Roles from LDAP (nested groups) in Security

Roles from LDAP (nested groups)

terago — Wed, 22 Jun 2011 20:47:15 GMT

When will Splunk support nested group membership from LDAP/Active Directory?

It's a real pain having to add users to the SPLUNK groups, vs using role based groups that are then inherited access via group memberships.

This is one of the huge benefits to having an LDAP backend.

Re: Roles from LDAP (nested groups)

jbsplunk — Thu, 23 Jun 2011 20:27:46 GMT

At this point, AFAIK, this is not an enhancement that is scheduled.

Re: Roles from LDAP (nested groups)

Glenn — Tue, 11 Oct 2011 12:57:43 GMT

Splunk is pretty bad in this area, I have had an enhancement request (45531) in for this functionality since Jul 8, 2010 7:08 AM (yes that's about 16 months) and it is still not scheduled to be included.

It wastes a couple of hours of time for a few people in my organisation each week, due to them having to assign individual members (new starters) to the groups, rather than them automatically being included for appropriate access via their team's role group. Over the course of the last 2 years this probably adds up to quite a large operating cost!

Please include this enhancement soon. How can we get its priority raised?

Re: Roles from LDAP (nested groups)

ithangasamy_spl — Tue, 11 Oct 2011 17:59:23 GMT

LDAP nested group support is going to be available in the next release of Splunk, which is currently in beta testing, you can request a copy for evaluation from PMs

Re: Roles from LDAP (nested groups)

Glenn — Tue, 11 Oct 2011 20:20:04 GMT

Sweet, thanks for the update.

Re: Roles from LDAP (nested groups)

Simon — Fri, 11 Nov 2011 08:36:34 GMT

As a workaround, you can set up an Apache and a crowd daemon, which provides the feature to deliver nested groups as flat ones (http://www.atlassian.com/software/crowd/overview). There is an Apache authentication module for crowd (http://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+Apache) too. Using Splunk's SSO feature and these components above, you'll be able to use nested groups.
HTH.

Re: Roles from LDAP (nested groups)

darkavich — Thu, 12 Jan 2012 19:19:37 GMT

I just installed 4.3 today and it doesn't appear to be fixed. The only change I can tell is it now filters out the nested group name.

Re: Roles from LDAP (nested groups)

ithangasamy_spl — Thu, 09 Feb 2012 04:46:23 GMT

Can you please elaborate on your problem? OOTB, the nested group support is disabled in the LDAP strategy page, did you check the box labeled "Nested groups" ? If still not working send me a note.