topic Re: Account lockout when using LDAP authentication for users? in Security

Account lockout when using LDAP authentication for users?

chris_barrett — Wed, 02 Sep 2020 07:58:21 GMT

We have our authentication tied to AD using the LDAP strategy. Password complexity and lifetime is, as a result, handled by the requirements set by the AD Group Policy. But what about failed login attempts? If a user manages to type in their password incorrectly multiple times (or worse, someone tries to incorrectly guess a user's password multiple times), will it cause their account to become locked within Splunk (and possibly within the underlying OS too?)

Re: Account lockout when using LDAP authentication for users?

richgalloway — Wed, 02 Sep 2020 12:38:17 GMT

If someone is locked out of their LDAP account then they are also locked out of Splunk. However, Splunk is unaware of that. I merely asks the LDAP server if the user is authenticated and if the server responds with "no" then they are not allowed in.

The 'admin' user still has access to Splunk, however, since it is a local account.

If your OS also uses LDAP then the same applies there as well.

Re: Account lockout when using LDAP authentication for users?

chris_barrett — Sat, 05 Sep 2020 07:45:31 GMT

But what if the user (or someone else) types in the user's id and then fails to enter the correct password multiple times. Will the account become locked out?

The specific situation here is that the authentication is tied to the client's AD. If the wrong password is typed in for a user on the Splunk login page multiple (let's say 10 times), will the account become locked either within Splunk, or within AD, or both, or neither?

Re: Account lockout when using LDAP authentication for users?

isoutamo — Sat, 05 Sep 2020 08:01:19 GMT

Easiest way to check how it is configured on your environment is asking from your ad admins and/or just test it. I think that it depends how it is configured.
r. Ismo