topic Re: AD Impossible Authentication even if groups are retrieved in Security

AD Impossible Authentication even if groups are retrieved

rxlsplunk — Tue, 29 Sep 2020 17:32:51 GMT

We are trying to add LDAP accounts in our Splunk Enterprise 7.0.1
We can see that Splunk is retrieving the groups and the users of the groups (in Map Groups) but even after adding all the roles, it is impossible to login with an AD user.

The users don't appear in the Users menu.

Here is our configuration :

[authentication]
authSettings = TEST
authType = LDAP

[roleMap_TEST]
admin = ADMIN_AD
can_delete = ADMIN_AD
power = ADMIN_AD
splunk-system-role = ADMIN_AD
test_syslog = ADMIN_AD
user = ADMIN_AD
windows-admin = ADMIN_AD
winfra-admin = ADMIN_AD

[TEST]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = account
bindDNpassword = pass
charset = utf8
emailAttribute = mail
groupBaseDN = OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX
groupMappingAttribute = distinguishedname
groupMemberAttribute = member
groupNameAttribute = cn
host = hostname
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 20000
timelimit = 15
userBaseDN = OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX
userNameAttribute = samaccountname

Here are the relevant logs that we found in splunkd.log (we've already tried to increase the size limit):

01-11-2018 11:17:10.503 +0100 WARN ScopedLDAPConnection - strategy="TEST" LDAP Server returned warning in search for DN="OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX". reason="Size limit exceeded"
01-11-2018 11:17:10.505 +0100 WARN ScopedLDAPConnection - strategy="TEST" LDAP Server returned warning in search for DN="OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX". reason="Size limit exceeded"
01-11-2018 11:17:38.736 +0100 INFO AuthenticationManagerLDAP - Could not find user="adminuser" with strategy="TEST"
01-11-2018 11:17:38.736 +0100 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="adminuser" on any configured servers
01-11-2018 11:17:38.736 +0100 ERROR UiAuth - user=adminuser action=login status=failure reason=user-initiated useragent="xx" clientip=XX.XX.XX.XX

Thank you

Re: AD Impossible Authentication even if groups are retrieved

nickhills — Thu, 11 Jan 2018 13:23:31 GMT

Clearly you groupbaseDN is correct, as you can map groups, but you should also confirm that your userBaseDN would include the relevant user accounts.

In a complex AD structure this is easy to overlook.

The second issue is the report that the LDAP server is hitting the 1000 result limit.
This is not the limit in Splunk (which you can also set) but a Domain Controller limitation.

If you directory has more than 1000 users, its possible that your users are not in the first 1000 results returned by the DC, and thus never get 'found'

There are two options available to you:
1.) Adjust the AD limit of 1000 results - but be aware this can impact your AD for very large queries:
https://blogs.technet.microsoft.com/qzaidi/2010/09/01/override-the-hardcoded-ldap-query-limits-introduced-in-windows-server-2008-and-windows-server-2008-r2/
2.) Narrow your userBaseDN to limit the number of users < 1000

Re: AD Impossible Authentication even if groups are retrieved

rxlsplunk — Thu, 11 Jan 2018 15:34:12 GMT

We are sure that our userBaseDN includes the relevant user account.

In the selected OU we don't have more that 1000 objects so I'm not sure to understand why we exceed the limit.

Thanks anyway

Re: AD Impossible Authentication even if groups are retrieved

nickhills — Thu, 11 Jan 2018 16:51:06 GMT

I just took another look at your config.

You have groupMappingAttribute = distinguishedname
Try : groupMappingAttribute = dn

Re: AD Impossible Authentication even if groups are retrieved

rxlsplunk — Fri, 12 Jan 2018 08:14:46 GMT

Thanks, I've tried it, it still doesn't work.

Re: AD Impossible Authentication even if groups are retrieved

nickhills — Tue, 29 Sep 2020 17:33:59 GMT

Here is my working config - there are a few differences, but that may be due to your redaction etc.

[my_scheme]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = CN=Splunk User,OU=Splunk,OU=SomeOU,OU=SomeOU,DC=domain,DC=com
bindDNpassword = $1$someencryptedPassword=
charset = utf8
emailAttribute = mail
groupBaseDN = DC=domain,DC=com
groupBaseFilter = (CN=splunk_*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc.domain.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=my_users,DC=domain,DC=com
userNameAttribute = samaccountname