topic Re: LDAP on AD not returning all groups - even with filtering in Security

LDAP on AD not returning all groups - even with filtering

FunPolice — Mon, 14 Feb 2011 10:28:54 GMT

I have successfully configured LDAP authentication, however while doing so I noticed that the "LDAP Groups" page wasn't displaying every group in the OU. I managed to get all of the groups that I needed at the time by filtering the groups more specifically with groupBaseFilter = (&(objectCategory=group)(name=IS Splunk*)).

Now I have added a new group to AD ("IS Splunk Users - Energy Tracking") and want to add it to Splunk, but Splunk does not list it. When I remove the "(name=IS Splunk*)" filter I get lots of groups, but none of the "IS Splunk" groups. When sorted by LDAP Group Name there is an "IS Server" and an "IS WTS" group, but nothing in between.

How do I get Splunk to "see" new groups? It has been three days since the group was created, so it has replicated to all DCs now. I am running 4.1.6 build 89596, and the current Authentication.conf contains:

[authentication]
authSettings = MyDomain.com
authType = LDAP

[MyDomain.com]
SSLEnabled = 0
bindDN = SplunkServiceAccount
bindDNpassword = password
charset = utf8
groupBaseDN = OU=Enterprise,DC=MyDomain,DC=com
groupBaseFilter = (&(objectCategory=group)(name=IS Splunk*))
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = MyDC.MyDomain.com
port = 389
realNameAttribute = displayname
userBaseDN = DC=MyDomain,DC=com
userBaseFilter = (objectclass=user)
userNameAttribute = samaccountname

[roleMap]
admin = IS Splunk Administrators
can_delete = IS Splunk Administrators
firewall nerd = IS Splunk Administrators;IS Splunk Users - Firewalls
infrastructure nerd = IS Splunk Administrators;IS Splunk Users - Infrastructure
power = IS Splunk Administrators
unix nerd = IS Splunk Administrators;IS Splunk Users - Unix
user = IS Splunk Administrators
voice nerd = IS Splunk Administrators;IS Splunk Users - Mobiles

Re: LDAP on AD not returning all groups - even with filtering

LCM — Mon, 14 Feb 2011 10:56:15 GMT

Restart Splunk, is maybe a cache issue!?

Re: LDAP on AD not returning all groups - even with filtering

gkanapathy — Tue, 15 Feb 2011 05:37:07 GMT

Groups will only show up in the interface if they also contain users who meet the user filters. Are the groups empty, or do they not contain users from the indicated domain and filter?

Re: LDAP on AD not returning all groups - even with filtering

FunPolice — Mon, 21 Feb 2011 10:52:02 GMT

That's the trick - the group had no members yet. I hadn't expected that to break it. Thanks.

Re: LDAP on AD not returning all groups - even with filtering

dagryph — Wed, 18 Apr 2012 22:51:07 GMT

Hmm. I'm seeing the same issue where only 27 out of 29 security groups are showing up. Restart didn't help, resetting up the ldap config didn't change anything. This is happening on both 4.2 and 4.3.1.

Re: LDAP on AD not returning all groups - even with filtering

ruiaires — Tue, 29 May 2012 13:57:02 GMT

I'm having the same problem... LDAP shows 197 groups but there are more... All groups have users and they match the existing filters... This happens in 4.3.2

Re: LDAP on AD not returning all groups - even with filtering

eegilbert — Fri, 21 Dec 2012 20:36:33 GMT

I'm on 5.x and this was true for me too. My AD guy says this is a feature of Windows AD. /Upvoted

Re: LDAP on AD not returning all groups - even with filtering

gurlest — Tue, 05 Mar 2019 23:45:16 GMT

We were having a similar situation in our environment and the issue ended up being that the group in question lived in an Active Directory branch outside the defined groupBaseDN value. Once we added that branch to the groupBaseDN filter, access worked like a champ.

Original Value:

groupBaseDN = OU=Server_Groups,DC=Enterprise,DC=MyDomain,DC=com

Updated Value:

groupBaseDN = OU=Server_Groups,DC=Enterprise,DC=MyDomain,DC=com;OU=Access_Groups,DC=Enterprise,DC=MyDomain,DC=com