topic Re: LDAP authentication in Splunk is not working in Security

LDAP authentication in Splunk is not working

jasonsun — Tue, 29 Sep 2020 11:00:27 GMT

I have recently configured splunk to use ldap authentication. The configuration is pretty straight forward, I can see the AD group and the AD group member from splunk and map it with splunk role but somehow it failed to authentication.

The only errors I can find in the splunkd log are as below. Question 1: If it is working fine, I need to put only username "_splunk" without the domain prefix and postfix right?
09-013-2016 17:09:52.454 +0800 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="_splunk" on any configured servers
09-013-2016 17:13:18.432 +0800 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="test_splunk" on any configured servers
09-013-2016 17:15:11.330 +0800 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="_splunk@test.com" on any configured servers

My authentication.conf:
[authentication]
authSettings = testldap
authType = LDAP

[testldap]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=_splunk,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
bindDNpassword = $1$56ExJUjhTyFZzzzxZC
charset = utf8
emailAttribute = mail
groupBaseDN = CN=TEST-SPL-ADMIN,OU=Server Group,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc.test.com
nestedGroups = 1
network_timeout = 20
port = 636
realNameAttribute = cn
sizelimit = 3000
timelimit = 15
userBaseDN = CN=TEST-SPL-ADMIN,OU=Server Group,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
userNameAttribute = samaccountname

[roleMap_testldap]
admin = TEST-SPL-ADMIN

Note:
-I have tried to disable SSL and use port 389 for binding but no help.

have tried to use domain admin account "_testadmin" as bindDN but not help.

have used a newly created domain account "_splunk" with read only permission to the AD group "TEST-SPL-ADMIN", add this account to windows authorization access group in the specify domain controller but no help.

-In the quick testing, I have domain admin account "_testadmin" added as group member of the AD group "TEST-SPL-ADMIN" which I would like to use for authentication. This same with another account I used to test binding "_splunk", it is a member of the AD group "TEST-SPL-ADMIN" aslo. My bindDN I tried are "CN=_splunk,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com" and "CN=_testadmin,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com"

Any solution or hint to troubleshoot it will be much appreciated. Thanks in advance.

Re: LDAP authentication in Splunk is not working

sk314 — Tue, 13 Sep 2016 21:21:13 GMT

Have you tried running the command ./splunk reload auth on your search heads and logging in again. Sometimes changes to AD take time to propagate. You might try after a while to see if it works. In any case, try reloading the auth before you try.

Re: LDAP authentication in Splunk is not working

jasonsun — Wed, 14 Sep 2016 03:11:07 GMT

Hi sk314, I have clicked "Reload authentication configuration" button from the Splunk web UI but the problem was still the same. The reload button actually do the same thing as running ./splunk reload auth command right?

Re: LDAP authentication in Splunk is not working

Richfez — Sat, 17 Sep 2016 14:13:22 GMT

Just a thought; there's a few hints on the interwebs of random things having issues with underscores. Could you try using all CNs, OUs and names without leading underscores to see what happens?

Re: LDAP authentication in Splunk is not working

jasonsun — Wed, 12 Oct 2016 09:09:24 GMT

Tested but this is not the cause. Thanks.

Re: LDAP authentication in Splunk is not working

jasonsun — Wed, 12 Oct 2016 09:16:07 GMT

Finally solved. The problem was due to userBaseDN value.
It should not be same as the value I set for groupBaseDN. Instead, it should be DN where AD user is first created, e.g OU=Users,OU=xx,OU=xx - xxxx,OU=xx - Users Computers Groups,OU=Organization Unit,DC=test,DC=com

Re: LDAP authentication in Splunk is not working

nilaysh — Wed, 21 Jul 2021 23:58:33 GMT

I had a service account that was failing authentication. We fixed the account OU and it still did not authenticate. Refreshing authentication configuration helped in refreshing the cache. Thank you very much!

Re: LDAP authentication in Splunk is not working

ShreeJ — Mon, 02 Aug 2021 16:12:25 GMT

Thankyou much..

It helped greatly. Past 3 days I was struggling without proper solution.

This simple answer helped me.
To add DN where AD user is first created.. ✅