https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72276#M2374 <P>Hi,</P> <P>I am trying to configure an Splunk's authentication by LDAP.</P> <P>I have already registered LDAP server and mapped group and role in my Splunk 4.3.2.</P> <P>It seems Splunk and LDAP server communicates. However, when I tried to login with a user registered in LDAP, the login failed.</P> <P>I would like to troubleshoot this, but there is not much information about the log file to take a look at for the LDAP authentication troubleshooting regarding Splunk/LDAP Login.</P> <P>Could anyone point me to the log file or information under SPLUNK_HOME?</P> <P>Thanks,</P> Mon, 11 Jun 2012 13:35:51 GMT melonman 2012-06-11T13:35:51Z https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72276#M2374 <P>Hi,</P> <P>I am trying to configure an Splunk's authentication by LDAP.</P> <P>I have already registered LDAP server and mapped group and role in my Splunk 4.3.2.</P> <P>It seems Splunk and LDAP server communicates. However, when I tried to login with a user registered in LDAP, the login failed.</P> <P>I would like to troubleshoot this, but there is not much information about the log file to take a look at for the LDAP authentication troubleshooting regarding Splunk/LDAP Login.</P> <P>Could anyone point me to the log file or information under SPLUNK_HOME?</P> <P>Thanks,</P> Mon, 11 Jun 2012 13:35:51 GMT https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72276#M2374 melonman 2012-06-11T13:35:51Z https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72277#M2375 <P>hi melonman, </P> <P>as always a good starting point is splunkd.log, check for any authentication errors. Remove any custom values you've added for userBaseFilter and groupBaseFilter. Use ldapsearch to manually test that the variables you are specifying will return the expected entries:</P> <PRE><CODE>ldapsearch -x –h &lt;ldap_host&gt; –p &lt;ldap_port&gt; –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*" </CODE></PRE> <P>cheers,</P> <P>MuS</P> Mon, 11 Jun 2012 13:42:02 GMT https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72277#M2375 MuS 2012-06-11T13:42:02Z https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72278#M2376 <P>Thanks, MuS!</P> Mon, 18 Jun 2012 10:20:51 GMT https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72278#M2376 melonman 2012-06-18T10:20:51Z https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72279#M2377 <H1>This post will only help Windows/splunk/AD/LDAP people.</H1> <P>I am posting this with the hope it will save someone the pain I just went through.<BR /> first of all some of the examples work, some do not.<BR /> if the bind works splunkd will not have and error. If it does not, splunkd.log will have errors. bind username as to be domain username for domain that has LDAP/AD connection.<BR /> use ADEDIT to get LDAP info.</P> <P>first thing that is NOT mentioned anywhere that I was able to find in splunk answers<BR /> the bind username has to be added to the builtin Windows Authorization Access Group<BR /> This has to be done to allow splunk to validate user login.<BR /> So even after I got the conf file correct and could see groups, etc. I could not get the login to work...talk about days of screaming frustration.</P> <P>Second big discovery, is if one of your domain admins loves to organize, splunk (or LDAP) does not deal will with nested OUs. So if users are deep within nested OUs, you will have to do as I did. Give path (i.e. distinguisedName) for every "group/OU".<BR /> hope this helps someone even a little.</P> <P>at the bottom is a working authentication.conf file...with what should be obvious removal of company, domain information.</P> <H4>Basic LDAP configuration</H4> <P>[domaincontroller]<BR /> SSLEnabled = 0<BR /> anonymous_referrals = 1<BR /> bindDN = CN=splunkbind, CN=Users, DC=companynamesystems, DC=com<BR /> bindDNpassword = $1$mPYcaZ61L2FkKdex83/gjH0mnz9uwVDC40B4mSM=<BR /> charset = utf8<BR /> userBaseFilter = (objectclass=*)<BR /> groupBaseDN = CN=Users, DC=companynamesystems,DC=com<BR /> groupMappingAttribute = dn<BR /> groupMemberAttribute = member<BR /> groupNameAttribute = cn<BR /> host = domaincontroller.companynamesystems.com<BR /> nestedGroups = 1<BR /> comwork_timeout = 20<BR /> port = 389<BR /> realNameAttribute = cn<BR /> sizelimit = 1000<BR /> timelimit = 15<BR /> userBaseDN = CN=Users, DC=companynamesystems, DC=com<BR /> userNameAttribute = samaccountname</P> <P>[authentication]<BR /> authSettings = domaincontroller,domainname<BR /> authType = LDAP</P> <P>[domainname]<BR /> SSLEnabled = 0<BR /> anonymous_referrals = 0<BR /> bindDN = splunkbind<BR /> bindDNpassword = $1$mPYcaZ61L2FkKdex83/gjH0mnz9uwVDC40B4mSM=<BR /> charset = utf8<BR /> groupBaseDN = CN=splunk,DC=companyname,DC=com;<BR /> groupMappingAttribute = dn<BR /> groupMemberAttribute = member<BR /> groupNameAttribute = cn<BR /> host = domainnamedc02.companyname.com<BR /> nestedGroups = 1<BR /> comwork_timeout = 20<BR /> port = 389<BR /> realNameAttribute = cn<BR /> sizelimit = 1000<BR /> timelimit = 15<BR /> userBaseDN = OU=Sustained Engineering,OU=Corp,DC=companyname,DC=com;OU=Analytics,OU=Corp,DC=companyname,DC=com;OU=Customer Service,OU=Corp,DC=companyname,DC=com;OU=IT Staff,OU=Hyderabad,OU=Corp,DC=companyname,DC=com;OU=Management,OU=Corp,DC=companyname,DC=com;OU=Product Development,OU=Corp,DC=companyname,DC=com;OU=GlobalLogic,OU=Corp,DC=companyname,DC=com;OU=QA,OU=Corp,DC=companyname,DC=com;<BR /> userNameAttribute = samaccountname</P> <P>[roleMap_domainname]<BR /> admin = SplunkAdmin<BR /> user = SplunkUsers</P> <P>[roleMap_domaincontroller]</P> Mon, 28 Sep 2020 17:32:40 GMT https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72279#M2377 kfleming 2020-09-28T17:32:40Z https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72280#M2378 <P>I am so deeply grateful for this post - I think you just solved my problem.</P> Thu, 09 Mar 2017 20:56:30 GMT https://community.splunk.com/t5/Security/LDAP-authentication-troubleshooting-information/m-p/72280#M2378 robgarner 2017-03-09T20:56:30Z