https://community.splunk.com/t5/Security/LDAP-User-Base-Filter/m-p/73335#M2424 <P>LDAP filters don't work on OU membership, but on attributes of the entries in the directory. There's some good docs on how they work at <A href="http://www.centos.org/docs/5/html/CDS/ag/8.0/Finding_Directory_Entries-LDAP_Search_Filters.html">http://www.centos.org/docs/5/html/CDS/ag/8.0/Finding_Directory_Entries-LDAP_Search_Filters.html</A> . </P> <P>If you can associate an attribute with all of your 'inactive' users, then you can filter on it. For example, you can extend your schema with a new objectclass of "inactiveAccount" and then do a search filter on:</P> <PRE><CODE>(!(objectclass=inactiveAccount)) </CODE></PRE> <P>The suckage here is that you have to update all of those accounts and assign that objectclass to them. </P> <P>Or, if this is active directory (or another directory that assigns pseudo-attributes based on group membership), then you could create an 'inactiveAccounts' group and put everyone in it, then filter by:</P> <PRE><CODE>(!(memberOf=inactiveAccounts)) </CODE></PRE> <P>Neither of these approaches really provides a lot of winnage though, because you have to do something to every account that gets put into inactive. Perhaps move your "ou=inactive" out to be a peer of "ou=people" instead of a child of it?</P> Wed, 13 Jun 2012 18:29:50 GMT dwaddle 2012-06-13T18:29:50Z https://community.splunk.com/t5/Security/LDAP-User-Base-Filter/m-p/73334#M2423 <P>I noticed these errors in my splunkd log:</P> <P>06-12-2012 16:54:49.652 +0000 ERROR UserManagerPro - Failed to get LDAP user="Yoda" from any configured servers<BR /> 06-12-2012 16:54:49.680 +0000 ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="Yoda". Search filter="(uniquemember=uid=Yoda,ou=inactive,ou=people,dc=mydomain,dc=com)" strategy="LDAPAuth"</P> <P>These errors are for multiple users that have since departed. I believe the issue is the following:</P> <P>Our User Base DN is setup as follows for Splunk Authentication:</P> <PRE><CODE> ou=people,dc=mydomain,dc=com; </CODE></PRE> <P>However in LDAP under ou=people we also have another ou called "ou=inactive". This ou contains users who have since departed. </P> <P>I'd like to tell splunk to not even look in ou=inactive. I noticed there is User Base Filtering. My question is, if I put in "ou=inactive" would it filter this out? From the description of what this does, it sounds like the opposite.</P> <PRE><CODE>Enter the User base filter for the object class you want to filter your users on. This is recommended to return only applicable users. For example: (department=IT). Default value is empty, meaning no user entry filtering. </CODE></PRE> <P>How can you filter out an ou that is in another ou for ldap authentication?</P> Tue, 12 Jun 2012 18:54:09 GMT https://community.splunk.com/t5/Security/LDAP-User-Base-Filter/m-p/73334#M2423 gnovak 2012-06-12T18:54:09Z https://community.splunk.com/t5/Security/LDAP-User-Base-Filter/m-p/73335#M2424 <P>LDAP filters don't work on OU membership, but on attributes of the entries in the directory. There's some good docs on how they work at <A href="http://www.centos.org/docs/5/html/CDS/ag/8.0/Finding_Directory_Entries-LDAP_Search_Filters.html">http://www.centos.org/docs/5/html/CDS/ag/8.0/Finding_Directory_Entries-LDAP_Search_Filters.html</A> . </P> <P>If you can associate an attribute with all of your 'inactive' users, then you can filter on it. For example, you can extend your schema with a new objectclass of "inactiveAccount" and then do a search filter on:</P> <PRE><CODE>(!(objectclass=inactiveAccount)) </CODE></PRE> <P>The suckage here is that you have to update all of those accounts and assign that objectclass to them. </P> <P>Or, if this is active directory (or another directory that assigns pseudo-attributes based on group membership), then you could create an 'inactiveAccounts' group and put everyone in it, then filter by:</P> <PRE><CODE>(!(memberOf=inactiveAccounts)) </CODE></PRE> <P>Neither of these approaches really provides a lot of winnage though, because you have to do something to every account that gets put into inactive. Perhaps move your "ou=inactive" out to be a peer of "ou=people" instead of a child of it?</P> Wed, 13 Jun 2012 18:29:50 GMT https://community.splunk.com/t5/Security/LDAP-User-Base-Filter/m-p/73335#M2424 dwaddle 2012-06-13T18:29:50Z