https://community.splunk.com/t5/Security/Specifying-multiple-LDAP-static-group-filters/m-p/73465#M2427 <P>LDAP "Group base DN"</P> <PRE><CODE>OU=Corporate,OU=Groups,DC=OUR,DC=COMPANY,DC=COM </CODE></PRE> <P>"Static group search filter"</P> <PRE><CODE>(|(CN=Splunk*)(CN=UNIX*)(CN=WINTEL*)) </CODE></PRE> <P>This pulls all the groups starting with Splunk, UNIX and WINTEL.</P> <P>You could also do something with wildcards.</P> <PRE><CODE>(|(CN=Splunk*)(CN=*UNIX*)(CN=*WINTEL*)) </CODE></PRE> <P>This pulls all the groups starting with Splunk, and contains UNIX or WINTEL.</P> Mon, 23 Sep 2013 18:36:01 GMT dfronck 2013-09-23T18:36:01Z https://community.splunk.com/t5/Security/Specifying-multiple-LDAP-static-group-filters/m-p/73463#M2425 <P>Is there a way to specify multiple group search filters for multiple groups? Currently we have this (sAMAccountName = ISD TSS Management) but is there a way to specify additional groups in this filter?</P> Mon, 25 Mar 2013 17:04:41 GMT https://community.splunk.com/t5/Security/Specifying-multiple-LDAP-static-group-filters/m-p/73463#M2425 aaronkorn 2013-03-25T17:04:41Z https://community.splunk.com/t5/Security/Specifying-multiple-LDAP-static-group-filters/m-p/73464#M2426 <P>We specify multiple AD groups in "Group base DN" field under "Group settings" as 'cn=admingrp,ou=...;cn=usergrp,ou=...'. We do not use "Static group search filter.</P> <P>The groups are then mapped to each local Splunk role for access control.</P> <P>The "User base filter" is defined as follow:</P> <P>(&amp;(objectCategory=Person)(sAMAccountName=*))</P> Mon, 25 Mar 2013 17:44:42 GMT https://community.splunk.com/t5/Security/Specifying-multiple-LDAP-static-group-filters/m-p/73464#M2426 yungm 2013-03-25T17:44:42Z https://community.splunk.com/t5/Security/Specifying-multiple-LDAP-static-group-filters/m-p/73465#M2427 <P>LDAP "Group base DN"</P> <PRE><CODE>OU=Corporate,OU=Groups,DC=OUR,DC=COMPANY,DC=COM </CODE></PRE> <P>"Static group search filter"</P> <PRE><CODE>(|(CN=Splunk*)(CN=UNIX*)(CN=WINTEL*)) </CODE></PRE> <P>This pulls all the groups starting with Splunk, UNIX and WINTEL.</P> <P>You could also do something with wildcards.</P> <PRE><CODE>(|(CN=Splunk*)(CN=*UNIX*)(CN=*WINTEL*)) </CODE></PRE> <P>This pulls all the groups starting with Splunk, and contains UNIX or WINTEL.</P> Mon, 23 Sep 2013 18:36:01 GMT https://community.splunk.com/t5/Security/Specifying-multiple-LDAP-static-group-filters/m-p/73465#M2427 dfronck 2013-09-23T18:36:01Z https://community.splunk.com/t5/Security/Specifying-multiple-LDAP-static-group-filters/m-p/73466#M2428 <P><CODE>(CN=Splunk*)</CODE><BR /> This syntax worked fine for us to only display groups for mapping that begin with "Splunk"; but, the <STRONG>BIG</STRONG> difference is the <STRONG>groups have to be populated with users</STRONG> or Splunk produces a cryptic error stating that it can't find any groups with the search criteria. The better error would be that I can't find any groups WITH USERS IN IT with the search criteria. Limiting the DN of the group produces the same error if the group is empty.</P> <P>It seems like a Splunk proces logic flaw. On every system for 25years the process is: Create Groups &gt; Map Roles &gt; Populate groups with users and test.<BR /> ,<CODE>(CN=Splunk*)</CODE><BR /> This syntax worked fine for us to only display groups for mapping that begin with "Splunk"; but, the <STRONG>BIG</STRONG> difference is the <STRONG>groups have to be populated with users</STRONG> or Splunk produces a cryptic error stating that it can't find any groups with the search criteria. The better error would be that I can't find any groups WITH USERS IN IT with the search criteria. Limiting the DN of the group produces the same error if the group is empty.</P> <P>It seems like a Splunk proces logic flaw. On every system for 25years the process is: Create Groups &gt; Map Roles &gt; Populate groups with users and test.</P> Wed, 25 Jan 2017 16:14:53 GMT https://community.splunk.com/t5/Security/Specifying-multiple-LDAP-static-group-filters/m-p/73466#M2428 3johnson 2017-01-25T16:14:53Z