https://community.splunk.com/t5/Security/Active-Directory-nested-groups/m-p/82963#M2745 <P>Glad to hear it worked out!</P> Mon, 08 Oct 2012 14:54:57 GMT dart 2012-10-08T14:54:57Z https://community.splunk.com/t5/Security/Active-Directory-nested-groups/m-p/82960#M2742 <P>Hi,</P> <P>I understand that Splunk 4.3.3 should support nested groups in Active Directory, according to <A href="http://blogs.splunk.com/2012/02/23/splunk-and-nested-groups-for-authorization/">this document</A>. However, I'm unable to get it working. I have set <CODE>nestedGroups=1</CODE>. I've also set <CODE>groupMemberAttribute=member</CODE>, (and tried without it as well), but it still won't work.</P> <P>Currently, I'm only testing this with one nested group.</P> <P><CODE>CN=it-infrastructure,OU=SPLUNK,OU=Application Groups,OU=Groups,DC=company,DC=domain,DC=tld</CODE> </P> <P>which has a member:</P> <P><CODE>CN=infrastructure-internal,OU=Organisational Groups,OU=Managed Groups,OU=Groups,DC=company,DC=domain,DC=tld</CODE></P> <PRE><CODE># authentication.conf: [AD] SSLEnabled = 0 anonymous_referrals = 1 bindDN = cn=svc-splunk-01,ou=Splunk,ou=Service Accounts,ou=Other Accounts,dc=company,dc=domain,dc=tld bindDNpassword = snafu charset = utf8 dynamicMemberAttribute = member groupBaseDN = ou=SPLUNK,ou=Application Groups,ou=Groups,dc=company,dc=domain,dc=tld groupBaseFilter = (objectclass=*) groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = ldap.company.domain.tld nestedGroups = 1 network_timeout = 20 port = 389 realNameAttribute = cn sizelimit = 1000 timelimit = 15 userBaseDN = ou=Departments,dc=company,dc=domain,dc=tld userBaseFilter = (objectclass=*) userNameAttribute = samaccountname </CODE></PRE> <P>Now looking at the configuration, I'm wondering if the problem may be the <CODE>groupBaseDN</CODE> setting. This matches the parent group, but not the nested group. Is this the problem? If I widen it to just <CODE>ou=Groups,dc=...</CODE>, I get 1000+ groups, which is quite a lot, but I'm not sure if it's a problem. So, does the nested group also have to match the groupBaseDN?</P> Mon, 08 Oct 2012 08:30:44 GMT https://community.splunk.com/t5/Security/Active-Directory-nested-groups/m-p/82960#M2742 echalex 2012-10-08T08:30:44Z https://community.splunk.com/t5/Security/Active-Directory-nested-groups/m-p/82961#M2743 <P>Widen the <CODE>groupBaseDN</CODE> - it shouldn't be a problem. If you're worried, add to the <CODE>groupBaseFilter</CODE> to just look at those in the right OUs.</P> Mon, 08 Oct 2012 13:59:40 GMT https://community.splunk.com/t5/Security/Active-Directory-nested-groups/m-p/82961#M2743 dart 2012-10-08T13:59:40Z https://community.splunk.com/t5/Security/Active-Directory-nested-groups/m-p/82962#M2744 <P>Thanks!<BR /> Yes, I was worried about the amount of groups listed and I tried out several combinations of values for <CODE>groupBaseFilter</CODE> and <CODE>dynamicGroupFilter</CODE>. Either I couldn't get it to authenticate or the list of groups.</P> <P>Thanks to your suggestion, I set both to the same value and it does work. Authentication works and the list is nice and small, so thank you very much!</P> Mon, 08 Oct 2012 14:43:07 GMT https://community.splunk.com/t5/Security/Active-Directory-nested-groups/m-p/82962#M2744 echalex 2012-10-08T14:43:07Z https://community.splunk.com/t5/Security/Active-Directory-nested-groups/m-p/82963#M2745 <P>Glad to hear it worked out!</P> Mon, 08 Oct 2012 14:54:57 GMT https://community.splunk.com/t5/Security/Active-Directory-nested-groups/m-p/82963#M2745 dart 2012-10-08T14:54:57Z