topic Re: AD / LDAP Authentication Limit issues in Security

AD / LDAP Authentication Limit issues

Vtesse — Mon, 28 Sep 2020 13:43:41 GMT

Hi.

I've managed to get my Splunk (5.0.latest) referring to my Active Directory Domain Controllers to allow a number of user logins, however at this time, it is only working if I explicitly specify the User and group DN's on the LDAP config page.

What I'd love to do is have the ldap Plugins simply look at the User OU and Group OU and allow me to then pick which groups I want to map.

I've tried fiddling with the silzelimit and a few other functions, and even pointing at an OU with only 1 user / group, but no matter what is tried, I always get the Query Size Limit Exceeded error.

Any ideas how I can resolve this issue?
Here is an example of a working section of the Authentication.conf:
[Admin Users]
SSLEnabled = 1
anonymous_referrals = 0
bindDN = CN=Splunk ldap,OU=Service Accounts,OU=STUFF,DC=DOMAIN,DC=ltd
bindDNpassword = blah
charset = utf8
groupBaseDN = CN=Splunk Sysadmins,OU=User Groups,OU=STUFF,DC=DOMAIN,DC=ltd
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = 10.100.100.11
nestedGroups = 1
network_timeout = 20
port = 3269
realNameAttribute = name
sizelimit = 10000
timelimit = 15
userBaseDN = CN=ME, CN=Users,DC=Vtesse,DC=ltd
userNameAttribute = samaccountname

TIA

Re: AD / LDAP Authentication Limit issues

krugger — Mon, 15 Apr 2013 11:10:12 GMT

You can configure this with the web GUI at:

Manager > Access controls > Authentication method

Turn LDAP on

Click on Configure Splunk to use LDAP and map groups

Define a new LDAP strategy. In the strategy you can define search filters to have multiple groups.

After that you can map the groups to user roles.

Re: AD / LDAP Authentication Limit issues

Vtesse — Mon, 15 Apr 2013 13:13:39 GMT

Indeed you can.
That's where I've configured this entry.
The problem is, when I enter the OU's in groupBaseDN and userBaseDN, I get the "too many lines returned" error from the LDAP plugin. Even if I
A) point them at an OU with only 2 entries
B) Increase the sizelimit to something silly.

Re: AD / LDAP Authentication Limit issues

JoeIII — Tue, 27 Aug 2013 13:58:47 GMT

I wonder if your nestedGroups setting is the source of your "too many lines" issue.

Also, while your environment may differ, a few of the identifying attributes are different from what I normally use when setting up AD auth for systems like Splunk.

here are the attributes I use in my splunk environment:

groupMappingAttribute = distinguishedname
groupMemberAttribute = member
groupNameAttribute = name
realNameAttribute = displayname
userNameAttribute = samaccountname

as for the filters, Microsoft has a very in-depth article on LDAP filters and examples specific to AD that I believe anyone configuring AD auth should have bookmarked:
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Re: AD / LDAP Authentication Limit issues

s72ucor — Thu, 21 Nov 2013 14:49:18 GMT

I have the same issue with or without nested groups enabled.

Re: AD / LDAP Authentication Limit issues

s72ucor — Thu, 21 Nov 2013 15:32:56 GMT

I've noticed that if I create an AD group for specific access (i.e. users) and then add users to that group I can get this to work; however, I needed to define the group by editing "/etc/syslog/local/authentication.conf" via the CLI. Even if I edit the configuration file and set the limit to 1000+,10000+,100000+,1000000+ it doesn't change the behavior. This makes me think that the issue isn't a LDAP issue, rather a GUI issue. I noticed that even with the limit change the GUI still only shows 1000 entries. Here's what I did to make things work:

Configure the "LDAP strategy" via the GUI.
Edit /etc/syslog/local/authentication.conf"
Under the LDAP definition create your user access similar to the following:

[roleMap_LDAPStrategyName]

user = LDAPGroupName

Restart Splunk

Once I created the new AD config and defined the users via the CLI I restarted splunk and all these users that were supposed to have access were imported. In addition I was able to add new users to the AD group and use the GUI "Reload Authentication Configuration" button on under "Manager » Access controls » Authentication method".

I know this isn't a GUI solution, but it did solve me problem. I'm using Splunk 5.5 on Linux.

Re: AD / LDAP Authentication Limit issues

neiljpeterson — Tue, 25 Mar 2014 16:31:11 GMT

This is the response that helped me solve this issue. I had to add a user that had already signed in to Splunk, to the AD group for the UI to display/recognize the group, so that I could map it.