https://community.splunk.com/t5/Security/LDAP-tuning-4-2/m-p/105259#M3369 <P>This is interesting.</P> Sat, 21 May 2011 17:28:38 GMT gkanapathy 2011-05-21T17:28:38Z https://community.splunk.com/t5/Security/LDAP-tuning-4-2/m-p/105257#M3367 <P>I have set up LDAP access to the GC (3268) and it works great. However, i am now noticing that there is a lot of traffic generated across the firewall that separates them.<BR /> in the last 60 minutes 54,000 connections were created. This will not make the AD team very happy.</P> <P>Firstly what is splunk doing every minute to reach out and generate about 1000 connections ( this sounds like the default page size for an ldap connection)?</P> <P>Second how do I force splunk to reach out less frequently? The LDAP groups are not changing that rapidly, once an hour or two is sufficient for me. </P> <P>Can the scripted auth parameters for caching and timeout be used for LDAP connections?</P> Thu, 19 May 2011 12:11:28 GMT https://community.splunk.com/t5/Security/LDAP-tuning-4-2/m-p/105257#M3367 EricPartington 2011-05-19T12:11:28Z https://community.splunk.com/t5/Security/LDAP-tuning-4-2/m-p/105258#M3368 <P>Solved it, wasnt what I expected.</P> <P>We are using LDAP auth for user access to splunk. It turns out that splunk attempts to verify in LDAP all the owners of searches and objects listed in local.meta</P> <P>I had done some development on objects with a local account that didnt exist on this server and that was what splunk was attempting to lookup in AD. This is the same behaviour that I saw when i used the Bind app and we were noticing lookups for nfoggi (the creator of the searches in that app).</P> <P>So i guess a word of warning, if you save objects as owned by a local user that does not exist on the splunk server that authentication is done on, you will have a number of queries generated to your AD/LDAP server attempting to lookup those ID's.</P> <P>A tcpdump with this string will tell you what you are looking up in AD/LDAP to validate the problem.<BR /> a.b.c.d is th eldap server or you can use port 3268 (for global catalog) or port 386 (for LDAP).<BR /> tcpdump -np -s 1500 -w outfile.libpcap -i em3 host a.b.c.d</P> <P>hope this helps someone (and maybe gets the default ownership of objects changed in splunkbase for those that use AD/LDAP auth).</P> Fri, 20 May 2011 18:39:58 GMT https://community.splunk.com/t5/Security/LDAP-tuning-4-2/m-p/105258#M3368 EricPartington 2011-05-20T18:39:58Z https://community.splunk.com/t5/Security/LDAP-tuning-4-2/m-p/105259#M3369 <P>This is interesting.</P> Sat, 21 May 2011 17:28:38 GMT https://community.splunk.com/t5/Security/LDAP-tuning-4-2/m-p/105259#M3369 gkanapathy 2011-05-21T17:28:38Z