topic Re: LDAP Map users to roles in Security

LDAP Map users to roles

Raghav2384 — Mon, 28 Sep 2020 20:04:12 GMT

Working LDAP where i can map LDAP groups to roles.
[XYZ Corporate AD]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=a1dpsapacheuser,OU=Administrative,DC=CORP,DC=XYZ,DC=com
bindDNpassword = password
charset = utf8
emailAttribute = mail
groupBaseDN = OU=Groups,OU=Location Corporate,OU=ABC,DC=CORP,DC=XYZ,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = x.x.x.x
nestedGroups = 0
network_timeout = -1
port = 636
realNameAttribute = givenname
sizelimit = 1000000
timelimit = 29
userBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
userNameAttribute = samaccountname

[roleMap_XYZ Corporate AD]
admin = XYZ - Admin Splunk Distribution
splunkuser = GlobalUsers

[authentication]
authSettings = XYZ Corporate AD
authType = LDAP

Trying to achieve, LDAP map users to Roles. I have followed
http://answers.splunk.com/answers/43842/mapping-ldap-user-to-roles-matched-groups-are-not-found-in-roles.html &
http://docs.splunk.com/Documentation/Splunk/6.2.0/Security/ConfigureLDAPwithconfigurationfiles as is but no luck. Here's the config i came up with

[XYZ Corporate AD]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=a1dpsapacheuser,OU=Administrative,DC=CORP,DC=XYZ,DC=com
bindDNpassword = password
charset = utf8
emailAttribute = mail
groupBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
groupBaseFilter = (|(samaccountname=*))
groupMappingAttribute = samaccountname
groupMemberAttribute = samaccountname
groupNameAttribute = samaccountname
host = x.x.x.x
nestedGroups = 0
network_timeout = -1
port = 636
realNameAttribute = cn
sizelimit = 1000000
timelimit = 29
userBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
userNameAttribute = samaccountname

[roleMap_XYZ Corporate AD]
newadmin = rgomatha

[authentication]
authSettings = XYZ Corporate AD
authType = LDAP

And i can't login. Is it because we have too many groups? I am sure more than 1000! What am i doing wrong?

Thanks in advance!
Regards,
Raghav

Re: LDAP Map users to roles

acharlieh — Sat, 23 May 2015 18:39:18 GMT

Is "newadmin" a role defined in authorize.conf? Does the newadmin role extend the built in "user" role? (There is a way to enable login for roles that aren't user but it's tricky last I remember)

Re: LDAP Map users to roles

Raghav2384 — Sat, 23 May 2015 18:41:11 GMT

Correct, i created a role newadmin. It is inherited from built-in admin role

Re: LDAP Map users to roles

Raghav2384 — Sun, 24 May 2015 02:19:22 GMT

So, i guess the culprit was the LDAP group (Too big to handle i guess). Once i picked a relatively smaller group, it started to show users as groups and let me add users to individual roles. Now the problem is, it's not reflecting until i restart splunkd every addition/updates. Is there any other way to avoid the restart as it could become a pain with more and more users request access 🙂

P.S: Though debug/refresh isn't going refresh authentication...tried it to just to be sure. Didn't work 😞

Re: LDAP Map users to roles

acharlieh — Sun, 24 May 2015 02:26:43 GMT

Why do you want to map users directly to roles in Splunk? As you've found out changing mappings you're going to likely wind up with restarts. If you could get your AD Admin to delegate you an OU for Splunk groups, and create groups per Splunk role in that OU, then adding/removing users to roles requires no restart. (As you're then just adding / removing users to groups within AD... the mapping stays the same).

Re: LDAP Map users to roles

Raghav2384 — Sun, 24 May 2015 02:38:47 GMT

I agree and that's how we had it configured first. We have close to 80 indexes and the ask is to have different levels of elevated privileges to individuals (i know exactly how this sounds :)). So even if i create 100 roles in Splunk , since i cannot have everyone from that One Mega Splunk AD group access it, this route. Please let me know if you have a better strategy and i can certainly propose it 🙂

In a nut shell, cannot request multiple AD groups, Can create whatever no. of roles in splunk i can, several levels of user access required.

Thank you Charlie!

Regards,
Raghav

Re: LDAP Map users to roles

acharlieh — Sun, 24 May 2015 02:50:49 GMT

As several levels of user access are required, make a role and corresponding LDAP group that maps to each piece you want to authorize. If a user needs 3 different levels of access, add his account to the 3 corresponding LDAP groups. As a user, you can have multiple roles in Splunk (like you can be a member of multiple groups in Active Directory).

Re: LDAP Map users to roles

Raghav2384 — Sun, 24 May 2015 02:53:08 GMT

Yeah, i proposed the exact same...manage more from AD side and role....i guess some people just don't get it 🙂 Thanks Charlie..cheers!

Re: LDAP Map users to roles

acharlieh — Sun, 24 May 2015 03:00:50 GMT

LOL... Well now you can tell them that a random person on an internet forum thinks you're right!

Honestly, I had about 3-6 months of debates before I was able to convince those who controlled our AD infrastructure that delegating an OU for Splunk groups was the correct course of action. I can only wish you best of luck!

Re: LDAP Map users to roles

Raghav2384 — Sun, 24 May 2015 15:11:22 GMT

Thanks again for you help Charlie.....Cheers!

Re: LDAP Map users to roles

Raghav2384 — Mon, 25 May 2015 18:23:00 GMT

Looks like i have to go with AD groups to Splunk roles instead of Users to Splunk roles for lot of reasons.

Thanks to Charlie for adding weight to the approach 1