topic Re: Can Splunk be configured to add a single active directory user instead of a group? in Security

Can Splunk be configured to add a single active directory user instead of a group?

scc00 — Fri, 06 Feb 2015 19:28:20 GMT

Can Splunk be configured to pull a single AD user instead of a group? I have tried a number of user base filters with no success. My group filters work without issue.

I have tried to use the following for the user base filter options:

• (&(objectCategory=person)(objectClass=user)(sAMAccountName=someone))
• (&(objectClass=user)(sAMAccountName=someone))
• (&(objectCategory=person)(objectClass=user)(cn=someone))
• (&(objectClass=user)(cn=someone))

I am getting the following errors in splunkd.log.
• ERROR AdminHandler:AuthenticationHandler - Failed to retrieve a group with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.

Re: Can Splunk be configured to add a single active directory user instead of a group?

sanjay_shrestha — Fri, 06 Feb 2015 19:38:21 GMT

It is possible if you add constraint in the User Settings:

User Base Filter
(&(objectClass=user)(cn=someone))

And check in the Group Settings:

Static group search filter should have constraint for the group where someone exists.
e.g.
(&(objectClass=group)(cn=Splunk-Someones-Group))

Re: Can Splunk be configured to add a single active directory user instead of a group?

scc00 — Fri, 06 Feb 2015 19:43:23 GMT

I tried that. Still doesn't work.

Re: Can Splunk be configured to add a single active directory user instead of a group?

sanjay_shrestha — Fri, 06 Feb 2015 19:44:23 GMT

Can you post User Settings & Group Settings?

Re: Can Splunk be configured to add a single active directory user instead of a group?

scc00 — Mon, 28 Sep 2020 18:52:08 GMT

Sure.

User Base DN:
OU=Contractors,OU=Non-main Users,OU=main_users,DC=domain,DC=org
User Base Filter:
(&(objectClass=user)(cn=someone))
Group base DN:
OU=Contractors,OU=Non-main Users,OU=main_users,DC=domain,DC=org
Group Filter:
(&(objectclass=group)(cn=Contractors)

Re: Can Splunk be configured to add a single active directory user instead of a group?

sanjay_shrestha — Fri, 06 Feb 2015 19:52:52 GMT

Can you try adding following:

User name attribute >> samaccountname
Real name attribute >> cn
Group mapping attribute >>dn

Group name attribute >> cn
Static member attribute >> member

P.S. I tried in my system and able to pull only one user. I had these extra parameters set.

Re: Can Splunk be configured to add a single active directory user instead of a group?

scc00 — Fri, 06 Feb 2015 20:00:15 GMT

Those are all already set. I've tested the syntax against LDAP and the work to pull the single user. No idea why it won't work for me within Splunk.

Re: Can Splunk be configured to add a single active directory user instead of a group?

scc00 — Fri, 06 Feb 2015 20:28:35 GMT

Do you know where I can set the ScopedLDAPConnection to DEBUG? I can't find it in the log.cfg.

Re: Can Splunk be configured to add a single active directory user instead of a group?

sanjay_shrestha — Fri, 06 Feb 2015 20:36:56 GMT

settings >> System settings >> System Logging

Re: Can Splunk be configured to add a single active directory user instead of a group?

scc00 — Mon, 28 Sep 2020 18:52:10 GMT

Thanks. So here is what i am getting.

02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Adding attribute="cn" with value="Person"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Adding attribute="sAMAccountName" with value="xxxxx"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Adding attribute="mail" with value="person@domain.org"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Attempting to read entry at DN="OU=Contractors,OU=Non-Main Users,OU=Main,DC=domain,DC=org"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Attempting to search subtree at DN="OU=Contractors,OU=Non-Main Users,OU=Main,DC=domain,DC=org" using filter=""
02-06-2015 15:52:47.925 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Search duration="1992 microseconds"
ScopedLDAPConnection - strategy="contractor_person" LDAP Server returned no entries in search for DN="OU=Contractors,OU=Non-domain Users,OU=Main,DC=domain,DC=org" filter="(&(&(objectclass=group)(cn=Contractors))(cn=)(member=))".
02-06-2015 15:52:47.928 -0500 ERROR AdminHandler:AuthenticationHandler - Failed to retrieve a group with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.

Re: Can Splunk be configured to add a single active directory user instead of a group?

scc00 — Fri, 06 Feb 2015 21:08:36 GMT

I'm wondering if it's timing out. It found the user but the filters aren't working. even though they've been tested.

Re: Can Splunk be configured to add a single active directory user instead of a group?

scc00 — Mon, 28 Sep 2020 18:57:34 GMT

This is what worked for me in the end. Setting the group base and user base filters and DN to the same value, the user base values. I also modified the groupMemberAttribute to mimic the userMember Attribute.
Settings to add a single user:

[Team_Contractors]
host = ldap.domain.org
port = 389
SSLEnabled = 0
anonymous_referrals = 1
bindDN = domain\XXXXXXX
bindDNpassword = XXXXXXXXXXXXXX
charset = utf8
emailAttribute = mail
userBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain_Main,DC=domain,DC=org
userBaseFilter = (&(objectclass=user)(|(sAMAccountName=XXXXX)(sAMAccountName=XXXXX)))
groupBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain_Main,DC=domain,DC=org
groupBaseFilter = (&(objectclass=user)(|(sAMAccountName=XXXXX)(sAMAccountName=XXXXX)))
nestedGroups = 0
userNameAttribute = samaccountname
realNameAttribute = cn
groupMappingAttribute = cn
groupMemberAttribute = samaccountname
groupNameAttribute = cn
timelimit = 10
network_timeout = 20

Re: Can Splunk be configured to add a single active directory user instead of a group?

scc00 — Mon, 28 Sep 2020 19:17:50 GMT

I ended up using the following syntax to get it to work.

Settings to add a single user:

[Strategy]
host = *****
port = 389
SSLEnabled = 0
anonymous_referrals = 1
bindDN = ******
bindDNpassword =********
charset = utf8
emailAttribute = mail
userBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain,DC=domain,DC=com
userBaseFilter = (&(objectclass=user)(|(sAMAccountName=***)(sAMAccountName=)))
groupBaseDN =OU=Contractors,OU=Non-domain Users,OU=domain,DC=domain,DC=com
groupBaseFilter = (&(objectclass=user)(|(sAMAccountName=)(sAMAccountName=***)))
nestedGroups = 0
userNameAttribute = samaccountname
realNameAttribute = cn
groupMappingAttribute = cn
groupMemberAttribute = samaccountname
groupNameAttribute = cn
timelimit = 10
network_timeout = 20