topic Re: Splunk ldap in Security

Splunk ldap

sushma6 — Thu, 27 Feb 2014 10:28:13 GMT

Hi,

I am trying to integrate Splunk with Ldap, and hence I entered the following set of information.

LDAP Strategy Name: ldap
Host: 192.127.44.155
Port: 389
Bind DN: CN=va230033,OU=Application Accounts,DC=corp,DC=ncr,DC=com
Bind DN password: xxxxxx
User base DN: dc=corp,dc=ncr,dc=com
User name attribute: samaccountname
Real name attribute: displayname
Group mapping attribute: dn
Group base DN: dc=corp,dc=ncr,dc=com
Group name attribute: cn
Static member attribute: member

When i created a ldap with the above settings, i received the following error: ldap server warning: size limi exceeded. Not only this once done, when I try to map groups i could not find the groups that I want. So as to make search more refinable, I even included the following filter: (&(objectCategory=group) (cn=sweng*)) under User base filter.

Doing so did not help me, still I could not retrieve the group that I require and still the error persists.

Thanks,
Sushma.

Re: Splunk ldap

HiroshiSatoh — Mon, 28 Sep 2020 15:59:34 GMT

How about increasing the size of this parameter?
Advanced settings -> Search request size limit

•Search request size limit
◦To avoid performance-related issues, you can set the search request size limit. Splunk will then request that the LDAP server return the specified maximum number of entries in response to a search request. In a large deployment with millions of users, setting this limit to a high value could result in a long response, depending on the search filter set in the LDAP strategy configuration. If this limit is reached, splunkd.log should contain a size limit exceeded message.
◦You should set the search request time limit and search request size limit values in conjunction with the splunkweb timeout property, described in "Configure user session timeouts". If you have a group that is not showing up in the Splunk console, it was likely excluded due to one of these limits. Tune these properties as needed.
◦To set the request size limit higher than 1000, you must also edit max_users_to_precache in limits.conf to accomodate the number of users you set for your request size limit.

http://docs.splunk.com/Documentation/Splunk/6.0.2/Security/ConfigureLDAPwithSplunkWeb

Re: Splunk ldap

sushma6 — Fri, 28 Feb 2014 12:32:06 GMT

Yes,now i am able to view the groups that I required, but not able to login to the SPLUNK using the users belonging to that group. Is there anything else that I need to do?

Re: Splunk ldap

HiroshiSatoh — Fri, 28 Feb 2014 16:17:11 GMT

You need to be added to the group (user role, for example) role with login privileges.

Re: Splunk ldap

sushma6 — Sun, 02 Mar 2014 15:06:45 GMT

yes after mapping the group, I assigned admin role to all the users in that group, there are 10 users in that group and I gave each of them admin rights, even i am included in that group. Once done i tried to login with the LDAP credentials, but it is showing as Invalid username and password.

Re: Splunk ldap

sushma6 — Tue, 04 Mar 2014 06:41:00 GMT

I could do it myself changed the Group mapping attribute to dn instead of memberof and now I could login with the LDAP credentials.