topic Re: Splunk Cluster - AD Auth - SSO in Security

Splunk Cluster - AD Auth - SSO

JeremeyWise — Thu, 01 Oct 2015 19:20:39 GMT

Building my first Splunk cluster for lab. All hosts CentOS6 with full AD (kerberos) integration but wanting to add AD integration (towards SSO goal) into cluster

Question:

1) I am getting error "Encountered the following error while trying to save: In handler 'LDAP-auth':strategy=aessatl.arrow.com" Error binding to LDAP. reason="Invalid credentials". Where can I get better examples, or someone who can post details about how to set this up.

Settings /field inputs used

Name aessatl.arrow.com
Server atllabman1.aessatl.arrow.com
Port 389
Bind DN CN=Administrator,OU=users,DC=aessatl,DC=arrow,DC=com
User Base DN OU=Users,DC=aessatl,DC=arrow,DC=com
User Name Attribute sAMAccountName
Real Name Attribute cn
eMail Attribute Mail
Group Mapping Attribute dn
User Base DN OU=Users,DC=aessatl,DC=arrow,DC=com
User Name Attribute sAMAccountName
Real Name Attribute cn
eMail Attribute Mail
Group Mapping Attribute dn
Group Settings DC=aessatl,DC=arrow,DC=com
Group Name Attribute cn
Static Member Attribute member
Nested Groups <check>
Dynamic Group
<no changes>
Advanced Settings
<check box but leave defaults>

2) I am doing this on the Deployment (deployer / license server) server, to get it working, but I need to deploy this across the cluster. I would assume this would be across all tiers of the cluster (search head nodes, indexers, forwarders, cluster master, deployer). What is the best methodology for this?

I would attach my configuation (saved as PDF) showing the fields I used so someone could point out what I am putting in wrong.. but I was bad in previous life... and this one... well... likely future also.. and as such have insufficient karma.

Re: Splunk Cluster - AD Auth - SSO

dmaislin_splunk — Fri, 02 Oct 2015 18:03:19 GMT

http://blogs.splunk.com/2009/08/13/ldap-auth-configuration-tips/

Re: Splunk Cluster - AD Auth - SSO

acharlieh — Fri, 02 Oct 2015 18:29:06 GMT

I'm not sure about your AD setup, but I think typically the Users folder is actually CN=Users and not OU=Users

So your bind DN should be: CN=Administrator,CN=Users,DC=aessatl,DC=arrow,DC=com
And your user Base DN should be: CN=Users,DC=aessatl,DC=arrow,DC=com

You can double check with a raw LDAP browser such as Apache Directory Studio.

Re: Splunk Cluster - AD Auth - SSO

dmaislin_splunk — Fri, 02 Oct 2015 18:36:17 GMT

Sometimes I just use an LDAP browser to get the right settings like this one: http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm

Re: Splunk Cluster - AD Auth - SSO

JeremeyWise — Wed, 07 Oct 2015 15:35:54 GMT

That was the issue.. sorry for delay on posting. I SWEAR I tried that, as that is the typical for AD convention for DN type, but as I got that OU input from actual screenshot of working end user, i figured it was just one of those querks.

Working now... with AD.. now..

Question:
1) How do I deploy this to a cluster? [I would assume, that this can be added as "an app" from the deployment node... in some kind of file structure (hopefully PS has done this dozens of times and can redirect me to RTFM) and I can push it out. I would assume cluster master would also need to push it to indexers?]

2) With the structure that Splunk has for its application. Are there any needs to leverage ACLs and integration with permissions for files / indexes etc with ACL control? I don't think so, but want to make sure before I get too far into cluster build out. The VMs are loaded with modules, so it is just a matter of implementation.

Thanks