topic Re: How to troubleshoot authentication error "In handler 'LDAP-auth': Failed to retrieve a group with these settings"? in Security

How to troubleshoot authentication error "In handler 'LDAP-auth': Failed to retrieve a group with these settings"?

saifuddin9122 — Mon, 18 Jul 2016 16:00:31 GMT

Hello

As I am working on LDAP authentication, I am getting the error:

In handler 'LDAP-auth': Failed to retrieve a group with these settings

Can anyone please guide me what I doing wrong?

My authentication.conf looks as below:

[authentication]
authType = LDAP
authSettings = ldaphost

[ldaphost]
host = XXXX
port = 1389
SSLEnabled = 0
bindDN = cn=Directory Manager 
bindDNpassword = XXXX
userBaseDN = dc=XXXX,dc=internal
userBaseFilter = (objectclass=posixAccount)
userNameAttribute = uid
realNameAttribute = cn
groupMappingAttribute = dn 
groupBaseDN = ou=groups,dc=XXXX,dc=internal
groupBaseFilter = (objectclass=groupOfNames)
groupNameAttribute = cn
groupMemberAttribute = uniqueMember
timelimit = 10
network_timeout = 15

[roleMap_ldaphost]
admin = splunk-admin
user = splunk-users

Re: How to troubleshoot authentication error "In handler 'LDAP-auth': Failed to retrieve a group with these settings"?

rafamss — Mon, 18 Jul 2016 23:52:10 GMT

Do you created the group splunk-admin and splunk-users in authorize.conf file?

Also take a look at these sources:

Re: How to troubleshoot authentication error "In handler 'LDAP-auth': Failed to retrieve a group with these settings"?

ddrillic — Tue, 19 Jul 2016 01:53:28 GMT

We use the following to find the ldap group names which start with splunk -

bindDN = cn=spl_app,cn=users,dc=ms,dc=ds,dc=xxx,dc=com
groupBaseDN = cn=users,dc=ms,dc=ds,dc=xxx,dc=com
groupBaseFilter = (&(objectcategory=group)(cn=splunk*))
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
userBaseDN = cn=users,dc=ms,dc=ds,dc=xxx,dc=com

Re: How to troubleshoot authentication error "In handler 'LDAP-auth': Failed to retrieve a group with these settings"?

rdimri_splunk — Tue, 19 Jul 2016 04:03:03 GMT

That error is trying to tell you that "With the ldap settings you have configured, when splunk tried to look up groups but did not find any".

Fields of intrest along with their description:

groupBaseFilter =
* OPTIONAL
* The LDAP search filter Splunk uses when searching for static groups
* Like userBaseFilter, this is highly recommended to speed up LDAP queries
* See RFC 2254 for more information
* This defaults to no filtering

groupNameAttribute =
* REQUIRED
* This is the group entry attribute whose value stores the group name.
* A typical attribute for this is 'cn' (common name)
* Recall that if you are configuring LDAP to treat user entries as their own
group, user entries must have this attribute

groupMemberAttribute =
* REQUIRED
* This is the group entry attribute whose values are the groups members
* Typical attributes for this are 'member' and 'memberUid'
* For example, consider the groupMappingAttribute example above using
groupMemberAttribute 'member'
* To declare 'splunkuser' as a group member, its attribute 'member' must
have the value 'splunkuser'

Delving a little bit deeper with an example lets say your groups are saved in ou=Matrix Actors,dc=example,dc=com, this will be your groupBaseFilter. Then there are different groups in this ou namely cn=Good Guys,ou=Matrix Actors,dc=example,dc=com and cn=Bad Guys,ou=Groups,dc=example,dc=com. hence 'cn' is going to be your groupNameAttribute. Further more these groups have an attribute called member, for example member: neo, member=smith, member=morpheus. And your ldap has user entries like cn=neo,ou=Matrix Actors,dc=example,dc=com and cn=Trinity,ou=Matrix Actors,dc=example,dc=com. So this kinda explains what these values mean.

Next question would be how to debug this on LDAP server and find out which values should you choose for these attributes.
something to the order of
ldapsearch -x -LLL -H ldap:/// -b dc=cloudapp,dc=net dn

should list all the dn entries (I might be rusty with this) and you can drill down or use some UI tool to browse your ldap tree