topic Re: How come the LDAP config is not picking up users directly under OU? in Security

How come the LDAP config is not picking up users directly under OU?

kannu — Mon, 08 Oct 2018 17:34:27 GMT

Hello Splunkers,

I am having some issue with LDAP authentication.
The Issue is: i am having one domain that is abc.int.com under that domain i have one OU called Splunk in that OU i have many "usersid" .

"usersid" refers to persons name who needs access in Splunk through LDAP

So i am using the strings :
For user base DN :
ou=Splunk,dc=abc,dc=int,dc=com

and for group base dn .
dc=abc,dc=int,dc=com

but it's not picking up users. It's only picking up users under groups not under any OU.

Please help me !!!!

Re: How come the LDAP config is not picking up users directly under OU?

ssadanala1 — Mon, 08 Oct 2018 18:17:53 GMT

for the group base dn , you need specify ou attribute
Your ldap configuration should resemble like this

groupBaseDN = ou=Groups,dc=splunksupport,dc=com;
*This is the Base of your Groups in LDAP. You can also specify multiple bases. For example: ou=Management,ou=Groups,dc=Splunkers,dc=com;ou=Consultants,ou=Groups,dc=Splunkers,dc=com;

For more Info

https://www.splunk.com/blog/2009/08/13/ldap-auth-configuration-tips.html

Hope it helps

Re: How come the LDAP config is not picking up users directly under OU?

MuS — Mon, 08 Oct 2018 19:09:14 GMT

Hi kannu,

Check this answer https://answers.splunk.com/answers/50175/ldap-authentication-troubleshooting-information.html

Also increase the logging for the AuthenticationManagerLDAP and the ScopedLDAPConnection channel in Settings » Server settings » Server logging and check index=_internal for LDAP related messages.

Hope that helps ...

cheers, MuS

Re: How come the LDAP config is not picking up users directly under OU?

kannu — Tue, 09 Oct 2018 17:25:47 GMT

@ssadanala1 ,

Bro i am not having groups under any OU , After OU there are directly users , there is not group in between users and OU

Re: How come the LDAP config is not picking up users directly under OU?

kannu — Tue, 09 Oct 2018 17:28:03 GMT

@MuS ,

No Link which you have provided has diffrent issue , In my case i am able to connect to ldap ,

issue is ldap settings are picking up users which are mentioned under some group , but its not picking up users which are mentioned directly under OU .

Re: How come the LDAP config is not picking up users directly under OU?

JDukeSplunk — Tue, 09 Oct 2018 18:47:52 GMT

I can't give you a specific answer for this. However I can tell you how I got mine working.

Using ADExplorer or some other LDAP browser I nailed down the OU structure. I copy-pasted to ensure that I got the characters exactly. You can usually go into the properties of the object and copy it there.

This assumes users are in the following OU's.
OU=Users,OU=Accounts,OU=GA-ATL,OU=America,OU=Sites,DC=domain,DC=com
OU=Expire,OU=Accounts,OU=GA-ATL,OU=America,OU=Sites,DC=domain,DC=com
OU=WA-SEA,OU=America,OU=Sites,DC=domain,DC=com

And the group mappings will only show any group that begins with "Splunk"

Here is my working copy of my ..\etc\local\authentication.conf file. Which of course is populated from the GUI.

[LDAP Authentication to AD]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=splunkadsearch\, svc,CN=Users,DC=domain,DC=com
bindDNpassword = XXXXXXXX
charset = utf8
emailAttribute = mail
groupBaseDN = OU=Security,OU=Groups,OU=GA-ATL,OU=America,OU=Sites,DC=domain,DC=com
groupBaseFilter = (CN=Splunk*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = PDOM05.domain.com
nestedGroups = 0
network_timeout = 20
port = 636
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=Accounts,OU=GA-ATL,OU=America,OU=Sites,DC=domain,DC=com;OU=Expire,OU=Accounts,OU=GA-ATL,OU=America,OU=Sites,DC=domain,DC=com;OU=WA-SEA,OU=America,OU=Sites,DC=domain,DC=com
userNameAttribute = samaccountname

Hope this helps.

Re: How come the LDAP config is not picking up users directly under OU?

MuS — Tue, 09 Oct 2018 18:59:46 GMT

Not exactly, the linked answer tells you to test the LDAP connection, and connection information with another tool and visually check the results for verification purpose.

Anyway, have a look at @JDukeSplunk answer how to setup multiple OU's for userBaseDN

cheers, MuS