topic Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."? in All Apps and Add-ons

Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

glancaster — Mon, 28 Sep 2020 18:12:53 GMT

Hi all,

Installed SA-ldapsearch and it works perfectly for my account. I told the users to go ahead and start using it but they are returned the following red banner message:

External search command 'ldapsearch' returned error code 1. Script output = " ERROR "HTTPError at ""/apps/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py"", line 1108 : HTTP 403 Forbidden -- In handler 'passwords': You (user=testuser) do not have permission to perform this operation (requires capability: admin_all_objects)." "

I have adjusted the app permissions to allow read and write permissions to all users. I have looked through the scripts to the best of my ability but am unable to locate the parameter to requires admin_all_objects to execute. Anyone have an idea of where I can find the config and what I need to change it to - to allow all users to be able to execute the SA-ldapsearch commands?

Thanks in advance,
George

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

glancaster — Tue, 18 Nov 2014 17:47:51 GMT

Forgot to mention, running version 2.0.0

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

David_Noble_at_ — Mon, 28 Sep 2020 18:13:01 GMT

We use Splunk's storage passwords endpoint to read/write passwords. This endpoint cannot be accessed by users without admin_all_objects capability. You might wish to create a new role for this. You might, for example, create an "SA-ldapsearch user" role that inherits from user and adds the admin_all_objects capability.

The admin_all_objects capability grants users significant access rights:

A role with this capability has access to objects in the system (user objects, search jobs, etc.).
This bypasses any ACL restrictions (similar to root access in a *nix environment).
We check this capability when accessing manager pages and objects.

See the authorize.conf spec for additional information.

We are considering developing an alternative to the storage password endpoint for securely storing credentials in a future release of the Splunk Support Add-on for Active Directory; one that would not require admin_all_objects capability. Please stay tuned.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

glancaster — Mon, 28 Sep 2020 18:13:09 GMT

Thank you for the response, I understand the limitations and hope that Splunk is able to work around this, In our situation we use a read-only account to query LDAP and need a wide range of users to be able to execute these commands in Splunk - a range of users that we wouldn't want to give admin_all_objects capabilities to.

Would we be able to get someone to update the documentation and add this to the "About" section or maybe the release notes? Reading this before I tested and deployed would have saved me and others some time.

Thanks for the assistance,
George

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

David_Noble_at_ — Wed, 19 Nov 2014 16:13:11 GMT

I opened a bug to update the documentation. That change will be made soon.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

dineshraj9 — Thu, 05 Mar 2015 11:35:13 GMT

Is this issue resolved in the later versions of SA-ldapsearch app?

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

glancaster — Mon, 28 Sep 2020 19:07:17 GMT

Not that I am aware of, I did open an enhancement request to allow us to assign roles outside of admin_all_objects to control access to this feature.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Lucas_K — Tue, 17 Mar 2015 02:42:36 GMT

Has anyone found a way around this requirement? This is a seriously bad design choice. Fix a potential security issue by allowing everyone the equivalent of root access?

Hashed local password storage for your ldap servers were much better than having users changing/deleting whatever they like across your platform just to access a custom command 😕

We just has a user reconfigure a heap of server level options on our clustered search heads. It was only when they said "why doesn't X" work did we find out that they'd believed they were changing options just for themselves.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

glancaster — Tue, 17 Mar 2015 03:56:13 GMT

For a cheap work around you can export the results you need from an admin account out to a lookup table and let normal users query against that. I have some high level queries set on daily cron.

Also, please open an enhancement request for the fix like I did to let them know we need this changed.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

glancaster — Tue, 17 Mar 2015 03:57:08 GMT

See my response below.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

johnsjm — Tue, 01 Dec 2015 22:53:36 GMT

Great app but I can't allow my users to use it... will this ever be fixed?

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

rahul_jasrotia — Tue, 19 Jan 2016 15:55:43 GMT

Is there a solution to this now? I need to make a dashboard for people to take work on and i can't give admin access to them all.

Please help?

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

howyagoin — Tue, 29 Sep 2020 08:30:05 GMT

Just ran into this issue as well - the solution of adding admin_all_objects to all users is simply not acceptable. The (much) older version of this SA-ldapsearch had the password stored in the ldap.conf file; whilst that's not ideal, for a read-only LDAP user this was far, far better than the proposed solution.

I do NOT recommend doing what I just did, but it got me working:

You can modify the .py files and embed the password directly rather than using the password storage routines. This means that your LDAP/AD password would be readable at the filesystem level by whomever has access to that, but, if you're like me, that's probably a lot more palatable than giving all Splunk users the required permission.

I modified:

ldapsearch.py
./packages/app/connection_pool.py
Possibly ./packages/app/configuration.py

Point is, I looked for the Python functions which were waiting for the results of the storage routines to return the password and just inserted password='whatever-the-password-was' instead.

Really, really bad idea, but, it's a far less bad idea than the current permissions requirement.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

rahul_jasrotia — Fri, 22 Jan 2016 14:16:21 GMT

Hi @howyagoin,
Thanks for the reply but, I have 2 domains configured so not sure which passwords are we talking about here. for both these domains there's a different password, which one should i use. I tried one but its giving me an error.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

ontkanin — Tue, 29 Sep 2020 09:47:52 GMT

We are considering developing an alternative to the storage password endpoint for securely storing credentials in a future release of the Splunk Support Add-on for Active Directory; one that would not require admin_all_objects capability. Please stay tuned.

Any update about fixing this?

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

ontkanin — Thu, 26 May 2016 19:58:03 GMT

I believe I have found a solution without hacking the Python script code 🙂 I actually got inspired by @howyagoin

The (much) older version of this SA-ldapsearch had the password stored in the ldap.conf file

I looked into bin/packages/app/configuration.py file and I saw this:

if password is None:
    password = self._get_value(settings, 'password', default='')
    if password.startswith('{64}'):
        password = b64decode(password[4:])
    pass

which pretty much means "if password cannot be read from password storage, then as a last resort try to read it from ldap.conf file."

So just open local/ldap.conf and add the following line into a proper stanza (in case you have multiple ADs, then add proper password to its respective stanza):

password = BINDDN_PASSWORD

We have tested it here and it works.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

ontkanin — Thu, 26 May 2016 20:02:16 GMT

@rahul_jasrotia, please see my solution below; it works with multiple domains.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

rahul_jasrotia — Wed, 20 Jul 2016 05:35:29 GMT

Thanks @ontkanin, it sure works.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

jhedgpeth — Thu, 25 Aug 2016 14:49:31 GMT

we just upgraded, which led me here. there are no scenarios where we would throw away security like suggested here. breaking the code to do it ourselves is more likely.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

benlc — Mon, 16 Jan 2017 06:27:48 GMT

Same problem with 2.1.4 but I get another Error:

External search command 'ldaptestconnection' returned error code 1. First 1000 (of 2868) bytes of script output: " ERROR " # host: X.X.X.X: Could not access the directory service at ldaps://X.X.X.X:636: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1 # host: X.X.X.X: Could not access the directory service at ldaps://X.X.X.X:636: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1