We're looking at using a RADIUS server to allow us to use RSA SecurID tokens -- but we've already got LDAP setup for our role mappings from Active Directory.
What we'd like to do is use the RADIUS Authentication App, but once a user is authenticated, have it perform its role mapping based on an LDAP lookup with the username.
Is this something that's configurable in a straightforward manner? I'm trying to think through how it could be accomplished, but I'm not coming up with anything short of modifying the RADIUS app to do it as part of its script (which we're hoping to avoid if possible).
So, this is very out of date -- but I will say that rather than deal with the custom auth script method and all the fun it entails, we discovered that the FreeIPA project (upstream of Red Hat's IdM) has built-in TOTP capabilities, and performs the TOTP+password checks as part of a single LDAP call.
I'd really recommend using it (or an AD workalike, if there is one), as Splunk has been much simpler to maintain with LDAP-backed roles instead of managing user roles locally.
The app currently allows you to map users to roles using a lookup file. If you can export the role mapping to a lookup file, then you could make this work. Note that there is an app available for editing lookup files in a user interface too (if you want to do it that way).
I'm definitely interested in building something into the app for handling this automatically but I'm not sure how. Let me know if you are aware of a way to export the LDAP user/role mappings and I'll look into adding support for this.
I'm going to look into it a bit and see if there's a simple way to do this within Python, similar to a scripted authentication. In theory, as long as you can do group lookups against LDAP/AD, you'd just need to have the right Base DN, then do a lookup on the username to see what groups the user is in, and have those map to roles similar to how LDAP auth does it currently (which could work via a lookup as you describe).
You could use a scheduled search with the ldapsearch command to query certain groups in LDAP and fill up the lookup table that way. This would require the LDAP search app to be installed.
This is what I was thinking, but haven't done it yet.
I'm not that familiar with how LDAP authentication works. Do you know if there is a way to see the role/user mapping from within Splunk (or a way to export the role/user mapping to a lookup file)? I don't mind building something into the app to handle this, I'm just not sure how yet.
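The two suggestions above (look up the user's groups and map them to roles the way LDAP auth does, and populate the app's lookup file from a scheduled search) can share one piece of logic: reuse the roleMap that the existing LDAP strategy already has in authentication.conf instead of maintaining a second copy of the mapping. The script below is an added example for this thread, not code from the RADIUS Authentication App, SA-ldapsearch or Splunk. It assumes the `[roleMap_<strategy>]` stanza lists group names (the groupNameAttribute, usually cn) separated by `;`, which is how I understand Splunk's format; it assumes the user's memberOf DNs have already been fetched by an LDAP query (the values here are constructed samples); and the lookup columns `username`/`roles` and the strategy name `corpldap` are hypothetical stand-ins for whatever the app actually reads.

```python
"""Derive a user->roles lookup row from Splunk's existing LDAP roleMap.

Added example for this thread; not code from the RADIUS Authentication App,
SA-ldapsearch, or Splunk. Assumptions (not from the thread):
  * [roleMap_<strategy>] in authentication.conf lists, per Splunk role, group
    names (groupNameAttribute, usually cn) separated by ';';
  * the user's memberOf DNs come from an LDAP query done elsewhere (e.g. an
    ldapsearch scheduled search); here they are constructed samples;
  * the lookup columns 'username' and 'roles' (';'-separated) are hypothetical.
"""
import configparser
import csv
import io
import re

# Constructed sample stanza; group names and DNs are invented for this example.
SAMPLE_AUTH_CONF = """\
[roleMap_corpldap]
admin = Splunk Admins
power = Splunk Power Users;SOC Analysts
user = Splunk Users;CN=Legacy Splunk,OU=Groups,DC=example,DC=com
"""

# Constructed memberOf values as AD would return them for three sample users.
SAMPLE_USERS = {
    "alice": ["CN=SOC Analysts,OU=Groups,DC=example,DC=com",
              "cn=splunk users,ou=groups,dc=example,dc=com",        # AD compares case-insensitively
              "CN=Unrelated\\, Group,OU=Groups,DC=example,DC=com"],  # escaped comma inside the cn
    "bob": ["CN=Legacy Splunk,OU=Groups,DC=example,DC=com"],        # matched by full DN
    "mallory": ["CN=Domain Users,CN=Users,DC=example,DC=com"],      # no mapped group -> no roles
}

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split a DN on commas that are not escaped


def normalize(value):
    """Fold case and whitespace so 'CN=X, OU=Y' and 'cn=x,ou=y' compare equal."""
    return ",".join(p.strip() for p in _RDN_SPLIT.split(value)).lower()


def group_name(dn):
    """Return the value of the first RDN (the cn for AD groups), unescaping '\\,'."""
    first = _RDN_SPLIT.split(dn)[0]
    return first.split("=", 1)[1].replace("\\,", ",") if "=" in first else first


def load_role_map(conf_text, strategy):
    """Parse [roleMap_<strategy>] into {normalized group key: set(roles)}.

    An entry may be a bare group name or a full DN; both are normalized so
    matching in roles_for() is a plain dictionary lookup."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep role names exactly as written
    cp.read_string(conf_text)
    stanza = "roleMap_%s" % strategy
    if not cp.has_section(stanza):
        raise KeyError("authentication.conf has no [%s] stanza" % stanza)
    mapping = {}
    for role, groups in cp.items(stanza):
        for entry in groups.split(";"):
            if entry.strip():
                mapping.setdefault(normalize(entry), set()).add(role)
    return mapping


def roles_for(member_of, mapping):
    """Map a user's memberOf DNs to Splunk roles.

    Each DN is tried both as a full DN and as its cn; groups that appear in no
    roleMap entry contribute nothing, so an unmapped user gets an empty list
    rather than some default role."""
    roles = set()
    for dn in member_of:
        for key in (normalize(dn), normalize(group_name(dn))):
            roles |= mapping.get(key, set())
    return sorted(roles)


def build_lookup_csv(conf_text, strategy, users):
    """Render the lookup file the RADIUS app would read (hypothetical layout)."""
    mapping = load_role_map(conf_text, strategy)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["username", "roles"], lineterminator="\n")
    writer.writeheader()
    for username in sorted(users):
        writer.writerow({"username": username,
                         "roles": ";".join(roles_for(users[username], mapping))})
    return out.getvalue()


if __name__ == "__main__":
    print(build_lookup_csv(SAMPLE_AUTH_CONF, "corpldap", SAMPLE_USERS), end="")
```

In a real deployment `SAMPLE_USERS` would be replaced by the memberOf values returned for each account by the LDAP query, and the CSV written into the app's lookups directory. Two things to check before relying on it: the username the RADIUS server returns must match the LDAP account name exactly (case and any domain prefix), or the user will match no row and fall through to whatever the app does for unmapped users; and because the lookup is refreshed on a schedule rather than at login, a group removal in AD only takes effect at the next refresh, so the interval should be short enough for your offboarding requirements.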