Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Path Finder

Hi all,

Installed SA-ldapsearch and it works perfectly for my account. I told the users to go ahead and start using it but they are returned the following red banner message:

External search command 'ldapsearch' returned error code 1. Script output = " ERROR "HTTPError at ""/apps/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py"", line 1108 : HTTP 403 Forbidden -- In handler 'passwords': You (user=testuser) do not have permission to perform this operation (requires capability: admin_all_objects)." "

I have adjusted the app permissions to allow read and write permissions to all users. I have looked through the scripts to the best of my ability but am unable to locate the parameter that requires admin_all_objects to execute. Does anyone have an idea of where I can find the config and what I need to change it to, to allow all users to be able to execute the SA-ldapsearch commands?

Thanks in advance,
George

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Path Finder

Forgot to mention, running version 2.0.0

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

We use Splunk's storage passwords endpoint to read/write passwords. This endpoint cannot be accessed by users without admin_all_objects capability. You might wish to create a new role for this. You might, for example, create an "SA-ldapsearch user" role that inherits from user and adds the admin_all_objects capability.

The admin_all_objects capability grants users significant access rights:

  • A role with this capability has access to objects in the system (user objects, search jobs, etc.).
  • This bypasses any ACL restrictions (similar to root access in a *nix environment).
  • We check this capability when accessing manager pages and objects.

See the authorize.conf spec for additional information.

We are considering developing an alternative to the storage password endpoint for securely storing credentials in a future release of the Splunk Support Add-on for Active Directory; one that would not require admin_all_objects capability. Please stay tuned.
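Because the suggested role makes every member (and every role importing it) root-equivalent, it helps to audit who ends up holding the capability. The following is an added example, not part of the original answer or of SA-ldapsearch: it parses authorize.conf text and reports each role that effectively holds admin_all_objects and which role grants it. The sample configuration and its role names are constructed, and it assumes capabilities from imported roles are additive.

```python
import configparser

CAPABILITY = "admin_all_objects"
# Constructed sample authorize.conf; role names are hypothetical.
SAMPLE = """
[role_user]
search = enabled
[role_admin]
importRoles = user
admin_all_objects = enabled
[role_sa_ldapsearch_user]
importRoles = user
admin_all_objects = enabled
[role_helpdesk]
importRoles = sa_ldapsearch_user
[role_analyst]
importRoles = user
admin_all_objects = disabled
"""

def parse_roles(text):
    """Return {role: (grants_directly, [imported roles])} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            imports = cp.get(section, "importRoles", fallback="")
            direct = cp.get(section, CAPABILITY, fallback="").strip().lower() == "enabled"
            roles[section[5:]] = (direct, [r.strip() for r in imports.split(";") if r.strip()])
    return roles

def capability_source(roles, name, seen=frozenset()):
    """Name of the role that grants CAPABILITY to `name`, or None."""
    if name not in roles or name in seen:  # unknown role or import cycle
        return None
    direct, imports = roles[name]
    if direct:
        return name
    # Assumption: an imported role's capabilities are inherited (additive).
    hits = (capability_source(roles, p, seen | {name}) for p in imports)
    return next((s for s in hits if s), None)

def audit(text):
    """Map every role that effectively holds CAPABILITY to the role granting it."""
    roles = parse_roles(text)
    hits = {r: capability_source(roles, r) for r in roles}
    return {r: s for r, s in hits.items() if s}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Note that the hypothetical helpdesk role never names the capability itself and still receives it through importRoles, which is the case a manual review of role stanzas tends to miss.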


Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Path Finder

Thank you for the response. I understand the limitations and hope that Splunk is able to work around this. In our situation we use a read-only account to query LDAP and need a wide range of users to be able to execute these commands in Splunk - a range of users that we wouldn't want to give admin_all_objects capabilities to.

Would we be able to get someone to update the documentation and add this to the "About" section or maybe the release notes? Reading this before I tested and deployed would have saved me and others some time.

Thanks for the assistance,
George

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Motivator

Has anyone found a way around this requirement? This is a seriously bad design choice. Fix a potential security issue by allowing everyone the equivalent of root access?

Hashed local password storage for your LDAP servers was much better than having users changing/deleting whatever they like across your platform just to access a custom command 😕

We just had a user reconfigure a heap of server-level options on our clustered search heads. It was only when they said "why doesn't X work" did we find out that they'd believed they were changing options just for themselves.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Path Finder

See my response below.

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Explorer

Great app but I can't allow my users to use it... will this ever be fixed?

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Path Finder

We are considering developing an alternative to the storage password endpoint for securely storing credentials in a future release of the Splunk Support Add-on for Active Directory; one that would not require admin_all_objects capability. Please stay tuned.

Any update about fixing this?

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Contributor

We are considering developing an alternative to the storage password endpoint for securely storing credentials in a future release of the Splunk Support Add-on for Active Directory; one that would not require admin_all_objects capability. Please stay tuned.

Is this corrected?

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Path Finder

jaxjohnny2000,

It has not been. Splunk only gave it lip service but has done nothing about it in the 5 years since the problem was first brought up. In secure environments such as the ones I work in now and have worked in in the past, the "workarounds" proposed by others are not allowed. It is one reason why we have been looking to drop Splunk as our main tool on our 3 major networks.