Splunk initially connects to OpenLDAP server, but why are users unable to log in with error "Can't contact LDAP server"?

jlbark
Explorer

I have a Splunk server that is trying to authenticate users via SSL to an LDAP server. I followed this documentation pretty closely:

I set the logging level to DEBUG so I can see what is happening under the covers. It looks like Splunk is able to initially contact the LDAP server and do some user caching:

...
09-25-2015 15:18:35.576 -0400 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="blah" from strategy="myldap"
09-25-2015 15:18:35.576 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Initializing with LDAPURL="ldaps://ldap1.mydomain.org:636"
09-25-2015 15:18:35.576 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Attempting bind as DN="cn=admin,dc=mydomain,dc=org"
09-25-2015 15:18:35.593 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Bind successful

09-25-2015 15:18:35.595 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Loading entry attributes for DN="uid=blah,ou=people,dc=mydomain,dc=org"
09-25-2015 15:18:35.595 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Adding attribute="cn" with value="Blah Blahski"
09-25-2015 15:18:35.595 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Adding attribute="uid" with value="blah"
09-25-2015 15:18:35.595 -0400 DEBUG AuthenticationManagerLDAP - Attempting to get roles for user="blah" with DN="uid=blah,ou=people,dc=mydomain,dc=org" in strategy="myldap"
09-25-2015 15:18:35.595 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Attempting to search subtree at DN="ou=group,dc=mydomain,dc=org" using filter="(&(memberuid=blah)(cn=*))"
09-25-2015 15:18:35.596 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Search duration="807 microseconds"
09-25-2015 15:18:35.596 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Loading entry attributes for DN="cn=ccrlog,ou=group,dc=mydomain,dc=org"
09-25-2015 15:18:35.596 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Adding attribute="cn" with value="loggers"
09-25-2015 15:18:35.596 -0400 DEBUG AuthenticationManagerLDAP - Mapping groups for user="blah" for group DN="cn=loggers,ou=group,dc=mydomain,dc=org"
09-25-2015 15:18:35.596 -0400 DEBUG AuthenticationManagerLDAP - Found matching group="loggers" with mapped roles
09-25-2015 15:18:35.596 -0400 DEBUG AuthenticationManagerLDAP - Successfully filled info for user="blah" with realname="Blah Blahski" and email="" in strategy="myldap"    

It continues like this for some time with no errors; it maps the groups to Splunk roles perfectly. But then it tries to bind with the user's credentials:

...
09-25-2015 15:18:35.596 -0400 DEBUG AuthenticationManagerLDAP - Caching user="blah" with DN="uid=blah,ou=people,dc=mydomain,dc=org"
09-25-2015 15:18:35.596 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Initializing with LDAPURL="ldaps://ldap1.mydomain.org:636"
09-25-2015 15:18:35.596 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Attempting bind as DN="uid=blah,ou=people,dc=mydomain,dc=org"
09-25-2015 15:18:35.598 -0400 ERROR ScopedLDAPConnection - strategy="myldap" Error binding to LDAP. reason="Can't contact LDAP server"
...

I know the user's password is correct, because I can SSH to any LDAP-enabled host with that password, and it works just fine. I know Splunk is finding the user, because it is caching it:

09-25-2015 15:29:06.466 -0400 DEBUG AuthenticationManagerLDAP - Listing cached user="blah"

I can run the recommended tests, and they work just fine with the user's credentials:

ldapsearch -H ldaps://ldap1.mydomain.org:636 -b ou=group,dc=mydomain,dc=org -x -D uid=blah,ou=people,dc=mydomain,dc=org -W "groupNameAttribute"

Information:

Splunk Version: 6.2.1
Operating System: RHEL 6.6
LDAP: OpenLDAP 2.4.39

Configurations:

1. $SPLUNK/etc/openldap/ldap.conf

  TLS_CACERTDIR $SPLUNK/etc/openldap/cacerts
  SASL_NOCANON    off
  URI ldaps://ldap1.mydomain.org ldaps://ldap2.mydomain.org
  BASE dc=mydomain,dc=org

2. $SPLUNK/etc/system/local/authentication.conf

  [authentication]
  authSettings = myldap
  authType = LDAP

  [myldap]
  SSLEnabled = 1
  anonymous_referrals = 1
  bindDN = cn=admin,dc=mydomain,dc=org
  bindDNpassword = $1$RandomHash
  charset = utf8
  emailAttribute = mail
  groupBaseDN = ou=group,dc=mydomain,dc=org
  groupMappingAttribute = uid
  groupMemberAttribute = memberuid
  groupNameAttribute = cn
  host = ldap1.mydomain.org
  nestedGroups = 0
  network_timeout = 20
  port = 636
  realNameAttribute = cn
  sizelimit = 1000
  timelimit = 15
  userBaseDN = ou=people,dc=mydomain,dc=org
  userNameAttribute = uid

  [roleMap_myldap]
  user = loggers

Any help would be greatly appreciated.

0 Karma

jterry
Splunk Employee

OK, so my problem turned out to be that the OS X-bundled version of OpenLDAP was unnecessarily involving Kerberos. I ended up brew-installing a vanilla/newer version and it works fine.

My config files are below:

authentication.conf:

[test_LDAP]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = cn=Manager,dc=splunk,dc=com
bindDNpassword = secret
charset = utf8
emailAttribute = mail
groupBaseDN = ou=groups,dc=splunk,dc=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = <YOUR_IP_HERE>
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=users,dc=splunk,dc=com
userNameAttribute = cn

[authentication]
authSettings = test_LDAP
authType = LDAP

[roleMap_test_LDAP]
admin = admin
power = power
user = user

ldif:

#
# create the organization
#
dn: dc=splunk,dc=com
objectClass: dcObject
objectClass: organization
o: splunk

#
# create the group branch
#
dn: ou=groups,dc=splunk,dc=com
objectClass: organizationalunit
ou: groups
description: generic groups branch

#
# create the users branch
#
dn: ou=users,dc=splunk,dc=com
objectClass: organizationalunit
ou: users
description: generic users branch

#
# create user1
#
dn: cn=user1,ou=users,dc=splunk,dc=com
objectClass: top
objectClass: person
cn: user1
sn: user1
userPassword: {SSHA}JfbsnOFacwlwSjH2IgtGqcgGXqJUfYvR

#
# create user2
#
dn: cn=user2,ou=users,dc=splunk,dc=com
objectClass: top
objectClass: person
cn: user2
sn: user2
userPassword: {SSHA}SNkjwFLo+e4BVGTMZqx4q5cR51dIQ++b

#
# create power1
#
dn: cn=power1,ou=users,dc=splunk,dc=com
objectClass: top
objectClass: person
cn: power1
sn: power1
userPassword: {SSHA}7X2tcL+AZSG4FYhYptkfQF7QMejLSUxj

#
# create admin1
#
dn: cn=admin1,ou=users,dc=splunk,dc=com
objectClass: top
objectClass: person
cn: admin1
sn: admin1
userPassword: {SSHA}L9x9nnPYdFnbNzHr8jaBWFNIjrk3h2Cs

#
# create the regular users group
#
dn: cn=user,ou=groups,dc=splunk,dc=com
objectClass: groupofnames
cn: user
description: the regular users group
member: cn=user1,ou=users,dc=splunk,dc=com
member: cn=user2,ou=users,dc=splunk,dc=com

#
# create the power users group
#
dn: cn=power,ou=groups,dc=splunk,dc=com
objectClass: groupofnames
cn: power
description: the power users group
member: cn=power1,ou=users,dc=splunk,dc=com

#
# create the admin users group
#
dn: cn=admin,ou=groups,dc=splunk,dc=com
objectClass: groupofnames
cn: admin
description: the admin users group
member: cn=admin1,ou=users,dc=splunk,dc=com

slapd.conf:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include     /usr/local/etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile     /usr/local/var/run/slapd.pid
argsfile    /usr/local/var/run/slapd.args

# Load dynamic backend modules:
modulepath  /usr/local/Cellar/openldap/2.4.41_1/libexec/openldap
moduleload  back_bdb.la
moduleload  back_hdb.la
moduleload  back_ldap.la
moduleload  back_mdb.la

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#       Allow self write access
#       Allow authenticated users read access
#       Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

#database   bdb
database    mdb
suffix      "dc=splunk,dc=com"
rootdn      "cn=Manager,dc=splunk,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw     secret
rootpw      {SSHA}y3IN0Qc7ajG7vHo4ymMcZSG59Yivy4Jn
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /usr/local/var/openldap-data
# Indices to maintain
index   objectClass eq

good luck,
j

0 Karma
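Whether Splunk can map a user to a role depends on the directory and the strategy agreeing on how membership is expressed: in the files above, groupOfNames entries carry member values that are full user DNs and the strategy says groupMappingAttribute = dn, whereas the original question uses memberuid values with groupMappingAttribute = uid. The script below is an added example, not part of jterry's post or of Splunk itself. It embeds a constructed subset of the LDIF above and a constructed strategy in the shape of the authentication.conf above (the host ldap.example.invalid is a placeholder) and cross-checks them offline: every user under userBaseDN has the login attribute, every group member value resolves to a user the way groupMappingAttribute says it should, and every LDAP group named in the roleMap exists under groupBaseDN.

```python
"""Cross-check an LDIF export against a Splunk LDAP strategy and its roleMap (added example)."""
import configparser

# Constructed sample: a subset of the thread's LDIF, with cn as the login attribute
# and groupOfNames entries whose member values are full user DNs.
SAMPLE_LDIF = """\
dn: dc=splunk,dc=com
objectClass: dcObject
objectClass: organization
o: splunk

dn: ou=groups,dc=splunk,dc=com
objectClass: organizationalunit
ou: groups

dn: ou=users,dc=splunk,dc=com
objectClass: organizationalunit
ou: users

dn: cn=user1,ou=users,dc=splunk,dc=com
objectClass: person
cn: user1
sn: user1

dn: cn=admin1,ou=users,dc=splunk,dc=com
objectClass: person
cn: admin1
sn: admin1

dn: cn=user,ou=groups,dc=splunk,dc=com
objectClass: groupofnames
cn: user
member: cn=user1,ou=users,dc=splunk,dc=com

dn: cn=admin,ou=groups,dc=splunk,dc=com
objectClass: groupofnames
cn: admin
member: cn=admin1,ou=users,dc=splunk,dc=com
"""

# Constructed sample strategy in the same shape as the thread's authentication.conf
# (host is a placeholder; only the mapping-related keys matter for this check).
SAMPLE_AUTH_CONF = """\
[authentication]
authSettings = test_LDAP
authType = LDAP

[test_LDAP]
host = ldap.example.invalid
port = 389
userBaseDN = ou=users,dc=splunk,dc=com
userNameAttribute = cn
groupBaseDN = ou=groups,dc=splunk,dc=com
groupNameAttribute = cn
groupMemberAttribute = member
groupMappingAttribute = dn

[roleMap_test_LDAP]
admin = admin
user = user
"""


def norm_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for plain LDIF (no base64 values or folded lines)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(key, []).append(value)
    return entries


def parse_auth_conf(text):
    """Return (strategy name, strategy settings, roleMap) from authentication.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    strategy = cp["authentication"]["authSettings"]
    return strategy, dict(cp[strategy]), dict(cp["roleMap_" + strategy])


def check_mapping(ldif_text, auth_text):
    """Return a list of mismatches; an empty list means directory and strategy agree."""
    entries = parse_ldif(ldif_text)
    strategy, s, rolemap = parse_auth_conf(auth_text)
    user_base, group_base = norm_dn(s["userBaseDN"]), norm_dn(s["groupBaseDN"])
    name_attr, member_attr = s["userNameAttribute"].lower(), s["groupMemberAttribute"].lower()
    group_name_attr, mapping = s["groupNameAttribute"].lower(), s["groupMappingAttribute"].lower()
    problems = []

    users = {dn: a for dn, a in entries.items() if dn.endswith("," + user_base)}
    for dn, attrs in users.items():
        if not attrs.get(name_attr):
            problems.append(f"{dn}: no {name_attr} value, so this user cannot log in")
    # Member values are matched against user DNs (mapping = dn) or against the
    # named user attribute (e.g. mapping = uid with memberUid values).
    if mapping == "dn":
        member_keys = set(users)
    else:
        member_keys = {v.lower() for a in users.values() for v in a.get(mapping, [])}

    group_names = set()
    for dn, attrs in entries.items():
        if not dn.endswith("," + group_base):
            continue
        group_names.update(attrs.get(group_name_attr, []))
        members = attrs.get(member_attr, [])
        if not members:
            problems.append(f"{dn}: no {member_attr} values, group maps nobody")
        for m in members:
            key = norm_dn(m) if mapping == "dn" else m.lower()
            if key not in member_keys:
                problems.append(f"{dn}: {member_attr}={m} matches no user under {user_base} by {mapping}")

    # roleMap lines are <splunk role> = <ldap group>;<ldap group>
    for role, ldap_groups in rolemap.items():
        for g in (x.strip() for x in ldap_groups.split(";")):
            if g not in group_names:
                problems.append(f"roleMap_{strategy}: role {role} references unknown LDAP group {g}")
    return problems


if __name__ == "__main__":
    for p in check_mapping(SAMPLE_LDIF, SAMPLE_AUTH_CONF) or ["no mismatches found"]:
        print(p)
```

Flipping groupMappingAttribute to uid against this LDIF, whose users carry no uid attribute, makes every member value unresolvable, which is the same shape of mismatch that silently leaves a user with no roles after an otherwise successful login.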

jterry
Splunk Employee

I'm not using Kerberos either. You might try removing SSL from the equation first, to narrow the scope a bit.

0 Karma

jlbark
Explorer

Thanks for the tip... I hope this helps someone. I am not using Kerberos though.

0 Karma

jlbark
Explorer

Also I think one of the main differences is that I am using SSL.

0 Karma

jterry
Splunk Employee

I'm working on this problem as well. I'll post back if I find anything useful.

0 Karma

jlbark
Explorer

Wow... Glad I could get some help on this... LOL... I guess Splunk Answers is not very active.

0 Karma