Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
All Apps and Add-ons
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk initially connects to OpenLDAP server, but ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk initially connects to OpenLDAP server, but why are users unable to log in with error "Can't contact LDAP server"?
jlbark
Explorer
09-25-2015
12:35 PM
I have a Splunk server that is trying to authenticate users via SSL to an LDAP server. I followed this documentation pretty closely:
I set the logging level to DEBUG so I can see what is happening under the covers. It looks like SPLUNK is able to initially contact the LDAP server and do some user caching:
...
09-25-2015 15:18:35.576 -0400 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="blah" from strategy="myldap"
09-25-2015 15:18:35.576 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Initializing with LDAPURL="ldaps://ldap1.mydomain.org:636"
09-25-2015 15:18:35.576 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Attempting bind as DN="cn=admin,dc=mydomain,dc=org"
09-25-2015 15:18:35.593 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Bind successful
09-25-2015 15:18:35.595 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Loading entry attributes for DN="uid=blah,ou=people,dc=mydomain,dc=org"
09-25-2015 15:18:35.595 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Adding attribute="cn" with value="Blah Blahski"
09-25-2015 15:18:35.595 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Adding attribute="uid" with value="blah"
09-25-2015 15:18:35.595 -0400 DEBUG AuthenticationManagerLDAP - Attempting to get roles for user="blah" with DN="uid=blah,ou=people,dc=mydomain,dc=org" in strategy="myldap"
09-25-2015 15:18:35.595 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Attempting to search subtree at DN="ou=group,dc=mydomain,dc=org" using filter="(&(memberuid=blah)(cn=*))"
09-25-2015 15:18:35.596 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Search duration="807 microseconds"
09-25-2015 15:18:35.596 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Loading entry attributes for DN="cn=ccrlog,ou=group,dc=mydomain,dc=org"
09-25-2015 15:18:35.596 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Adding attribute="cn" with value="loggers"
09-25-2015 15:18:35.596 -0400 DEBUG AuthenticationManagerLDAP - Mapping groups for user="blah" for group DN="cn=loggers,ou=group,dc=mydomain,dc=org"
09-25-2015 15:18:35.596 -0400 DEBUG AuthenticationManagerLDAP - Found matching group="loggers" with mapped roles
09-25-2015 15:18:35.596 -0400 DEBUG AuthenticationManagerLDAP - Successfully filled info for user="blah" with realname="Blah Blahski" and email="" in strategy="myldap"
It continues like this for some time with no errors, it maps the groups to splunk roles perfectly. But then it tries to bind with the users credentials:
...
09-25-2015 15:18:35.596 -0400 DEBUG AuthenticationManagerLDAP - Caching user="blah" with DN="uid=blah,ou=people,dc=mydomain,dc=org"
09-25-2015 15:18:35.596 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Initializing with LDAPURL="ldaps://ldap1.mydomain.org:636"
09-25-2015 15:18:35.596 -0400 DEBUG ScopedLDAPConnection - strategy="myldap" Attempting bind as DN="uid=blah,ou=people,dc=mydomain,dc=org"
09-25-2015 15:18:35.598 -0400 ERROR ScopedLDAPConnection - strategy="myldap" Error binding to LDAP. reason="Can't contact LDAP server"
...
I know the users password is correct, because I can ssh to any LDAP enabled host with that password, and it works just fine. I know splunk is finding the user, because it is caching it:
09-25-2015 15:29:06.466 -0400 DEBUG AuthenticationManagerLDAP - Listing cached user="blah"
I can run the recomended tests, and they work just fine with the users credentials:
ldapsearch -h ldaps://ldap1.mydomain.org -p 636 -b ou=group,dc=mydomain,dc=org -x -D uid=blah,ou=people,dc=mydomain,dc=org -W "groupNameAttribute"
Information:
Splunk Version: 6.2.1
Operating System: RHEL 6.6
LDAP: OpenLDAP 2.4.39
Configurations:
1. $SPLUNK/etc/openldap/ldap.conf
TLS_CACERTDIR $SPLUNK/etc/openldap/cacerts
SASL_NOCANON off
URI ldaps://ldap1.mydomain.org ldaps://ldap2.mydomain.org
BASE dc=mydomain,dc=org
$SPLUNK/etc/system/local/authentication.conf
[authentication]
authSettings = myldap
authType = LDAP[myldap] SSLEnabled = 1 anonymous_referrals = 1 bindDN = cn=admin,dc=mydomain,dc=org bindDNpassword = $1$RandomHash charset = utf8 emailAttribute = mail groupBaseDN = ou=group,dc=mydomain,dc=org groupMappingAttribute = uid groupMemberAttribute = memberuid groupNameAttribute = cn host = ldap1.mydomain.org nestedGroups = 0 network_timeout = 20 port = 636 realNameAttribute = cn sizelimit = 1000 timelimit = 15 userBaseDN = ou=people,dc=mydomain,dc=org userNameAttribute = uid [roleMap_myldap] user = loggersAny help would be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jterry
Splunk Employee
10-06-2015
05:22 PM
ok, so my problem turned out to be that the osx-bundled version of openldap was unnecessarily involving kerberos. i ended up brew-installing a vanilla/newer version & it works fine.
my config files are below:
authentication.conf:
[test_LDAP]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = cn=Manager,dc=splunk,dc=com
bindDNpassword = secret
charset = utf8
emailAttribute = mail
groupBaseDN = ou=groups,dc=splunk,dc=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = <YOUR_IP_HERE>
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=users,dc=splunk,dc=com
userNameAttribute = cn
[authentication]
authSettings = test_LDAP
authType = LDAP
[roleMap_test_LDAP]
admin = admin
power = power
user = user
ldif:
#
# create the organization
#
dn: dc=splunk,dc=com
objectClass: dcObject
objectClass: organization
o: splunk
#
# create the group branch
#
dn: ou=groups,dc=splunk,dc=com
objectClass: organizationalunit
ou: groups
description: generic groups branch
#
# create the users branch
#
dn: ou=users,dc=splunk,dc=com
objectClass: organizationalunit
ou: users
description: generic users branch
#
# create user1
#
dn: cn=user1,ou=users,dc=splunk,dc=com
objectClass: top
objectClass: person
cn: user1
sn: user1
userPassword: {SSHA}JfbsnOFacwlwSjH2IgtGqcgGXqJUfYvR
#
# create user2
#
dn: cn=user2,ou=users,dc=splunk,dc=com
objectClass: top
objectClass: person
cn: user2
sn: user2
userPassword: {SSHA}SNkjwFLo+e4BVGTMZqx4q5cR51dIQ++b
#
# create power1
#
dn: cn=power1,ou=users,dc=splunk,dc=com
objectClass: top
objectClass: person
cn: power1
sn: power1
userPassword: {SSHA}7X2tcL+AZSG4FYhYptkfQF7QMejLSUxj
#
# create admin1
#
dn: cn=admin1,ou=users,dc=splunk,dc=com
objectClass: top
objectClass: person
cn: admin1
sn: admin1
userPassword: {SSHA}L9x9nnPYdFnbNzHr8jaBWFNIjrk3h2Cs
#
# create the regular users group
#
dn: cn=user,ou=groups,dc=splunk,dc=com
objectClass: groupofnames
cn: user
description: the regular users group
member: cn=user1,ou=users,dc=splunk,dc=com
member: cn=user2,ou=users,dc=splunk,dc=com
#
# create the power users group
#
dn: cn=power,ou=groups,dc=splunk,dc=com
objectClass: groupofnames
cn: power
description: the power users group
member: cn=power1,ou=users,dc=splunk,dc=com
#
# create the admin users group
#
dn: cn=admin,ou=groups,dc=splunk,dc=com
objectClass: groupofnames
cn: admin
description: the admin users group
member: cn=admin1,ou=users,dc=splunk,dc=com
slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
modulepath /usr/local/Cellar/openldap/2.4.41_1/libexec/openldap
moduleload back_bdb.la
moduleload back_hdb.la
moduleload back_ldap.la
moduleload back_mdb.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
#database bdb
database mdb
suffix "dc=splunk,dc=com"
rootdn "cn=Manager,dc=splunk,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw secret
rootpw {SSHA}y3IN0Qc7ajG7vHo4ymMcZSG59Yivy4Jn
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
good luck,
j
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jterry
Splunk Employee
10-07-2015
10:10 AM
i'm not using kerberos either. You might try removing SSL from the equation 1st. to narrow the scope a bit.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jlbark
Explorer
10-07-2015
06:03 AM
Thanks for the Tip... I hope this helps someone. I am not using Kerberos though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jlbark
Explorer
10-07-2015
06:16 AM
Also I think one of the main differences is that I am using SSL.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jterry
Splunk Employee
10-05-2015
02:59 PM
i'm working on this problem as well. i'll post back if i find anything useful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jlbark
Explorer
10-05-2015
02:53 PM
Wow...Glad I could get some help on this...LOL....I guess Splunk answers is not very active.
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
