Why does Splunk Support for Active Directory 2.1.2 still throw admin_all_capability permissions errors when non-admin users run searches?

lohitkidu
Path Finder

Hi All,

I have installed Splunk Support for Active Directory 2.1.2 in our search head cluster and search peers. Non-admin users are not able to search and are getting the following error:

File=configuration.py, Line=508, Storage password "SA-ldapsearch:default:" access denied: HTTP 403 Forbidden --
 In handler 'passwords': You (user=test) do not have permission to perform this operation (requires capability: admin_all_objects).

Though it is a bad practice, the password in ldap.conf is in clear text. I thought this issue would have been resolved in 2.1.2?

Any ideas?

srinathd
Contributor

Make sure that the user that you log into Splunk Enterprise as has the admin_all_objects capability. This capability must be present because the configuration page saves passwords as storage passwords, and only this capability allows users to read storage passwords.

If you cannot grant the admin_all_objects capability, as a workaround, you can use a clear-text password and obfuscate that password with base-64 encoding (password prefixed with {64} will encode). In this case, however, you cannot use the configuration page to save the password nor can you test the connection. This is because the configuration page moves any clear-text passwords to storage passwords when you save the configuration.

You must edit ldap.conf with a text editor and save the password(s) that way, and then use the ldaptestconnection command to test the configuration.

0 Karma
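
An added example, not part of the original thread and not the app's own code: a small audit that reads an ldap.conf and reports, per stanza, whether the bind password is stored as clear text, as `{64}` base-64 obfuscation, or is absent from the file. It assumes the setting is named `password`; the stanza names, servers, bind DNs and passwords in the sample are constructed.

```python
import base64
import configparser

# Constructed sample ldap.conf; all values below are made up for illustration.
SAMPLE_LDAP_CONF = """
[default]
server = dc01.example.test
binddn = CN=svc-splunk,OU=Service,DC=example,DC=test
password = {64}UzNjcjN0IQ==

[lab.example.test]
server = dc02.example.test
binddn = CN=svc-lab,DC=lab,DC=example,DC=test
password = PlainText1

[prod.example.test]
server = dc03.example.test
binddn = CN=svc-prod,DC=prod,DC=example,DC=test
"""

def audit_ldap_conf(text):
    """Return {stanza: status} describing how each bind password is stored."""
    # interpolation=None so '%' in a password is not treated as a reference.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for stanza in parser.sections():
        # Assumption: the bind password setting is named "password".
        value = parser.get(stanza, "password", fallback="").strip()
        if not value:
            # Nothing in the file: expected when storage passwords are used.
            report[stanza] = "not-in-file"
        elif value.startswith("{64}"):
            try:
                # Base-64 is an encoding, not encryption: anyone who can
                # read the file can recover the password.
                base64.b64decode(value[4:], validate=True)
                report[stanza] = "base64-obfuscated"
            except ValueError:
                report[stanza] = "malformed-base64"
        else:
            report[stanza] = "clear-text"
    return report

if __name__ == "__main__":
    for stanza, status in audit_ldap_conf(SAMPLE_LDAP_CONF).items():
        print(f"{stanza}: {status}")
```

Stanzas reported as `clear-text` or `base64-obfuscated` hold a recoverable password on disk, so the file's permissions matter as much as the choice between the two.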

lohitkidu
Path Finder

Also, I see different passwords in ldap.conf under the default stanza (which I am using) and in passwords.conf under the [credential:SA-ldapsearch:default:] stanza.

0 Karma

lohitkidu
Path Finder

Though I have used test connection via the configuration page. Would even that move my clear-text password to storage password? I can see my clear-text password in ldap.conf for now?

0 Karma

lohitkidu
Path Finder

I already have this fix from a couple of versions back. In my environment, non-admin users are getting results for the ldapsearch command with the error:
External search command 'ldapsearch' returned error code 1. Script output = " ERROR "000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1" "

While for the ldapfilter command, no results are returned.

0 Karma