We are performing a Splunk install at the moment and have configured Splunk to connect via LDAP to the local Active Directory server, which we presume is successful (nothing erroneous appears in the logs, at least).
We can see the groups to map roles, but mapping a role to a group then does not have any further effect.
For instance, on another Splunk instance connecting to another DC, mapping the roles pulls the users in the relevant groups into the Manager // Users section and they are able to log in. On the new instance nothing apart from the local Splunk admin account appears. We have restarted Splunk several times and tested with ldapsearch, and the queries are successful. Anyone have any ideas?
A good place to start would be to search for any LDAP-related messages in splunkd.log:
index=_internal source=*splunkd.log* component="AuthenticationManagerLDAP"
Also, keep in mind that empty LDAP groups will not show up in Splunk; you will need at least one object in the LDAP group.
Last but not least, I simply assume your Splunk server is able to connect to the AD (excluding any routing, network, firewall troubles).
Hope this helps...
The only things showing from the referenced search above are referring to our attempts to log in to accounts we know exist in the LDAP group we have mapped roles for.
11-07-2013 11:47:32.360 +0000 ERROR AuthenticationManagerLDAP - Could not find user="userid" with strategy="ldaphost"
As above, I've tested LDAP connectivity which works, it's just not replicating those users, of which there are 10, into Splunk from the LDAP mapping.
All seems fine in there. Surely if there was a spelling mistake in something simple there (which was created through SplunkWeb for simplicity) the LDAP Groups would not be visible for me to map from?
Is there a step after the mapping that I need to perform perhaps?
Being able to see LDAP groups does not mean you will see the user object inside the group, because for that Splunk will use the User base filter and the User name attribute, while it will use the Static group search filter and the Group name attribute for the groups.
You can verify your user filter setting by running a manual LDAP search using your configured filter.
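Added example, not part of the original thread and not Splunk's own code: a Python sketch that reads an LDAP strategy stanza from authentication.conf and builds the two separate ldapsearch checks described above (one with the group settings, one with the user settings), plus a check for group members whose DN lies outside userBaseDN. The stanza values, the ldap:// URL and the way the user base filter is combined with the user name attribute are assumptions made for illustration.

```python
import configparser
import shlex

# Constructed authentication.conf stanza: host, DNs and filters are placeholders.
SAMPLE_CONF = """
[ldaphost]
host = dc01.example.com
bindDN = CN=svc-splunk,OU=Service,DC=example,DC=com
userBaseDN = OU=Staff,DC=example,DC=com
userBaseFilter = (objectClass=user)
userNameAttribute = sAMAccountName
groupBaseDN = OU=Groups,DC=example,DC=com
groupBaseFilter = (objectClass=group)
groupNameAttribute = cn
groupMemberAttribute = member
"""

def load_strategy(text, name):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase setting names
    cp.read_string(text)
    return dict(cp[name])

def escape_value(value):
    # RFC 4515 escaping so a user name cannot alter the filter
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(s, username):
    # Assumed combination: base filter AND (name attribute = user name)
    base = s.get("userBaseFilter", "").strip()
    name = "(%s=%s)" % (s["userNameAttribute"], escape_value(username))
    return "(&%s%s)" % (base, name) if base else name

def ldapsearch(s, base_dn, ldap_filter, *attrs):
    # -x simple bind; -W prompts for the bind password instead of taking it in argv
    argv = ["ldapsearch", "-x", "-H", "ldap://%s:%s" % (s["host"], s.get("port", "389")),
            "-D", s["bindDN"], "-W", "-b", base_dn, ldap_filter, *attrs]
    return " ".join(shlex.quote(a) for a in argv)

def outside_user_base(member_dns, s):
    # Plain suffix match on the DN text (no handling of escaped commas)
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    bases = [norm(b) for b in s["userBaseDN"].split(";") if b.strip()]
    return [dn for dn in member_dns if not any(norm(dn).endswith("," + b) for b in bases)]

if __name__ == "__main__":
    s = load_strategy(SAMPLE_CONF, "ldaphost")
    print(ldapsearch(s, s["groupBaseDN"], s["groupBaseFilter"], s["groupNameAttribute"], s["groupMemberAttribute"]))
    print(ldapsearch(s, s["userBaseDN"], user_filter(s, "userid"), s["userNameAttribute"]))
```

If the first command returns the group with its members but the second returns nothing for a user who is in that group, the user settings are what needs attention; feeding the returned member DNs to `outside_user_base` shows which members fall outside the configured user base.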
I can also see the objects/members within the groups both through Splunk (while mapping the roles) and through an LDAPSearch tool. The confusing thing is this is a direct copy from another working Splunk instance (the only thing changing is pointing to a different AD server which has the same users and groups on it).
That's not an option, that server no longer exists. The configuration file points to the new AD controller, which is a direct copy of the old AD.