Archive

LDAP configuration issue

nareshinsvu
Builder

I am trying to set-up LDAP authentication. But not able to proceed with below error when adding new LDAP strategy.
Infra teams confirm on the correctness of the userBaseDN. Need help

Encountered the following error while trying to save: Could not find userBaseDN on the LDAP server: OU=Service accounts,OU=Secured Accounts,OU=Accounts,DC=NTSH,DC=LOCAL

Tags (1)
0 Karma
1 Solution

nareshinsvu
Builder

It worked only after specifying
groupBaseDN - a complete DN (including CN) of my LDAP group
userBaseDN - a complete DN (including CN) of all the users(semicolon seperated) of the group under userBaseDN

Really strange if the documentation is not user friendly OR too many config parameters to setup LDAP. Splunk should have simply asked us to provide LDAP server name and the groupBaseDN. Hope this will be done in future releases.

Thanks all for your inputs.

View solution in original post

0 Karma

nareshinsvu
Builder

It worked only after specifying
groupBaseDN - a complete DN (including CN) of my LDAP group
userBaseDN - a complete DN (including CN) of all the users(semicolon seperated) of the group under userBaseDN

Really strange if the documentation is not user friendly OR too many config parameters to setup LDAP. Splunk should have simply asked us to provide LDAP server name and the groupBaseDN. Hope this will be done in future releases.

Thanks all for your inputs.

View solution in original post

0 Karma

Jarohnimo
Builder

When you're adding your user base and group base DNs are you copying them directly from ADSI edit to ensure you have the full string? The smallest mistake in the DN would cause this error. Verify the DN is correct also that the account your running the LDAP strategy with has Rights to view that AD object. Generally all your AD objects are read only and available.

LDAP strategy can be a pain but understanding that both the users security group and User location can and should be specified when setting things up. I have a feeling splunk isn't lying here..

0 Karma

nareshinsvu
Builder

Yes, I am copying directly from the AD ldap tool - "Right click"-> "Copy DN". But no luck

Do you have working conf file for ldap settings? Maybe I will try to co-relate and see what mistakes I am doing?

0 Karma

Jarohnimo
Builder

Unfortunately mines isn't on a public subnet.

Are you using your domain name as the ldap server name?

Some people put their local domain controller host name or IP. I use the domain name root that way if they change out a domain controller or switch the IP I'm always good. For example: Mydomain.com (whatever your company's logical domain name is) vs servername.

You can test your ldap strategy accounts rights by going to start...run... Type in dsa.msc and run as the ldap strategy binding name. If that account can't view AD objects them that could be your problem. You could try with your own personal admin account (not recommend in the long) but good way to rule out it being the account

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

User which you are using to authentication with LDAP has access to OU=Service accounts,OU=Secured Accounts,OU=Accounts,DC=NTSH,DC=LOCAL ?

0 Karma

nareshinsvu
Builder

Yes, Able to veiw the ldap configurations - Read access.

Do you have working conf file for ldap settings? Maybe I will try to co-relate and see what mistakes I am doing?

0 Karma

nareshinsvu
Builder

Hello Champions - Anyone faced and resolved this issue?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi nareshinsvu,
which Splunk and TA version are you using? two years ago there was a bug on LDAP TA.
Bye.
Giuseppe

0 Karma

nareshinsvu
Builder

I am on almost latest version - 7.2.5

0 Karma