Archive
Highlighted

LDAP configuration issue

Builder

I am trying to set-up LDAP authentication. But not able to proceed with below error when adding new LDAP strategy.
Infra teams confirm on the correctness of the userBaseDN. Need help

Encountered the following error while trying to save: Could not find userBaseDN on the LDAP server: OU=Service accounts,OU=Secured Accounts,OU=Accounts,DC=NTSH,DC=LOCAL

Tags (1)
0 Karma
Highlighted

Re: LDAP configuration issue

Builder

Hello Champions - Anyone faced and resolved this issue?

0 Karma
Highlighted

Re: LDAP configuration issue

Legend

Hi nareshinsvu,
which Splunk and TA version are you using? two years ago there was a bug on LDAP TA.
Bye.
Giuseppe

0 Karma
Highlighted

Re: LDAP configuration issue

Builder

I am on almost latest version - 7.2.5

0 Karma
Highlighted

Re: LDAP configuration issue

SplunkTrust
SplunkTrust

Hi,

User which you are using to authentication with LDAP has access to OU=Service accounts,OU=Secured Accounts,OU=Accounts,DC=NTSH,DC=LOCAL ?

0 Karma
Highlighted

Re: LDAP configuration issue

Builder

Yes, Able to veiw the ldap configurations - Read access.

Do you have working conf file for ldap settings? Maybe I will try to co-relate and see what mistakes I am doing?

0 Karma
Highlighted

Re: LDAP configuration issue

Builder

When you're adding your user base and group base DNs are you copying them directly from ADSI edit to ensure you have the full string? The smallest mistake in the DN would cause this error. Verify the DN is correct also that the account your running the LDAP strategy with has Rights to view that AD object. Generally all your AD objects are read only and available.

LDAP strategy can be a pain but understanding that both the users security group and User location can and should be specified when setting things up. I have a feeling splunk isn't lying here..

0 Karma
Highlighted

Re: LDAP configuration issue

Builder

Yes, I am copying directly from the AD ldap tool - "Right click"-> "Copy DN". But no luck

Do you have working conf file for ldap settings? Maybe I will try to co-relate and see what mistakes I am doing?

0 Karma
Highlighted

Re: LDAP configuration issue

Builder

Unfortunately mines isn't on a public subnet.

Are you using your domain name as the ldap server name?

Some people put their local domain controller host name or IP. I use the domain name root that way if they change out a domain controller or switch the IP I'm always good. For example: Mydomain.com (whatever your company's logical domain name is) vs servername.

You can test your ldap strategy accounts rights by going to start...run... Type in dsa.msc and run as the ldap strategy binding name. If that account can't view AD objects them that could be your problem. You could try with your own personal admin account (not recommend in the long) but good way to rule out it being the account

0 Karma
Highlighted

Re: LDAP configuration issue

Builder

It worked only after specifying
groupBaseDN - a complete DN (including CN) of my LDAP group
userBaseDN - a complete DN (including CN) of all the users(semicolon seperated) of the group under userBaseDN

Really strange if the documentation is not user friendly OR too many config parameters to setup LDAP. Splunk should have simply asked us to provide LDAP server name and the groupBaseDN. Hope this will be done in future releases.

Thanks all for your inputs.

View solution in original post

0 Karma