Archive

User has matching LDAP groups, but none are mapped to Splunk roles

Explorer

I am in the process of deploying Splunk 6.2.3, and am attempting to create LDAP integration and role mapping remotely - on the deployment server.

If I look at "Access controls/users" from within the GUI on the Search Head, I see the LDAP users and their assigned roles. I attempted to authenticate, and the error "user="username" has matching LDAP groups with strategy="DSAuth", but none are mapped to Splunk roles." Subsequent to this, if I return to "Access controls/users", my user-id is no longer listed.

If I go to "Access controls/Authentication method/LDAP strategies/LDAP Groups", and browse for the LDAP Group Names which contain Splunk users, the "Roles" column is blank. If I manually map the LDAP Group Name to the desired Role, I am then able to authenticate without issue.

Any assistance with diagnosing this Role mapping issue would be greatly appreciated.

Thank you.

0 Karma

Explorer

From another post - made it blank and it worked!

The Group Mapping attribute in AD should be left blank, or set to "distinguishedName" or "dn". This attribute specifies what field within the user record maps to the Group Member Attribute within the group. In AD (and LDAP in general) groups are not stored on the user object, but on the group object. The AD users memberof attribute is a synthetic attribute based on the group member attribute

0 Karma

Communicator

For each strategy you have defined you must click map groups and assign the role to the group.

If you have 10 strats and a a group called Splunk-admins. That will be 10 group mappings you must perform for splunk-admins.

0 Karma

Explorer

I have these manually mapped in a "local/authentication.conf" file which resides on the deployment server. Will this not map the groups/roles properly?

0 Karma

Explorer

The following is a quote from the documentation (http://docs.splunk.com/Documentation/Splunk/6.2.3/Security/ConfigureLDAPwithconfigurationfiles#Map_g...

Map groups to roles

To map Splunk roles to a strategy's LDAP groups, you need to set up a roleMap stanza for that strategy. Each strategy requires its own roleMap stanza. This example maps roles for groups in the "ldaphost1" strategy:

[roleMap_ldaphost1]
admin = SplunkAdmins
itusers = ITAdmins

0 Karma