Why can't I delete my LDAP strategy?

vanderaj2
Path Finder

Just wanted to run this one by the Splunk community to see if anyone else has experienced this before:

-Earlier this week, I attempted to delete my LDAP strategy on one of my Search Heads

-When I clicked delete, I got an error message. Something like "Error occurred attempting to remove BDC_AD: In handler 'LDAP-auth': Does not exist: /nobody/system/authentication/BDC_AD"

-When I check /opt/splunk/etc/system/local/authentication.conf - I don't see my strategy that I tried to delete showing up. However, that strategy still appears in the Splunk Web UI.

-Furthermore, now the service account I use to connect to LDAP keeps locking out, due to invalid credentials.

What could be causing this LDAP strategy to persist and lock out my service account??

Thanks!

1 Solution

vanderaj2
Path Finder

I think this problem is solved. The LDAP strategies kept showing up in the Web UI because they were being pushed via a deployment app.

The credential lockout issue had to do with me removing the bindDNpassword value from /opt/splunk/etc/system/local/authentication.conf in my attempts to get the LDAP strategies to disappear from the Web UI (not realizing that they were showing up as a result of an authentication.conf from a deployment app).

woodcock
Esteemed Legend

That's funny!

vanderaj2
Path Finder

Update - I decided to run btool to figure out where authentication.conf settings were specified. Looks like someone had set up a deployment app for authentication.conf that gets pushed to all the search heads.

So things like passwords and mappings appear to be set in /opt/splunk/etc/system/local/authentication.conf, but other settings are specified in the authentication.conf that comes from the deployment app.

....more to come

jkat54
SplunkTrust

Did you restart Splunk yet? If not, it's possible someone manually removed the config from authentication.conf, but didn't restart, and so the configuration is persisting in memory.

Also see what this gives you:

./splunk btool authentication list --debug

You may find you have the LDAP strategy configured in a different authentication.conf.

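An added example, not part of the original thread or of Splunk's own tooling: a shell helper that reads `btool authentication list --debug` output and reports which file supplies each setting of a strategy such as BDC_AD, which is how the split between system/local and a deployment app described in this thread shows up. The sample output is constructed, and the app name `example_auth_app`, the sample values and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes input in the `splunk btool authentication list --debug`
# layout: "<source file> <[stanza] or key = value>" on every line, no spaces in paths.

# Emit "stanza<TAB>key<TAB>file" for each setting read from stdin.
attribute_settings() {
    awk '
        {
            file = $1
            rest = $0
            sub(/^[^ \t]+[ \t]+/, "", rest)   # drop the source-file column
            sub(/[ \t]+$/, "", rest)          # drop trailing whitespace
        }
        rest ~ /^\[.*\]$/ { stanza = substr(rest, 2, length(rest) - 2); next }
        rest ~ /=/ {
            key = rest
            sub(/[ \t]*=.*/, "", key)         # keep only the setting name
            print stanza "\t" key "\t" file
        }
    '
}

# List the distinct files that contribute settings to stanza $1.
files_for_stanza() {
    attribute_settings | awk -F '\t' -v s="$1" '$1 == s { print $3 }' | sort -u
}

# Constructed sample; "example_auth_app" and all values are hypothetical.
sample_btool_output() {
    cat <<'EOF'
/opt/splunk/etc/apps/example_auth_app/local/authentication.conf [BDC_AD]
/opt/splunk/etc/apps/example_auth_app/local/authentication.conf SSLEnabled = 1
/opt/splunk/etc/apps/example_auth_app/local/authentication.conf bindDN = CN=svc_splunk,DC=example,DC=com
/opt/splunk/etc/system/local/authentication.conf                bindDNpassword = REDACTED
/opt/splunk/etc/apps/example_auth_app/local/authentication.conf host = ldap.example.com
/opt/splunk/etc/apps/example_auth_app/local/authentication.conf [authentication]
/opt/splunk/etc/apps/example_auth_app/local/authentication.conf authSettings = BDC_AD
/opt/splunk/etc/apps/example_auth_app/local/authentication.conf authType = LDAP
EOF
}

# A strategy fed by more than one file is only partly removed by editing one of them.
sample_btool_output | files_for_stanza BDC_AD
```

On a search head, source the functions and pipe the command from the thread into them: `./splunk btool authentication list --debug | files_for_stanza BDC_AD`.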

vanderaj2
Path Finder

Good call on the btool suggestion!
