Hi,
We are getting flooded with error messages from a non-existant LDAP account in our splunkd, and complaints from the siteminder support folks that we are hammering their server. The account does not exist on either search head, and i can't find any searches that are enabled with that user id. Any suggestions on where to look?
11-08-2016 09:49:41.564 -0500 ERROR AuthenticationManagerLDAP - Could not find user="a555740" with strategy="Offshore Power"
11-08-2016 09:49:41.627 -0500 ERROR AuthenticationManagerLDAP - Could not find user="a555740" with strategy="Offshore users"
11-08-2016 09:49:41.642 -0500 ERROR AuthenticationManagerLDAP - Could not find user="a555740" with strategy="azg_EZP-STS-MTS-USER"
11-08-2016 09:49:41.710 -0500 ERROR AuthenticationManagerLDAP - Could not find user="a555740" with strategy="azgEI_SCCM_Splunk_Users"
11-08-2016 09:49:41.713 -0500 ERROR AuthenticationManagerLDAP - Could not find user="a555740" with strategy="azg_EZP-DMT-USER"
11-08-2016 09:49:41.774 -0500 ERROR AuthenticationManagerLDAP - Could not find user="a555740" with strategy="azg_EZP-STS-MTS-USER"
here is some documentation for removing users
http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/BestpracticeforremovinganLDAPuser
Yea, you'll need to check for ANY knowledge objects owned by this user. Remember that they might have some stuff stashed as private that could be getting missed in your searching.