Deployment Architecture

How to use my LDAP strategy to add all users in a domain to Splunk?

Jarohnimo
Builder

We have a domain of about 40K users, and we would like to open Splunk (the Search Head Cluster) up to all users within the domain.

What I've done so far is add each OU where users reside: MyDomain>EastCoast>HQ>EndUsers

There are tons of OUs with other users in different places, for example MyDomain>WestCoast>LA>EndUsers

Instead of adding thousands of EndUsers' distinguished names, is there a way I can just grab all users within the domain? This will save me lots of time!!!


jkat54
SplunkTrust

You would have to put all users in one group and then map that group to the role. You don't have to provide every DN for every user. Let's assume you only have 10 groups; you could map them all to the same role.

Setting up the LDAP strategy would be like any other generic LDAP strategy, but your role map would look something like this (stanza name is roleMap_<authSettings-key>, groups separated by semicolons):

    [roleMap_LDAPSTRATEGYNAME]
    user = aLDAPgroupName;bLDAPgroupname;securityTeamGroupName


aaraneta_splunk
Splunk Employee

@Jarohnimo - Looks like you have a couple of good suggestions/solutions to your question. If one of them provided a solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!


lycollicott
Motivator

This is a very bad idea my friend. @DalJeanis speaks the truth.

jkat54
SplunkTrust

And I second what DalJeanis said... You probably do not want 40k users having access to your Splunk. Architecturally speaking, you'd need a huge SHC to support that many users even if only 10% of them were concurrent users.

DalJeanis
SplunkTrust

Two caveats and a wild guess first:

CAVEAT ONE: There is a precept in data governance and data security that users should only have access to the data required to do their jobs, and no more. This isn't just a philosophy for bean counters and anal retentives. There are US federal laws and extra-national laws and various potential penalties involved.

So, presumably the Splunk search head and indexes that you are opening up are relevant to every employee in that domain; otherwise, any large company would have a data security policy that would strictly prohibit doing what you are asking.

CAVEAT TWO: Predicting usage of a tool like Splunk is an art and a craft. Letting 40K untrained new users suddenly access your search head is a bit like playing golf in the middle of the Indy 500.

WILD GUESS: I suspect that the idea of adding all 40K domain employees onto Splunk may have been an organizational reaction to the annoying work of having to grant access one at a time to individuals. Creative programmers often hate admin-type work, so why not add EVERYBODY ALL AT ONCE and never have to do any admin ever again? Am I close here?

NOW THE ANSWER:

That all being said, if you have 40K employees in that domain, your team should interface with the data security team that owns the LDAP and arrange for a periodic extract of the data. That conversation (and the CYA documents you walk out of it with) may in fact keep you employed the next time a security audit comes round.

Jarohnimo
Builder

Thank you for your insight, but perhaps a compromise can be made. It appears that you and I may work in similar fields (not saying any more); however, this isn't a negotiable task. Many of the points you've made I've made, and the direction is sally forth...

Dealing with SharePoint people, they import all 40k users no problem, so why can't Splunk do it?... So here I am.

The question I have is: just because all users and groups are imported doesn't mean all users have access, right? It's still controlled through mapping each group to a role in Splunk, and we'd like to do that based on request. Mapping each LDAP isn't practical for the org I work for.

But you've made some great points. I will regurgitate them in a meeting today.


Jarohnimo
Builder

Import and access are two very different things in SharePoint. I think you're confused about what I'm talking about.

User profile sync can import all the profiles but doesn't automatically give access to any site in SharePoint.

Thank you


DalJeanis
SplunkTrust

Heh. I can tell you that at US financial organizations, SharePoint is very restricted. The idea that all users might have access to everything on SharePoint is just wrong. Ditto Splunk.

The 40K users need to be in AD groups, and the AD groups need to be given appropriate roles in Splunk. The individual user IDs shouldn't be involved.

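As an added example (not code from the thread or from Splunk), here is a small audit script that puts both answers above into practice: it loads a constructed authentication.conf in which the LDAP strategy's userBaseDN is the domain root (so no per-OU DN list is needed, as the original question asks) and the roleMap_<strategy> stanza grants Splunk roles to AD groups rather than to individual users. It then inverts the map to show which group grants which role, and flags any role handed to a whole-domain group, which is the "imported is not the same as has access" distinction the later posts make. Hostnames, DNs and group names are invented; the stanza and key names follow Splunk's authentication.conf, and the check for a comma separator reflects Splunk's use of `;` between groups.

```python
"""Audit the group-to-role mapping of a Splunk LDAP authentication.conf.

Added example, not part of the thread. Every hostname, DN and group
name below is constructed for illustration.
"""
import configparser

# Constructed sample config: one LDAP strategy ("corpAD") rooted at the
# domain, plus a roleMap that grants Splunk roles to AD groups only.
SAMPLE_AUTH_CONF = """
[authentication]
authType = LDAP
authSettings = corpAD

[corpAD]
host = ldap.example.internal
port = 636
SSLEnabled = 1
bindDN = CN=splunk-svc,OU=ServiceAccounts,DC=example,DC=internal
bindDNpassword = <stored-in-secrets-manager>
userBaseDN = DC=example,DC=internal
userBaseFilter = (objectclass=user)
userNameAttribute = sAMAccountName
realNameAttribute = displayName
groupBaseDN = OU=Groups,DC=example,DC=internal
groupBaseFilter = (objectclass=group)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn

[roleMap_corpAD]
admin = splunk-admins
power = splunk-power-eastcoast;splunk-power-westcoast
user = splunk-users-hq;splunk-users-la;Domain Users
"""

# Groups that, if mapped to any role, give every account in the domain
# that role. The list is an assumption; extend it for your own directory.
BROAD_GROUPS = {"domain users", "authenticated users", "everyone"}


def load_conf(text):
    """Parse Splunk's ini-style conf text, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk role names are case-sensitive
    cp.read_string(text)
    return cp


def role_map(conf, strategy):
    """Return {role: [group, ...]} from the roleMap_<strategy> stanza.

    Splunk separates groups with ';'. A ',' in the value is almost always
    a typo that silently produces one wrong group name, so reject it.
    """
    stanza = f"roleMap_{strategy}"
    result = {}
    for role, groups in conf[stanza].items():
        if "," in groups:
            raise ValueError(f"{stanza}/{role}: separate groups with ';', not ','")
        result[role] = [g.strip() for g in groups.split(";") if g.strip()]
    return result


def groups_to_roles(rmap):
    """Invert to {group: sorted roles}, the view an access review asks for."""
    inv = {}
    for role, groups in rmap.items():
        for g in groups:
            inv.setdefault(g, []).append(role)
    return {g: sorted(r) for g, r in inv.items()}


def broad_grants(rmap):
    """Roles that are mapped to a domain-wide group (sorted)."""
    return sorted(role for role, groups in rmap.items()
                  if any(g.lower() in BROAD_GROUPS for g in groups))


def main():
    conf = load_conf(SAMPLE_AUTH_CONF)
    strategy = conf["authentication"]["authSettings"]
    rmap = role_map(conf, strategy)
    for group, roles in sorted(groups_to_roles(rmap).items()):
        print(f"{group:28} -> {', '.join(roles)}")
    for role in broad_grants(rmap):
        print(f"WARNING: role '{role}' is granted to a whole-domain group")


if __name__ == "__main__":
    main()
```

Run against the sample, the script prints one line per AD group with the roles it confers and a warning that the `user` role is granted to `Domain Users`; removing that group from the roleMap leaves all 40K accounts importable via userBaseDN while only members of the named groups can actually log in.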