Deployment Architecture

User has matching LDAP groups, but none are mapped to Splunk roles

adamblock1
Explorer

I am in the process of deploying Splunk 6.2.3, and am attempting to create LDAP integration and role mapping remotely - on the deployment server.

If I look at "Access controls/users" from within the GUI on the Search Head, I see the LDAP users and their assigned roles. I attempted to authenticate, and received the error "user="username" has matching LDAP groups with strategy="DSAuth", but none are mapped to Splunk roles." Subsequent to this, if I return to "Access controls/users", my user-id is no longer listed.

If I go to "Access controls/Authentication method/LDAP strategies/LDAP Groups", and browse for the LDAP Group Names which contain Splunk users, the "Roles" column is blank. If I manually map the LDAP Group Name to the desired Role, I am then able to authenticate without issue.

Any assistance with diagnosing this Role mapping issue would be greatly appreciated.

Thank you.

0 Karma

crash1011
Explorer

From another post - made it blank and it worked!

The Group Mapping attribute in AD should be left blank, or set to "distinguishedName" or "dn". This attribute specifies what field within the user record maps to the Group Member Attribute within the group. In AD (and LDAP in general) groups are not stored on the user object, but on the group object. The AD user's memberof attribute is a synthetic attribute based on the group member attribute.

0 Karma

MartinMcNutt
Communicator

For each strategy you have defined you must click map groups and assign the role to the group.

If you have 10 strats and a group called Splunk-admins, that will be 10 group mappings you must perform for splunk-admins.

0 Karma

adamblock1
Explorer

I have these manually mapped in a "local/authentication.conf" file which resides on the deployment server. Will this not map the groups/roles properly?

0 Karma

adamblock1
Explorer

The following is a quote from the documentation (http://docs.splunk.com/Documentation/Splunk/6.2.3/Security/ConfigureLDAPwithconfigurationfiles#Map_g...

Map groups to roles

To map Splunk roles to a strategy's LDAP groups, you need to set up a roleMap stanza for that strategy. Each strategy requires its own roleMap stanza. This example maps roles for groups in the "ldaphost1" strategy:

[roleMap_ldaphost1]
admin = SplunkAdmins
itusers = ITAdmins

0 Karma
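
The per-strategy roleMap requirement discussed in this thread can be checked offline against a copy of authentication.conf. The following is an added example, not code from the posters or from Splunk; the sample file is constructed (strategy name "DSAuth" from the error message, role map from the quoted documentation, placeholder hosts), and the helper names and case-insensitive group comparison are assumptions.

```python
import configparser

# Constructed sample: "DSAuth" has a strategy stanza but no roleMap_DSAuth
# stanza; "ldaphost1" carries the role map quoted from the documentation.
SAMPLE_CONF = """
[authentication]
authType = LDAP
authSettings = DSAuth,ldaphost1

[DSAuth]
host = ldap.example.invalid

[ldaphost1]
host = ldap1.example.invalid

[roleMap_ldaphost1]
admin = SplunkAdmins
itusers = ITAdmins
"""

def load(text):
    # Splunk .conf files use "key = value"; keep key case, no interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def strategies(cp):
    # authSettings lists the active LDAP strategies, comma-separated.
    raw = cp.get("authentication", "authSettings", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]

def role_map(cp, strategy):
    # {role: [groups]} from [roleMap_<strategy>]; {} when the stanza is absent.
    section = "roleMap_" + strategy
    if not cp.has_section(section):
        return {}
    return {role: [g.strip() for g in groups.split(";") if g.strip()]
            for role, groups in cp.items(section)}

def unmapped_strategies(cp):
    # Strategies whose users would match groups but resolve to no role.
    return [s for s in strategies(cp) if not any(role_map(cp, s).values())]

def roles_for(cp, strategy, user_groups):
    # Assumption: group names are compared case-insensitively.
    have = {g.lower() for g in user_groups}
    return sorted(r for r, gs in role_map(cp, strategy).items()
                  if have & {g.lower() for g in gs})
```

An empty result from roles_for for a strategy the user authenticates through corresponds to the "none are mapped to Splunk roles" condition in the original question.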