Deployment Architecture

Why am I unable to see all LDAP users under Access Controls?

pkeller
Contributor

Running Splunk 6.4.3 in a Search Head Cluster using AD/Ldap authentication.

A user contacted me about adding some capabilities. When I looked under: Access Controls -> Users, I could not find that the person's ID was visible. However when I search audit.log I see that he has logged in.

Additionally when I search: | rest /services/admin/users | search roles=his_role | stats values(realname) I see a list of about 365 names, (alphabetical by first name), which scrolls to the letter R or sometimes S, but seems to leave off the names towards the end of the alphabet.

So, I'm wondering if there's some sort of limit to the number of names that the rest call or the UI Access Controls module. As I mentioned at the top: The person, who's firstname starts with "V" can login, he's just not referenceable, so I can't look at his inherited roles and/or capabilities.

Thank you.

0 Karma
1 Solution

gjanders
SplunkTrust
SplunkTrust

As per sk314's comment, the user information is only visible for recently logged in users, and the information is stored per search head if your looking in the GUI, you will need to try each search head in your cluster if you are running a search head cluster.

The LDAP group to role mapping is normally quite straightforward so you can work it out without seeing it in the GUI.

Another trick I do is to create a local user and assign my local user the same roles as the LDAP user, therefore I can simulate any access issues they may have.

View solution in original post

gjanders
SplunkTrust
SplunkTrust

As per sk314's comment, the user information is only visible for recently logged in users, and the information is stored per search head if your looking in the GUI, you will need to try each search head in your cluster if you are running a search head cluster.

The LDAP group to role mapping is normally quite straightforward so you can work it out without seeing it in the GUI.

Another trick I do is to create a local user and assign my local user the same roles as the LDAP user, therefore I can simulate any access issues they may have.

sk314
Builder

Did you check this(Access Controls -> Users) on each member of your SH cluster? AFAIK - only the one that he connected to will have those details.

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...