
Why am I unable to see all LDAP users under Access Controls?

pkeller
Contributor

Running Splunk 6.4.3 in a Search Head Cluster using AD/LDAP authentication.

A user contacted me about adding some capabilities. When I looked under Access Controls -> Users, I could not find that the person's ID was visible. However, when I search audit.log I see that he has logged in.

Additionally, when I search: | rest /services/admin/users | search roles=his_role | stats values(realname) I see a list of about 365 names (alphabetical by first name), which scrolls to the letter R or sometimes S, but seems to leave off the names towards the end of the alphabet.

So, I'm wondering if there's some sort of limit to the number of names that the rest call or the UI Access Controls module. As I mentioned at the top: the person, whose first name starts with "V", can log in; he's just not referenceable, so I can't look at his inherited roles and/or capabilities.

Thank you.

1 Solution

gjanders
SplunkTrust

As per sk314's comment, the user information is only visible for recently logged in users, and the information is stored per search head. If you're looking in the GUI, you will need to try each search head in your cluster if you are running a search head cluster.

The LDAP group to role mapping is normally quite straightforward so you can work it out without seeing it in the GUI.

Another trick I do is to create a local user and assign my local user the same roles as the LDAP user; therefore I can simulate any access issues they may have.

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
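
Added example, not part of the original answer: one way to work out an LDAP user's roles and inherited capabilities from configuration alone, without the user appearing in the GUI. It assumes the standard `[roleMap_<strategy>]` stanza of authentication.conf and the `importRoles` setting of authorize.conf; the strategy name, group names and sample configs are constructed, and case-insensitive group matching is an assumption.

```python
import configparser

# Constructed sample configs; strategy, group and role mappings are hypothetical.
AUTHENTICATION_CONF = """
[roleMap_corp_ldap]
admin = Splunk-Admins
power = Splunk-Power;SecOps
user = Splunk-Users
"""
AUTHORIZE_CONF = """
[role_user]
search = enabled
[role_power]
importRoles = user
schedule_search = enabled
[role_admin]
importRoles = power;user
edit_user = enabled
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (importRoles) as written
    cp.read_string(text)
    return cp

def mapped_roles(auth, strategy, groups):
    """Roles whose roleMap entry lists at least one of the user's LDAP groups."""
    have = {g.lower() for g in groups}  # assumption: case-insensitive group match
    return {role for role, val in auth["roleMap_" + strategy].items()
            if have & {g.strip().lower() for g in val.split(";")}}

def effective(authz, roles):
    """Expand importRoles transitively; return (all roles, enabled capabilities)."""
    seen, todo, caps = set(), list(roles), set()
    while todo:
        role = todo.pop()
        if role in seen:
            continue
        seen.add(role)
        if not authz.has_section("role_" + role):
            continue  # role defined elsewhere, e.g. in another app's authorize.conf
        for key, val in authz["role_" + role].items():
            if key == "importRoles":
                todo += [r.strip() for r in val.split(";") if r.strip()]
            elif val.strip() == "enabled":
                caps.add(key)
    return seen, caps
```

On a real search head, feed it the merged output of `splunk btool authentication list` and `splunk btool authorize list` instead of the sample strings, and take the user's group memberships from AD.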


sk314
Builder

Did you check this (Access Controls -> Users) on each member of your SH cluster? AFAIK, only the one that he connected to will have those details.
