Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to see all LDAP users under Access Controls?

pkeller
Contributor
‎11-10-2016 03:29 PM

Running Splunk 6.4.3 in a Search Head Cluster using AD/Ldap authentication.

A user contacted me about adding some capabilities. When I looked under: Access Controls -> Users, I could not find that the person's ID was visible. However when I search audit.log I see that he has logged in.

Additionally when I search: | rest /services/admin/users | search roles=his_role | stats values(realname) I see a list of about 365 names, (alphabetical by first name), which scrolls to the letter R or sometimes S, but seems to leave off the names towards the end of the alphabet.

So, I'm wondering if there's some sort of limit to the number of names that the rest call or the UI Access Controls module. As I mentioned at the top: The person, who's firstname starts with "V" can login, he's just not referenceable, so I can't look at his inherited roles and/or capabilities.

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎11-10-2016 07:27 PM

As per sk314's comment, the user information is only visible for recently logged in users, and the information is stored per search head if your looking in the GUI, you will need to try each search head in your cluster if you are running a search head cluster.

The LDAP group to role mapping is normally quite straightforward so you can work it out without seeing it in the GUI.

Another trick I do is to create a local user and assign my local user the same roles as the LDAP user, therefore I can simulate any access issues they may have.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎11-10-2016 07:27 PM

As per sk314's comment, the user information is only visible for recently logged in users, and the information is stored per search head if your looking in the GUI, you will need to try each search head in your cluster if you are running a search head cluster.

The LDAP group to role mapping is normally quite straightforward so you can work it out without seeing it in the GUI.

Another trick I do is to create a local user and assign my local user the same roles as the LDAP user, therefore I can simulate any access issues they may have.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

sk314
Builder
‎11-10-2016 04:23 PM

Did you check this(Access Controls -> Users) on each member of your SH cluster? AFAIK - only the one that he connected to will have those details.

Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...