LDAP configuration showing users, but not allowing login

andrewdotnich
Explorer

I've configured my Splunk setup to use LDAP, and it shows the few users I've configured to meet my criteria in the list (see http://imgur.com/l5iTu)

If, however, I try to log on using the correct LDAP credentials, I receive an "Invalid username and password" error. If after that I log in as admin again, the user I attempted to log in as has disappeared from the list (see http://imgur.com/tUIDz)

EDIT: Resynching the user list via the manager causes the username to reappear (curiouser and curiouser)

I'm running on an Enterprise License (albeit a trial one) -- there aren't any policy reasons why this behaviour would occur, are there?

EDIT #2: Here's my authentication.conf:

[authentication]
authSettings = mycompany LDAP
authType = LDAP

[mycompany LDAP]
SSLEnabled = 0
bindDNpassword = $1$sQ==
charset = utf8
groupBaseDN = ou=Group,dc=mycompany,dc=com
groupBaseFilter = (cn=splunk*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.int.mycompany.com
port = 389
realNameAttribute = displayname
userBaseDN = dc=mycompany,dc=com
userBaseFilter = (ou=People)
userNameAttribute = uid

[roleMap]
admin = splunk-admin
splunk-admin = splunk-admin
splunk-dev-viewers = splunk-dev-viewers
splunk-ops-viewers = splunk-ops-viewers
splunk-report-builders = splunk-report-builders
splunk_qa_viewers = splunk-qa-viewers
user = People;splunk-admin;splunk-dev-viewers;splunk-ops-viewers;splunk-qa-viewers;splunk-report-builders

And here's my LDAP entry as an example:

# andrewn, People, mycompany.com
dn: cn=andrewn,ou=People,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: andrewn
uid: andrewn
givenName: Andrew
sn: Nicholson
homeDirectory: /home/andrewn
gecos: Andrew Nicholson
l: Melbourne
st: Victoria
uidNumber: xxxx
displayName: Andrew Nicholson
mail: andrew.nicholson@mycompany.com
employeeType: Employee
gidNumber: xxxxx
loginShell: /bin/bash
shadowLastChange: xxxxx

And one of our LDAP groups:

# splunk-admin, Group, mycompany.com
dn: cn=splunk-admin,ou=Group,dc=mycompany,dc=com
cn: splunk-admin
objectClass: groupOfNames
objectClass: top
description: Splunk Administrators
member: cn=xxxxxxx,ou=People,dc=mycompany,dc=com
member: cn=andrewn,ou=People,dc=mycompany,dc=com
member: cn=xxxxxxxx,ou=People,dc=mycompany,dc=com
0 Karma

jbsplunk
Splunk Employee

It could be that groupBaseDN is properly configured, but the userBaseDN is not. Support has seen issues with users disappearing in the manner you describe in the past.

Take a look at the following url:

http://www.splunk.com/base/Documentation/4.1.4/Admin/SetupuserauthenticationwithLDAP#Configure_LDAP

Review the 'Test your LDAP configuration' section. This should be helpful in pointing out whatever variance may exist between groupBaseCN and userBaseDN.

Based on what I see in your configuration, I would suggest a couple of changes to authentication.conf:

  1. Edit your userBaseDN to look like this:

    userBaseDN = ou=People,dc=mycompany,dc=com

  2. Remove this line:

    userBaseFilter = (ou=People)
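
Why the two changes above matter, as an added example that is not part of the original post or Splunk's own code: an LDAP filter such as (ou=People) is evaluated against an entry's own attributes, not against the components of its DN, so it selects the ou=People container rather than the users beneath it. The directory is constructed from the entries in the question; the ou=People container entry and the helper `find_login_user` (which assumes the username lookup is ANDed with userBaseFilter) are assumptions.

```python
# Constructed sample directory: the user and group entries from the question,
# plus an assumed ou=People container entry above the user.
DIRECTORY = {
    "ou=People,dc=mycompany,dc=com": {
        "objectClass": ["organizationalUnit"], "ou": ["People"]},
    "cn=andrewn,ou=People,dc=mycompany,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "cn": ["andrewn"], "uid": ["andrewn"]},
    "cn=splunk-admin,ou=Group,dc=mycompany,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["splunk-admin"],
        "member": ["cn=andrewn,ou=People,dc=mycompany,dc=com"]},
}


def parse_equality(flt):
    """Turn a simple '(attr=value)' filter string into an (attr, value) pair."""
    attr, _, value = flt.strip().strip("()").partition("=")
    return attr, value


def entry_matches(attrs, attr, value):
    """Equality match against the entry's own attributes, never against its DN."""
    values = {k.lower(): v for k, v in attrs.items()}.get(attr.lower(), [])
    return value.lower() in (v.lower() for v in values)


def search(base_dn, filters):
    """Subtree search: entries at or below base_dn that satisfy every filter (AND)."""
    base = base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and all(entry_matches(attrs, a, v) for a, v in filters)]


def find_login_user(username, user_base_dn, user_base_filter=None,
                    user_name_attr="uid"):
    """Hypothetical login lookup: username filter ANDed with userBaseFilter."""
    filters = [(user_name_attr, username)]
    if user_base_filter:
        filters.append(parse_equality(user_base_filter))
    return search(user_base_dn, filters)


if __name__ == "__main__":
    # Original settings: the only entry carrying ou=People is the container.
    print(find_login_user("andrewn", "dc=mycompany,dc=com", "(ou=People)"))
    # Suggested settings: narrow by base DN, no attribute filter.
    print(find_login_user("andrewn", "ou=People,dc=mycompany,dc=com"))
```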

andrewdotnich
Explorer

Thank you very much, that did indeed solve the problem 🙂

0 Karma

ziegfried
Influencer

What kind of LDAP server are you using? It would also be helpful to show your LDAP configuration.

0 Karma

andrewdotnich
Explorer

and yes, the LDAP configuration is enabled.

0 Karma