
Huge amount of requests to LDAP

Dmitrii
Explorer

Hi,

We have a Splunk cluster with LDAP auth enabled. Authentication is working properly, but we have an issue with a huge amount of LDAP requests, about 2 million per day. There are 4 search head instances and 1 deployment server. I think Splunk queries LDAP every minute. In the logs there are corresponding events like this:

....
04-21-2021 12:47:03.662 +0000 DEBUG AuthenticationProviderLDAP - Listing all cached users
04-21-2021 08:47:03.651 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="xxxxxxxxx"
04-21-2021 08:47:03.651 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="yyyyyyyyy"
04-21-2021 08:47:03.651 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="zzzzzzzzz"
04-21-2021 08:47:03.651 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="aaaaaaaaa"
04-21-2021 08:47:03.651 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="bbbbbbbbb"
04-21-2021 08:47:03.651 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="cccccccccc"
04-21-2021 08:47:03.651 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="dddddddddd"
...

And the question is: how can we decrease the amount of LDAP requests?


Update: we sniffed the traffic to the LDAP server and found out what kinds of requests Splunk makes. There are two types of queries:

1. Get the members of the LDAP groups listed in the roleMap_xx setting
2. Get the attributes of every user in those groups


So I'm wondering why Splunk does this and how we can decrease the amount of these queries.
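
Before changing anything, it helps to measure the refresh rate from splunkd.log itself. The following is an added example, not code from the original post or from Splunk: it parses DEBUG lines of the AuthenticationProviderLDAP component in the format quoted above, treats each "Listing all cached users" line as the start of one cache refresh cycle (an assumption inferred from the quoted output, not documented Splunk behaviour), collects the per-user lines that follow, and projects the per-user LDAP lookups per day across the search heads. The sample log lines and user names are constructed. Timestamps are parsed with their UTC offset, so the mixed +0000 / -0400 lines seen in the thread compare correctly.

```python
"""Measure how often splunkd re-lists its LDAP user cache, from splunkd.log.

Added example, not code from the original post or from Splunk. Each
"Listing all cached users" line is assumed to start one refresh cycle; the
"Listing cached user" lines that follow belong to that cycle.
"""
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# splunkd.log line layout: MM-DD-YYYY HH:MM:SS.mmm +HHMM LEVEL Component - message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"DEBUG AuthenticationProviderLDAP - "
    r'(?:Listing all cached users|Listing cached user="(?P<user>[^"]*)")$'
)

Cycle = Tuple[datetime, List[str]]


def parse_ts(ts: str) -> datetime:
    """Parse a splunkd timestamp into a timezone-aware datetime."""
    return datetime.strptime(ts, "%m-%d-%Y %H:%M:%S.%f %z")


def parse_cycles(lines) -> List[Cycle]:
    """Group cache-listing lines into (cycle start, [users]) tuples."""
    cycles: List[Cycle] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # unrelated log line
        if m.group("user") is None:       # "Listing all cached users"
            cycles.append((parse_ts(m.group("ts")), []))
        elif cycles:                      # per-user line inside a cycle
            cycles[-1][1].append(m.group("user"))
        # a per-user line before any cycle start (truncated log) is dropped
    return cycles


def refresh_interval(cycles: List[Cycle]) -> Optional[timedelta]:
    """Mean time between consecutive cycle starts, or None if fewer than two."""
    if len(cycles) < 2:
        return None
    gaps = [later[0] - earlier[0] for earlier, later in zip(cycles, cycles[1:])]
    return sum(gaps, timedelta()) / len(gaps)


def lookups_per_day(cycles: List[Cycle], search_heads: int = 1) -> int:
    """Projected per-user LDAP lookups per day if every search head refreshes
    the same user set at the observed interval."""
    interval = refresh_interval(cycles)
    if interval is None or interval.total_seconds() <= 0:
        return 0
    users_per_cycle = max(len(users) for _, users in cycles)
    cycles_per_day = 86400 / interval.total_seconds()
    return round(cycles_per_day * users_per_cycle * search_heads)


# Constructed sample in the format of the thread's log excerpt; user names,
# the Metrics noise line and the mixed UTC offsets are made up for the test.
SAMPLE_LOG = """\
04-21-2021 12:47:03.662 +0000 DEBUG AuthenticationProviderLDAP - Listing all cached users
04-21-2021 08:47:03.670 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="alice"
04-21-2021 08:47:03.670 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="bob"
04-21-2021 08:47:03.671 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="carol"
04-21-2021 12:47:04.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
04-21-2021 08:48:03.662 -0400 DEBUG AuthenticationProviderLDAP - Listing all cached users
04-21-2021 08:48:03.670 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="alice"
04-21-2021 08:48:03.670 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="bob"
04-21-2021 08:48:03.671 -0400 DEBUG AuthenticationProviderLDAP - Listing cached user="carol"
04-21-2021 12:49:03.662 +0000 DEBUG AuthenticationProviderLDAP - Listing all cached users
04-21-2021 12:49:03.670 +0000 DEBUG AuthenticationProviderLDAP - Listing cached user="alice"
04-21-2021 12:49:03.670 +0000 DEBUG AuthenticationProviderLDAP - Listing cached user="bob"
04-21-2021 12:49:03.671 +0000 DEBUG AuthenticationProviderLDAP - Listing cached user="carol"
"""

if __name__ == "__main__":
    found = parse_cycles(SAMPLE_LOG.splitlines())
    print(f"cycles: {len(found)}, interval: {refresh_interval(found)}, "
          f"users/cycle: {len(found[0][1])}, "
          f"lookups/day on 4 search heads: {lookups_per_day(found, 4)}")
```

Run it against a real file with `parse_cycles(open("/opt/splunk/var/log/splunk/splunkd.log"))` after enabling DEBUG for AuthenticationProviderLDAP on one search head; the projected figure only counts the per-user attribute lookups, so the group-membership queries the poster saw (one per roleMap group per cycle) come on top of it.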

s2_splunk
Splunk Employee

What Splunk Version are you running? 


govardha
Path Finder

Hello @s2_splunk 

I am having the same issue and am on 8.1.3.

Thanks


s2_splunk
Splunk Employee

Yes, as was already pointed out in another response, this is a known issue (SPL-203946) and a fix is currently targeted for the next 8.1 maintenance release (8.1.4). 


s2_splunk
Splunk Employee

Quick update, ICYMI: 8.1.4 is now GA and has the fix for this issue.

govardha
Path Finder

Hello @s2_splunk @Dmitrii 

I upgraded to 8.1.4 this evening, I will post my experiences tomorrow.  But I also wanted to share another thing which Splunk Support pointed to me which got to the root cause of the problem.

My Splunk SHD was blasting away anonymous referrals to my Windows AD LDAP; once I set anonymous_referrals=0 in authentication.conf, things calmed down dramatically.

Thanks again!

g

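
For reference, this is what the setting looks like in context. The stanza below is an added example, not the poster's file or Splunk's documentation sample; the strategy name corp_ad, the host, the DNs and the group names are assumptions. Against Active Directory the default anonymous_referrals = 1 makes splunkd chase the referrals a domain controller returns for partitions it does not hold (DomainDnsZones, ForestDnsZones, other domains in the forest) with anonymous binds, which is the extra traffic the poster describes.

```ini
# $SPLUNK_HOME/etc/system/local/authentication.conf on each search head
# (and on the deployment server if it authenticates users via LDAP).
# Added example; strategy name, host, DNs and groups are assumptions.

[authentication]
authType = LDAP
authSettings = corp_ad

[corp_ad]
host = dc01.corp.example.com
port = 636
SSLEnabled = 1
bindDN = CN=svc-splunk,OU=Service Accounts,DC=corp,DC=example,DC=com
# bindDNpassword is set through Settings > Authentication methods so that
# splunkd stores it encrypted rather than in clear text here.
userBaseDN = OU=Users,DC=corp,DC=example,DC=com
userBaseFilter = (objectclass=user)
userNameAttribute = sAMAccountName
realNameAttribute = displayName
groupBaseDN = OU=Groups,DC=corp,DC=example,DC=com
groupBaseFilter = (objectclass=group)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
# Default is 1. Against AD that means one extra anonymous-bind round trip
# per referral on every group and user lookup. Disable it.
anonymous_referrals = 0

[roleMap_corp_ad]
admin = Splunk-Admins
power = Splunk-Power
user = Splunk-Users
```

Confirm the effective value on each node with `splunk btool authentication list --debug`, which shows the file each setting came from. Note that this only stops referral chasing; the once-a-minute refresh of every cached user is the separate defect (SPL-203946) fixed in 8.1.4, so an 8.1.3 search head will still poll after this change, just with far fewer queries per poll.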

govardha
Path Finder

Hello @Dmitrii 

I ran into the same issue, and I *think* this is a known issue with 8.1.3; hopefully Splunk will fix it shortly.

https://docs.splunk.com/Documentation/Splunk/8.1.3/ReleaseNotes/KnownIssues

gov


richgalloway
SplunkTrust

Make sure LDAP is not enabled on your indexers.

---
If this reply helps you, Karma would be appreciated.

Dmitrii
Explorer

There are no ldap queries from indexers. Only from search heads and deployment server.


richgalloway
SplunkTrust

I wonder if forwarders phoning home is somehow triggering LDAP requests. Consider disabling LDAP on the DS.

---
If this reply helps you, Karma would be appreciated.

Dmitrii
Explorer

Thank you for the answer.

Most of the queries are from the search heads.
