Security

AD Impossible Authentication even if groups are retrieved

rxlsplunk
New Member

We are trying to add LDAP accounts in our Splunk Enterprise 7.0.1.
We can see that Splunk is retrieving the groups and the users of the groups (in Map Groups), but even after adding all the roles, it is impossible to log in with an AD user.

The users don't appear in the Users menu.

Here is our configuration:

[authentication]
authSettings = TEST
authType = LDAP

[roleMap_TEST]
admin = ADMIN_AD
can_delete = ADMIN_AD
power = ADMIN_AD
splunk-system-role = ADMIN_AD
test_syslog = ADMIN_AD
user = ADMIN_AD
windows-admin = ADMIN_AD
winfra-admin = ADMIN_AD

[TEST]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = account
bindDNpassword = pass
charset = utf8
emailAttribute = mail
groupBaseDN = OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX
groupMappingAttribute = distinguishedname
groupMemberAttribute = member
groupNameAttribute = cn
host = hostname
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 20000
timelimit = 15
userBaseDN = OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX
userNameAttribute = samaccountname

Here are the relevant logs that we found in splunkd.log (we've already tried to increase the size limit):

01-11-2018 11:17:10.503 +0100 WARN ScopedLDAPConnection - strategy="TEST" LDAP Server returned warning in search for DN="OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX". reason="Size limit exceeded"
01-11-2018 11:17:10.505 +0100 WARN ScopedLDAPConnection - strategy="TEST" LDAP Server returned warning in search for DN="OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX". reason="Size limit exceeded"
01-11-2018 11:17:38.736 +0100 INFO AuthenticationManagerLDAP - Could not find user="adminuser" with strategy="TEST"
01-11-2018 11:17:38.736 +0100 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="adminuser" on any configured servers
01-11-2018 11:17:38.736 +0100 ERROR UiAuth - user=adminuser action=login status=failure reason=user-initiated useragent="xx" clientip=XX.XX.XX.XX

Thank you


nickhills
Ultra Champion

I just took another look at your config.

You have groupMappingAttribute = distinguishedname
Try: groupMappingAttribute = dn

If my comment helps, please give it a thumbs up!

rxlsplunk
New Member

Thanks, I've tried it, it still doesn't work.


nickhills
Ultra Champion

Here is my working config - there are a few differences, but that may be due to your redaction etc.

[my_scheme]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = CN=Splunk User,OU=Splunk,OU=SomeOU,OU=SomeOU,DC=domain,DC=com
bindDNpassword = $1$someencryptedPassword=
charset = utf8
emailAttribute = mail
groupBaseDN = DC=domain,DC=com
groupBaseFilter = (CN=splunk_*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc.domain.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=my_users,DC=domain,DC=com
userNameAttribute = samaccountname

If my comment helps, please give it a thumbs up!

nickhills
Ultra Champion

Clearly your groupBaseDN is correct, as you can map groups, but you should also confirm that your userBaseDN would include the relevant user accounts.

In a complex AD structure this is easy to overlook.

The second issue is the report that the LDAP server is hitting the 1000 result limit.
This is not the limit in Splunk (which you can also set) but a Domain Controller limitation.

If your directory has more than 1000 users, it's possible that your users are not in the first 1000 results returned by the DC, and thus never get 'found'.

There are two options available to you:
1.) Adjust the AD limit of 1000 results - but be aware this can impact your AD for very large queries:
https://blogs.technet.microsoft.com/qzaidi/2010/09/01/override-the-hardcoded-ldap-query-limits-intro...
2.) Narrow your userBaseDN to limit the number of users < 1000

If my comment helps, please give it a thumbs up!
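The two checks above (is the account really under userBaseDN, and does that subtree exceed the DC's result ceiling) can be confirmed from the AD side. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the DN and account name are placeholders taken from the redacted config.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory PowerShell module.
# $userBaseDN and $userName are placeholders: substitute the real Splunk userBaseDN
# and the sAMAccountName that fails to log in.
Import-Module ActiveDirectory

$userBaseDN = 'OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX'   # Splunk's userBaseDN (placeholder)
$userName   = 'adminuser'                           # account from the splunkd.log errors

# 1. Is the account located under userBaseDN? Splunk only searches that subtree,
#    so a user elsewhere in the forest is "not found" even with a correct bind.
$user = Get-ADUser -Identity $userName -Properties DistinguishedName
$underBase = $user.DistinguishedName -like "*,$userBaseDN"
"User DN         : $($user.DistinguishedName)"
"Under userBaseDN: $underBase"

# 2. How many objects does an unfiltered subtree search of userBaseDN return?
#    Splunk's sizelimit (20000 in the original config) cannot raise the DC-side limit.
$objects = @(Get-ADObject -SearchBase $userBaseDN -SearchScope Subtree `
                          -LDAPFilter '(objectClass=*)' -ResultPageSize 500)
"Objects under userBaseDN: $($objects.Count)"

# 3. Read the DC's MaxPageSize from the Default Query Policy (lDAPAdminLimits),
#    the ceiling behind the "Size limit exceeded" warning in splunkd.log.
$cfgNC    = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$cfgNC"
$limits   = (Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits).lDAPAdminLimits
$maxPage  = [int](($limits | Where-Object { $_ -like 'MaxPageSize=*' }) -replace '^MaxPageSize=', '')
"DC MaxPageSize: $maxPage"

if (-not $underBase) {
    "RESULT: the account is outside userBaseDN; widen or correct userBaseDN."
} elseif ($objects.Count -gt $maxPage) {
    "RESULT: the subtree returns more entries than the DC hands back in one unpaged " +
    "search; narrow userBaseDN or add a userBaseFilter (the user-side counterpart " +
    "of groupBaseFilter) rather than raising the DC limit."
} else {
    "RESULT: neither the base DN nor the DC size limit explains the failed lookup."
}
```

Run it with an account that can read the configuration partition; the count in step 2 includes contacts, computers and nested OUs, which is what an unfiltered search from Splunk would also return.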

rxlsplunk
New Member

We are sure that our userBaseDN includes the relevant user account.

In the selected OU we don't have more than 1000 objects, so I'm not sure I understand why we exceed the limit.

Thanks anyway
