AD Impossible Authentication even if groups are retrieved

rxlsplunk
New Member

We are trying to add LDAP accounts in our Splunk Enterprise 7.0.1.
We can see that Splunk is retrieving the groups and the users of the groups (in Map Groups) but even after adding all the roles, it is impossible to login with an AD user.

The users don't appear in the Users menu.

Here is our configuration:

[authentication]
authSettings = TEST
authType = LDAP

[roleMap_TEST]
admin = ADMIN_AD
can_delete = ADMIN_AD
power = ADMIN_AD
splunk-system-role = ADMIN_AD
test_syslog = ADMIN_AD
user = ADMIN_AD
windows-admin = ADMIN_AD
winfra-admin = ADMIN_AD

[TEST]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = account
bindDNpassword = pass
charset = utf8
emailAttribute = mail
groupBaseDN = OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX
groupMappingAttribute = distinguishedname
groupMemberAttribute = member
groupNameAttribute = cn
host = hostname
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 20000
timelimit = 15
userBaseDN = OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX
userNameAttribute = samaccountname

Here are the relevant logs that we found in splunkd.log (we've already tried to increase the size limit):

01-11-2018 11:17:10.503 +0100 WARN ScopedLDAPConnection - strategy="TEST" LDAP Server returned warning in search for DN="OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX". reason="Size limit exceeded"
01-11-2018 11:17:10.505 +0100 WARN ScopedLDAPConnection - strategy="TEST" LDAP Server returned warning in search for DN="OU=XXX,OU=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX". reason="Size limit exceeded"
01-11-2018 11:17:38.736 +0100 INFO AuthenticationManagerLDAP - Could not find user="adminuser" with strategy="TEST"
01-11-2018 11:17:38.736 +0100 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="adminuser" on any configured servers
01-11-2018 11:17:38.736 +0100 ERROR UiAuth - user=adminuser action=login status=failure reason=user-initiated useragent="xx" clientip=XX.XX.XX.XX

Thank you

0 Karma

nickhills
Ultra Champion

I just took another look at your config.

You have groupMappingAttribute = distinguishedname
Try: groupMappingAttribute = dn

If my comment helps, please give it a thumbs up!
0 Karma

rxlsplunk
New Member

Thanks, I've tried it, it still doesn't work.

0 Karma

nickhills
Ultra Champion

Here is my working config - there are a few differences, but that may be due to your redaction etc.

[my_scheme]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = CN=Splunk User,OU=Splunk,OU=SomeOU,OU=SomeOU,DC=domain,DC=com
bindDNpassword = $1$someencryptedPassword=
charset = utf8
emailAttribute = mail
groupBaseDN = DC=domain,DC=com
groupBaseFilter = (CN=splunk_*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc.domain.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = OU=my_users,DC=domain,DC=com
userNameAttribute = samaccountname

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Clearly your groupBaseDN is correct, as you can map groups, but you should also confirm that your userBaseDN would include the relevant user accounts.

In a complex AD structure this is easy to overlook.

The second issue is the report that the LDAP server is hitting the 1000 result limit.
This is not the limit in Splunk (which you can also set) but a Domain Controller limitation.

If your directory has more than 1000 users, it's possible that your users are not in the first 1000 results returned by the DC, and thus never get 'found'.

There are two options available to you:
1.) Adjust the AD limit of 1000 results - but be aware this can impact your AD for very large queries:
https://blogs.technet.microsoft.com/qzaidi/2010/09/01/override-the-hardcoded-ldap-query-limits-intro...
2.) Narrow your userBaseDN to limit the number of users < 1000

If my comment helps, please give it a thumbs up!
0 Karma
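
The correlation described in the answer above (a search cut off by "Size limit exceeded", followed by a "Could not find user" for the same strategy), as an added example that is not part of the original thread. It assumes splunkd.log lines shaped like the ones quoted in the question; the function name `correlate` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the splunkd.log lines quoted in the question.
SAMPLE_LOG = '''\
01-11-2018 11:17:10.503 +0100 WARN ScopedLDAPConnection - strategy="TEST" LDAP Server returned warning in search for DN="OU=XXX,DC=XXX". reason="Size limit exceeded"
01-11-2018 11:17:38.736 +0100 INFO AuthenticationManagerLDAP - Could not find user="adminuser" with strategy="TEST"
01-11-2018 11:17:38.736 +0100 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="adminuser" on any configured servers
01-11-2018 11:20:02.101 +0100 INFO AuthenticationManagerLDAP - Could not find user="jdoe" with strategy="OTHER"
'''

# Warning emitted when the LDAP server truncates a search result set.
TRUNCATED = re.compile(
    r'strategy="([^"]+)".*search for DN="([^"]+)"\.\s*reason="Size limit exceeded"')
# Lookup miss for a login attempt against one LDAP strategy.
NOT_FOUND = re.compile(r'Could not find user="([^"]+)" with strategy="([^"]+)"')


def correlate(log_text):
    """Group lookup misses per strategy, separating those that follow a
    truncated search (possibly caused by the cut-off) from the rest."""
    report = defaultdict(
        lambda: {"truncated_dns": set(), "suspect_users": [], "other_missing": []})
    for line in log_text.splitlines():
        m = TRUNCATED.search(line)
        if m:
            report[m.group(1)]["truncated_dns"].add(m.group(2))
            continue
        m = NOT_FOUND.search(line)
        if m:
            user, strategy = m.groups()
            entry = report[strategy]
            # Only misses logged after a truncation for this strategy are suspect.
            key = "suspect_users" if entry["truncated_dns"] else "other_missing"
            entry[key].append(user)
    return dict(report)


if __name__ == "__main__":
    for strategy, entry in correlate(SAMPLE_LOG).items():
        print(strategy, sorted(entry["truncated_dns"]),
              entry["suspect_users"], entry["other_missing"])
```

Users listed as suspect are worth rechecking after narrowing the base DN or raising the server-side limit; users in the other list failed for a reason unrelated to truncation.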

rxlsplunk
New Member

We are sure that our userBaseDN includes the relevant user account.

In the selected OU we don't have more than 1000 objects, so I'm not sure I understand why we exceed the limit.

Thanks anyway

0 Karma