Security

AD / LDAP Authentication Limit issues

Vtesse
Engager

Hi.

I've managed to get my Splunk (5.0.latest) referring to my Active Directory Domain Controllers to allow a number of user logins, however at this time, it is only working if I explicitly specify the User and group DNs on the LDAP config page.

What I'd love to do is have the ldap Plugins simply look at the User OU and Group OU and allow me to then pick which groups I want to map.

I've tried fiddling with the sizelimit and a few other functions, and even pointing at an OU with only 1 user / group, but no matter what is tried, I always get the Query Size Limit Exceeded error.

Any ideas how I can resolve this issue?
Here is an example of a working section of the Authentication.conf:
[Admin Users]
SSLEnabled = 1
anonymous_referrals = 0
bindDN = CN=Splunk ldap,OU=Service Accounts,OU=STUFF,DC=DOMAIN,DC=ltd
bindDNpassword = blah
charset = utf8
groupBaseDN = CN=Splunk Sysadmins,OU=User Groups,OU=STUFF,DC=DOMAIN,DC=ltd
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = 10.100.100.11
nestedGroups = 1
network_timeout = 20
port = 3269
realNameAttribute = name
sizelimit = 10000
timelimit = 15
userBaseDN = CN=ME, CN=Users,DC=Vtesse,DC=ltd
userNameAttribute = samaccountname

TIA

0 Karma

s72ucor
Explorer

I've noticed that if I create an AD group for specific access (i.e. users) and then add users to that group I can get this to work; however, I needed to define the group by editing "/etc/syslog/local/authentication.conf" via the CLI. Even if I edit the configuration file and set the limit to 1000+, 10000+, 100000+, 1000000+ it doesn't change the behavior. This makes me think that the issue isn't an LDAP issue, rather a GUI issue. I noticed that even with the limit change the GUI still only shows 1000 entries. Here's what I did to make things work:

  • Configure the "LDAP strategy" via the GUI.
  • Edit "/etc/syslog/local/authentication.conf"
  • Under the LDAP definition create your user access similar to the following:

[roleMap_LDAPStrategyName]

user = LDAPGroupName

  • Restart Splunk

Once I created the new AD config and defined the users via the CLI I restarted Splunk and all these users that were supposed to have access were imported. In addition I was able to add new users to the AD group and use the GUI "Reload Authentication Configuration" button under "Manager » Access controls » Authentication method".

I know this isn't a GUI solution, but it did solve my problem. I'm using Splunk 5.5 on Linux.
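As an added example (my own code, not the poster's and not anything shipped with Splunk), here is a Python check that parses authentication.conf stanzas like the one quoted in the question plus the roleMap stanza from this reply, and reports the points this thread turns on: whether TLS is on and the port is an LDAPS port, whether a base DN names a single CN object rather than an OU container (so a search under it returns only that object), whether sizelimit is an integer, and whether any roleMap stanza maps a group to a role. The sample stanza is constructed from the thread's values; the finding messages are my own wording.

```python
import configparser
import re

# Constructed sample modelled on the stanzas quoted in this thread; not a real deployment.
SAMPLE_CONF = """[Admin Users]
SSLEnabled = 1
bindDN = CN=Splunk ldap,OU=Service Accounts,OU=STUFF,DC=DOMAIN,DC=ltd
groupBaseDN = CN=Splunk Sysadmins,OU=User Groups,OU=STUFF,DC=DOMAIN,DC=ltd
port = 3269
sizelimit = 10000
userBaseDN = CN=ME, CN=Users,DC=Vtesse,DC=ltd

[roleMap_Admin Users]
user = Splunk Sysadmins
"""
LDAPS_PORTS = {"636", "3269"}                   # LDAPS and Global Catalog over TLS
RDN_RE = re.compile(r"^\s*([A-Za-z]+)=[^,]+$")  # one RDN; escaped commas are not handled

def parse_conf(text):
    # Splunk .conf files are INI-like, but keys are case-sensitive and DN values contain '='.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                        # keep SSLEnabled, bindDN etc. as written
    cp.read_string(text)
    return cp

def rdn_types(dn):
    """Attribute type of each RDN, left to right, or None if any component is malformed."""
    parts = [RDN_RE.match(p) for p in dn.split(",")]
    return [m.group(1).upper() for m in parts] if all(parts) else None

def lint(cp):
    """Return (strategy, message) findings for every LDAP strategy stanza in the file."""
    findings = []
    for name in (n for n in cp.sections() if not n.startswith("roleMap_")):
        s = cp[name]
        note = lambda msg: findings.append((name, msg))
        if s.get("SSLEnabled") != "1":
            note("SSLEnabled != 1: bind password and user logins cross the network in clear text")
        elif s.get("port") not in LDAPS_PORTS:
            note(f"SSLEnabled = 1 but port {s.get('port')} is not an LDAPS port (636/3269)")
        for key in ("bindDN", "userBaseDN", "groupBaseDN"):
            types = rdn_types(s.get(key, ""))
            if types is None:
                note(f"{key} is missing or not a well-formed DN")
            elif key != "bindDN" and types[0] == "CN":
                note(f"{key} names a single object (CN), so only that object is searched")
        if not s.get("sizelimit", "1000").isdigit():
            note("sizelimit must be an integer")
        if f"roleMap_{name}" not in cp or not any(v.strip() for v in cp[f"roleMap_{name}"].values()):
            note(f"no [roleMap_{name}] stanza maps an LDAP group to a Splunk role")
    return findings
```

Running `lint(parse_conf(open(path).read()))` against a copy of your own file lists the stanzas that point at a single user or group object, which is the shape of the "working" config in this thread.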

neiljpeterson
Communicator

This is the response that helped me solve this issue. I had to add a user that had already signed in to Splunk to the AD group for the UI to display/recognize the group, so that I could map it.

JoeIII
Path Finder

I wonder if your nestedGroups setting is the source of your "too many lines" issue.

Also, while your environment may differ, a few of the identifying attributes are different from what I normally use when setting up AD auth for systems like Splunk.

Here are the attributes I use in my Splunk environment:

groupMappingAttribute = distinguishedname
groupMemberAttribute = member
groupNameAttribute = name
realNameAttribute = displayname
userNameAttribute = samaccountname

As for the filters, Microsoft has a very in-depth article on LDAP filters and examples specific to AD that I believe anyone configuring AD auth should have bookmarked:
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters...

0 Karma

s72ucor
Explorer

I have the same issue with or without nested groups enabled.

0 Karma

krugger
Communicator

You can configure this with the web GUI at:

Manager > Access controls > Authentication method

Turn LDAP on

Click on Configure Splunk to use LDAP and map groups

Define a new LDAP strategy. In the strategy you can define search filters to have multiple groups.

After that you can map the groups to user roles.

0 Karma

Vtesse
Engager

Indeed you can.
That's where I've configured this entry.
The problem is, when I enter the OUs in groupBaseDN and userBaseDN, I get the "too many lines returned" error from the LDAP plugin. Even if I
A) point them at an OU with only 2 entries
B) Increase the sizelimit to something silly.

0 Karma