Hi.
I've managed to get my Splunk (5.0.latest) referring to my Active Directory Domain Controllers to allow a number of user logins; however, at this time it is only working if I explicitly specify the user and group DNs on the LDAP config page.
What I'd love to do is have the LDAP plugin simply look at the User OU and Group OU and allow me to then pick which groups I want to map.
I've tried fiddling with the sizelimit and a few other functions, and even pointing at an OU with only 1 user / group, but no matter what is tried, I always get the Query Size Limit Exceeded error.
Any ideas how I can resolve this issue?
Here is an example of a working section of the Authentication.conf:
[Admin Users]
SSLEnabled = 1
anonymous_referrals = 0
bindDN = CN=Splunk ldap,OU=Service Accounts,OU=STUFF,DC=DOMAIN,DC=ltd
bindDNpassword = blah
charset = utf8
groupBaseDN = CN=Splunk Sysadmins,OU=User Groups,OU=STUFF,DC=DOMAIN,DC=ltd
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = 10.100.100.11
nestedGroups = 1
network_timeout = 20
port = 3269
realNameAttribute = name
sizelimit = 10000
timelimit = 15
userBaseDN = CN=ME, CN=Users,DC=Vtesse,DC=ltd
userNameAttribute = samaccountname
TIA
I've noticed that if I create an AD group for specific access (i.e. users) and then add users to that group I can get this to work; however, I needed to define the group by editing "
[roleMap_LDAPStrategyName]
user = LDAPGroupName
Once I created the new AD config and defined the users via the CLI, I restarted Splunk and all these users that were supposed to have access were imported. In addition, I was able to add new users to the AD group and use the GUI "Reload Authentication Configuration" button under "Manager » Access controls » Authentication method".
I know this isn't a GUI solution, but it did solve my problem. I'm using Splunk 5.5 on Linux.
This is the response that helped me solve this issue. I had to add a user that had already signed in to Splunk, to the AD group for the UI to display/recognize the group, so that I could map it.
I wonder if your nestedGroups setting is the source of your "too many lines" issue.
Also, while your environment may differ, a few of the identifying attributes are different from what I normally use when setting up AD auth for systems like Splunk.
Here are the attributes I use in my Splunk environment:
groupMappingAttribute = distinguishedname
groupMemberAttribute = member
groupNameAttribute = name
realNameAttribute = displayname
userNameAttribute = samaccountname
As for the filters, Microsoft has a very in-depth article on LDAP filters and examples specific to AD that I believe anyone configuring AD auth should have bookmarked:
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters...
I have the same issue with or without nested groups enabled.
You can configure this with the web GUI at:
Manager > Access controls > Authentication method
Turn LDAP on
Click on Configure Splunk to use LDAP and map groups
Define a new LDAP strategy. In the strategy you can define search filters to have multiple groups.
After that you can map the groups to user roles.
Indeed you can.
That's where I've configured this entry.
The problem is, when I enter the OUs in groupBaseDN and userBaseDN, I get the "too many lines returned" error from the LDAP plugin. Even if I
A) point them at an OU with only 2 entries
B) increase the sizelimit to something silly.
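An added example, not part of any post in this thread and not Splunk's own code: a small Python audit of the authentication.conf layout discussed above (an LDAP strategy stanza plus its roleMap_<strategy> stanza). It reports which AD groups map to which Splunk role and flags base DNs that name a single object, as in the first post. The function name audit_ldap_auth, the sample stanzas and all DNs are constructed placeholders, and the CN= check is a heuristic.

```python
import configparser

# Constructed sample modelled on the stanzas quoted in the thread; every name
# and DN here is a placeholder, not a value from a real deployment.
SAMPLE_CONF = """
[authentication]
authType = LDAP
authSettings = Admin Users

[Admin Users]
SSLEnabled = 1
userBaseDN = OU=Users,DC=example,DC=test
groupBaseDN = CN=Splunk Sysadmins,OU=User Groups,DC=example,DC=test

[roleMap_Admin Users]
admin = Splunk Sysadmins
user = Splunk Users;Helpdesk

[roleMap_Old Strategy]
admin = Domain Users
"""

def audit_ldap_auth(conf_text):
    """Return (role_map, findings) for the enabled LDAP strategies."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case as written (bindDN, userBaseDN, ...)
    cp.read_string(conf_text)
    raw = cp.get("authentication", "authSettings", fallback="")
    active = [s.strip() for s in raw.split(",") if s.strip()]
    role_map, findings = {}, []
    for name in active:
        if not cp.has_section(name):
            findings.append(f"strategy '{name}' is enabled but has no stanza")
            continue
        if cp.get(name, "SSLEnabled", fallback="0") != "1":
            findings.append(f"strategy '{name}' has SSLEnabled off")
        for key in ("userBaseDN", "groupBaseDN"):
            dn = cp.get(name, key, fallback="")
            if dn.upper().startswith("CN="):  # heuristic: likely one object, not an OU
                findings.append(f"{name}.{key} starts with CN=: {dn}")
    for section in (s for s in cp.sections() if s.startswith("roleMap_")):
        strategy = section[len("roleMap_"):]
        if strategy not in active:
            findings.append(f"[{section}] maps roles for a strategy that is not enabled")
            continue
        # roleMap values are semicolon-separated LDAP group names
        for role, groups in cp.items(section):
            role_map.setdefault(role, []).extend(
                (strategy, g.strip()) for g in groups.split(";") if g.strip())
    return role_map, findings
```

Reviewing the returned role_map after each change to the AD groups shows exactly which directory groups grant the admin role.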