Security

Active Directory nested groups

echalex
Builder

Hi,

I understand that Splunk 4.3.3 should support nested groups in Active Directory, according to this document. However, I'm unable to get it working. I have set nestedGroups=1. I've also set groupMemberAttribute=member (and tried without it as well), but it still won't work.

Currently, I'm only testing this with one nested group.

CN=it-infrastructure,OU=SPLUNK,OU=Application Groups,OU=Groups,DC=company,DC=domain,DC=tld

which has a member:

CN=infrastructure-internal,OU=Organisational Groups,OU=Managed Groups,OU=Groups,DC=company,DC=domain,DC=tld

# authentication.conf:
[AD]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = cn=svc-splunk-01,ou=Splunk,ou=Service Accounts,ou=Other Accounts,dc=company,dc=domain,dc=tld
bindDNpassword = snafu
charset = utf8
dynamicMemberAttribute = member
groupBaseDN = ou=SPLUNK,ou=Application Groups,ou=Groups,dc=company,dc=domain,dc=tld
groupBaseFilter = (objectclass=*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.company.domain.tld
nestedGroups = 1
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = ou=Departments,dc=company,dc=domain,dc=tld
userBaseFilter = (objectclass=*)
userNameAttribute = samaccountname

Now looking at the configuration, I'm wondering if the problem may be the groupBaseDN setting. This matches the parent group, but not the nested group. Is this the problem? If I widen it to just ou=Groups,dc=..., I get 1000+ groups, which is quite a lot, but I'm not sure if it's a problem. So, does the nested group also have to match the groupBaseDN?

1 Solution

dart
Splunk Employee

Widen the groupBaseDN - it shouldn't be a problem. If you're worried, add to the groupBaseFilter to just look at those in the right OUs.

dart
Splunk Employee

Glad to hear it worked out!

0 Karma

echalex
Builder

Thanks!
Yes, I was worried about the number of groups listed and I tried out several combinations of values for groupBaseFilter and dynamicGroupFilter. Either I couldn't get it to authenticate or the list of groups.

Thanks to your suggestion, I set both to the same value and it does work. Authentication works and the list is nice and small, so thank you very much!

0 Karma
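
A simplified model of why widening groupBaseDN resolves the problem in this thread, added here as an example and not taken from the thread or from Splunk's code. It assumes nested membership is expanded only through groups returned by the group search (groupBaseDN plus groupBaseFilter); the user DN, the finance group, the helper names and the cn-based filter are hypothetical.

```python
# Simplified model, not Splunk's implementation. Group names come from the thread;
# the user DN and the "finance" group are constructed for illustration.
SUFFIX = "dc=company,dc=domain,dc=tld"
PARENT = "cn=it-infrastructure,ou=splunk,ou=application groups,ou=groups," + SUFFIX
NESTED = "cn=infrastructure-internal,ou=organisational groups,ou=managed groups,ou=groups," + SUFFIX
OTHER = "cn=finance,ou=managed groups,ou=groups," + SUFFIX
USER = "cn=jdoe,ou=departments," + SUFFIX
DIRECTORY = {PARENT: [NESTED], NESTED: [USER], OTHER: [USER]}  # group DN -> member DNs

NARROW_BASE = "ou=splunk,ou=application groups,ou=groups," + SUFFIX  # original groupBaseDN
WIDE_BASE = "ou=groups," + SUFFIX                                    # widened groupBaseDN
# Stands in for a filter such as (|(cn=it-infrastructure)(cn=infrastructure-internal)).
CN_FILTER = {"it-infrastructure", "infrastructure-internal"}

def search_groups(base_dn, cn_filter=None):
    """Subtree search: groups under base_dn whose cn passes the optional filter."""
    visible = {}
    for dn, members in DIRECTORY.items():
        cn = dn.split(",", 1)[0].split("=", 1)[1]
        in_scope = dn == base_dn or dn.endswith("," + base_dn)
        if in_scope and (cn_filter is None or cn in cn_filter):
            visible[dn] = members
    return visible

def groups_for_user(user_dn, visible):
    """Direct and nested memberships, expanded only through visible groups."""
    resolved, frontier = set(), {user_dn}
    while frontier:
        found = {dn for dn, members in visible.items()
                 if dn not in resolved and frontier & set(members)}
        resolved |= found
        frontier = found
    return resolved

if __name__ == "__main__":
    for label, base, flt in [("narrow", NARROW_BASE, None),
                             ("wide", WIDE_BASE, None),
                             ("wide + filter", WIDE_BASE, CN_FILTER)]:
        visible = search_groups(base, flt)
        member_of = groups_for_user(USER, visible)
        print(f"{label}: {len(visible)} groups listed, "
              f"user reaches parent group: {PARENT in member_of}")
```

With the narrow base the nested group is never seen, so the user's membership in it cannot be chained up to it-infrastructure; the widened base with a filter keeps the listed groups to two while the chain still resolves.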