Security

Active directory access for Splunk

uagraw01
Builder

 

uagraw01_1-1708689456486.png

Hello Splunkers!!

I want us to configure Active Directory in Splunk with LDAP. My Splunk server and domain controller are two different servers on the same network. Please guide me on what steps I need to follow.

1. Shall I open Inbound or outbound  port  389 on both the servers ?

2. How to create user and user group in Active directory.

3. After the mapping of LDAP, does it impact the current existing Splunk users ?

4. Please provide me  document if anybody performed POC on this already.

 

 

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @uagraw01,

you should install in an Heavy Forwarder the SA-LDAPSearch app (https://splunkbase.splunk.com/app/1151) and follow the instructions at https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/AbouttheSplunkSupportingAdd-onforActi...

In apps.splunk.com there is another app to do the same thing but I never used it.

Ciao.

Giuseppe

uagraw01
Builder

@gcusello Thank you for the response. I have few more ask on this.

1. Can we use LDAP functionality which is present in Splunk setting itself rather any Ldap app or add-on ?

2. We have standalone Splunk server which is based on windows virtual machine.

So its possible a direction connection of Domain controller with Splunk server with splunk LDAP setting ?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What do you want to do with LDAP in Splunk?  Typical uses are to authenticate users and to query AD (for users, groups, etc.).

Splunk's LDAP functionality is for authenticating Splunk users.  The LDAP add-on allows for querying AD as part of a Splunk search.

Yes, a standalone Splunk server on a Windows VM can connect to a Domain Controller using LDAP, but not under the Free license.

---
If this reply helps you, Karma would be appreciated.

uagraw01
Builder

@richgalloway We have a licenced Splunk standalone server. 

My Customer want us to configure Active directory to authenticate all the Splunk users. 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You do not need an app to use LDAP for authentication.  Go to Settings->Authentication methods and select "LDAP".  Then click the "Configure Splunk to use LDAP" link.  Click the green "New LDAP" button and fill in the form.  See https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureLDAPwithSplunkWeb for details.

After that, you will need to map AD groups to Splunk roles.  The same doc tells how to do that.

---
If this reply helps you, Karma would be appreciated.

uagraw01
Builder

@richgalloway Thanks for your suggestion.

Does the creation or mapping of the existing users with LDAP will impact on existing reports , dashboards, macros etc created by different users ?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If the users' LDAP names do not match their Splunk account names then all KOs will have to be reassigned to the LDAP account names.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @uagraw01,

answering to your questions:

1)

no, the LDAP functionalities are for user authentication, not to extract LDAP data.

To extract LDAP data you need the add-On

2)

use your stand alone server to install the app.

and if it is possible pass to Linux: Windows is useful for test environments, not for production environments!

Ciao.

Giuseppe

uagraw01
Builder

@gcusello We only want to stablish the authentication method. We dont want to monitor any LDAP events.

We only use windows Splunk server even for production.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @uagraw01,

if you want to use the LDAP authentication, you have to

  • create a group on AD for each role you need in Splunk inserting the users of each one,
  • configure your Splunk in [Settings > Authentication Method > Configure Splunk to use LDAP > New LDAP] inserting the requested information,
  • map the groups on your Splunk roles.

for more details see at https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/ConfigureLDAPwithSplunkWeb

Ciao.

Giuseppe

uagraw01
Builder

@gcusello I will surely try this solution.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...