Security

After configuring LDAP authentication with Active Directory in Splunk, why are LDAP user details for some users deleted after a login attempt?

nivedita_viswan
Path Finder

I have configured LDAP authentication with Active Directory on Splunk. We are still waiting on the group to role mapping, so currently we have mapped individual users to specific roles.

However, 1 of the 5 users we have currently mapped is unable to login. When I add his username to the authentication.conf file, I see his username, Full name and email address under Settings->Access controls->Users

When he tries to log in, he gets "Invalid username or password" and immediately after that, his details are no longer visible under Settings->Access controls->Users

splunkd.log only shows

user=xxx action=login status=failure reason=user-initiated

The password can't be invalid since he logs into his local machine with the same credentials. The other 4 users are able to log in successfully.
Also, since I can see his 'Full Name' under Settings->Access controls->Users , I don't think its a problem with his display name, either.

1 Solution

nivedita_viswan
Path Finder

It turns out that this only happened for users who had capital letters in their LDAP usernames. I had initially configured the role mapping assuming case sensitivity. So I had

admin = User1, user2, usEr3

Thought the users could log into their systems irrespective of the case, they were unable to log into splunk. I changed the mapping so that all usernames had lower case letters:

admin=user1,user2,user3

This seemed to fix the issue, and all users can now log into Splunk.

View solution in original post

mendesjo
Path Finder

You just saved me, made some permission changes , roles etc... and if you have the LDAP in uppercase letters it fails.

0 Karma

nivedita_viswan
Path Finder

It turns out that this only happened for users who had capital letters in their LDAP usernames. I had initially configured the role mapping assuming case sensitivity. So I had

admin = User1, user2, usEr3

Thought the users could log into their systems irrespective of the case, they were unable to log into splunk. I changed the mapping so that all usernames had lower case letters:

admin=user1,user2,user3

This seemed to fix the issue, and all users can now log into Splunk.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...