Security

After configuring LDAP authentication with Active Directory in Splunk, why are LDAP user details for some users deleted after a login attempt?

nivedita_viswan
Path Finder

I have configured LDAP authentication with Active Directory on Splunk. We are still waiting on the group to role mapping, so currently we have mapped individual users to specific roles.

However, 1 of the 5 users we have currently mapped is unable to login. When I add his username to the authentication.conf file, I see his username, Full name and email address under Settings->Access controls->Users

When he tries to log in, he gets "Invalid username or password" and immediately after that, his details are no longer visible under Settings->Access controls->Users

splunkd.log only shows

user=xxx action=login status=failure reason=user-initiated

The password can't be invalid since he logs into his local machine with the same credentials. The other 4 users are able to log in successfully.
Also, since I can see his 'Full Name' under Settings->Access controls->Users , I don't think its a problem with his display name, either.

1 Solution

nivedita_viswan
Path Finder

It turns out that this only happened for users who had capital letters in their LDAP usernames. I had initially configured the role mapping assuming case sensitivity. So I had

admin = User1, user2, usEr3

Thought the users could log into their systems irrespective of the case, they were unable to log into splunk. I changed the mapping so that all usernames had lower case letters:

admin=user1,user2,user3

This seemed to fix the issue, and all users can now log into Splunk.

View solution in original post

mendesjo
Path Finder

You just saved me, made some permission changes , roles etc... and if you have the LDAP in uppercase letters it fails.

0 Karma

nivedita_viswan
Path Finder

It turns out that this only happened for users who had capital letters in their LDAP usernames. I had initially configured the role mapping assuming case sensitivity. So I had

admin = User1, user2, usEr3

Thought the users could log into their systems irrespective of the case, they were unable to log into splunk. I changed the mapping so that all usernames had lower case letters:

admin=user1,user2,user3

This seemed to fix the issue, and all users can now log into Splunk.

Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...