Security

After mapping groups to roles configuring Splunk to allow LDAP authentication, why am I unable to log in with any of those users?

jclehmuth
Path Finder

I'm trying to configure Splunk to allow LDAP authentication. I select "Configure Splunk to use LDAP and map groups" and then complete the LDAP strategy. I then select Map groups and map roles to groups. I am currently using one group as a test that has two users in it. I can see all the groups and my target group. I select my target group and give them a role. For testing purposes, I gave them the power role. I saved, backed out, and checked the user section, but they were not there. I reloaded authentication configuration and they were still not there. When I attempt to login with one of those users I receive the following errors:

-0400 ERROR UserManagerPro - LDAP Login Failed, could not find a valid user="xxx" on any configured servers
-0400 ERROR AuthenticationManagerLDAP - Could not find user ="xxx" with strategy="LDAP"

Also watching TCPdump on the server I can see the traffic going to the LDAP server while attempting to log in.

In short, I mapped groups to roles, but I am unable to login with any of those users.

0 Karma
1 Solution

jclehmuth
Path Finder

The OU for the user base was changed to Domain Admins, and now it works.

View solution in original post

0 Karma

jclehmuth
Path Finder

The OU for the user base was changed to Domain Admins, and now it works.

0 Karma

stanwin
Contributor

Have you checked that the userBaseFilter & groupBaseFilter aren't causing any issues in fetching users? Couldn't see it in your conf file .

I had this same issue & although they appear in Mapped group list , they are not visible under the Users list..

0 Karma

maciep
Champion

Do you have the userBaseDN configured? Are your users within that base DN?

0 Karma

wpreston
Motivator

Have you checked the attribute editor on your active directory objects to make sure that all the attributes you defined in your Splunk configuration files match what is in AD?

0 Karma

jclehmuth
Path Finder

-0400 DEBUG ScopedLDAPConnection - strategy="ldaphost1" LDAP Server returned no entries in search for DN="CN=SPLUNK_IA_ADM,OU=Enterprise Security Groups,DC=xxx,DC=xxx,DC=xxxl" filter="(&(samaccountname=xxx)(cn=*))".

-0400 DEBUG ScopedLDAPConnection - strategy="ldaphost1" LDAP Server returned no entries in search for DN="CN=SPLUNK_IA_ADM,OU=Enterprise Security Groups,DC=xxx,DC=xxx,DC=xxx" filter="(&(cn=cn=xxx,ou=domain admins,dc=xxx,dc=xxx,dc=xxx)(samaccountname=*))".

-0400 DEBUG UserManagerPro - LoadLDAPUsersThread: strategy="ldaphost1" Attempting to get user="cn=xxx,ou=domain admins,dc=xxx,dc=xxx,dc=xxx" from LDAP to map to roles="admin"

0 Karma

maciep
Champion

well at least you found something but I'm not sure how to interpret those logs in a helpful way. If that's the actual dn for your account, I don't know why splunk and/or your bind account can't find it.

If you have support, it may be worth opening a ticket at this point.

0 Karma

jclehmuth
Path Finder

Opened a ticket with support, will post the solution if we find one.

0 Karma

jclehmuth
Path Finder

[authentication]
authType = LDAP
authSettings = ldaphost1

[roleMap_ldaphost1]
admin = SPLUNK_IA_ADM

[ldaphost1]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=ldap sa\, splunk,OU=Enterprise Service Accounts,DC=xxx,DC=xxx,DC=xxx
bindDNpassword = $1$s0IT6ghwgSvOB9ADovClFg==
charset = utf8
emailAttribute = mail
groupBaseDN = OU=Enterprise Security Groups,DC=xxx,DC=xxx,DC=xxx
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = x.x.x.x
nestedGroups = 0
network_timeout = 20
port = 636
realNameAttribute = cn
sizelimit = 5000
timelimit = 20
userBaseDN = OU=Enterprise Security Groups,DC=xxx,DC=xxx,DC=xxx
userNameAttribute = samaccountname

0 Karma

maciep
Champion

So you're trying to map to the admin role now then (not power), right? Sorry nothing is standing out to me.

I thought maybe your users were in a different OU than your groups, so maybe Splunk couldn't find them. But if they're all in there, that's not the problem.

Maybe you should turn on debug logging for the LDAP stuff? It might be a lot to sift through, but could help you identify where the problem is (Server Settings -> Server Logging, search for LDAP and change to debug)

0 Karma

jclehmuth
Path Finder

Thanks, I'll try that and see if I can find anything.

0 Karma

jclehmuth
Path Finder

I adjust the timelimit and network_timeout, they are no longer both 20... but everything else is the same.

0 Karma

jclehmuth
Path Finder

[role_admin]
schedule_rtsearch = disabled
srchMaxTime = 8640000

[role_power]
srchIndexesDefault = *
srchMaxTime = 8640000

[role_atlas user]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
rtSrchJobsQuota = 1
srchMaxTime = 0
srchTimeWin = 360

0 Karma

jclehmuth
Path Finder

Yes and yes.

I can see the users when I select the group to map a role to, but I can't see them under the users and they are not able to sign in.

0 Karma

maciep
Champion

Ok. Would it be possible to post your authentication and authorize conf files here? Getting rid of any sensitive info of course?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...