Can Splunk be configured to pull a single AD user instead of a group? I have tried a number of user base filters with no success. My group filters work without issue.
I have tried to use the following for the user base filter options:
• (&(objectCategory=person)(objectClass=user)(sAMAccountName=someone))
• (&(objectClass=user)(sAMAccountName=someone))
• (&(objectCategory=person)(objectClass=user)(cn=someone))
• (&(objectClass=user)(cn=someone))
I am getting the following errors in splunkd.log.
• ERROR AdminHandler:AuthenticationHandler - Failed to retrieve a group with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.
This is what worked for me in the end. Setting the group base and user base filters and DN to the same value, the user base values. I also modified the groupMemberAttribute to mimic the userMember Attribute.
Settings to add a single user:
[Team_Contractors]
host = ldap.domain.org
port = 389
SSLEnabled = 0
anonymous_referrals = 1
bindDN = domain\XXXXXXX
bindDNpassword = XXXXXXXXXXXXXX
charset = utf8
emailAttribute = mail
userBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain_Main,DC=domain,DC=org
userBaseFilter = (&(objectclass=user)(|(sAMAccountName=XXXXX)(sAMAccountName=XXXXX)))
groupBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain_Main,DC=domain,DC=org
groupBaseFilter = (&(objectclass=user)(|(sAMAccountName=XXXXX)(sAMAccountName=XXXXX)))
nestedGroups = 0
userNameAttribute = samaccountname
realNameAttribute = cn
groupMappingAttribute = cn
groupMemberAttribute = samaccountname
groupNameAttribute = cn
timelimit = 10
network_timeout = 20
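
Added example, not part of any post in this thread and not Splunk code: a small pre-check for an LDAP strategy stanza of the shape shown above. It reports an unencrypted bind (`SSLEnabled = 0`) and filters with unbalanced parentheses or empty values, such as the `(cn=)(member=)` that appears in the debug log further down the thread. The stanza values and the function names `check_filter` and `lint_stanza` are constructed for illustration.

```python
import re

# Constructed sample stanza (hypothetical host and account names).
SAMPLE_STANZA = """\
[Team_Contractors]
host = ldap.example.org
port = 389
SSLEnabled = 0
userBaseFilter = (&(objectclass=user)(|(sAMAccountName=alice)(sAMAccountName=bob)))
groupBaseFilter = (&(objectclass=group)(cn=Contractors)
"""

def check_filter(f):
    """Return a list of problems found in an LDAP filter string."""
    problems, depth, i = [], 0, 0
    while i < len(f):
        if f[i] == "\\":      # RFC 4515 escape (\28, \29, \5c): skip it whole
            i += 3
            continue
        if f[i] == "(":
            depth += 1
        elif f[i] == ")":
            depth -= 1
            if depth < 0:
                problems.append("unmatched ')'")
                depth = 0
        i += 1
    if depth > 0:
        problems.append(f"{depth} unclosed '('")
    # An item like (cn=) has no assertion value at all.
    for attr in re.findall(r"\(([A-Za-z][\w.;-]*)[~<>]?=\)", f):
        problems.append(f"empty value for '{attr}'")
    return problems

def lint_stanza(text):
    """Parse 'key = value' lines and return {setting: [problems]}."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith(("[", "#")):
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    findings = {}
    if conf.get("SSLEnabled") == "0":
        findings["SSLEnabled"] = [f"bind on port {conf.get('port')} is not TLS-protected"]
    for key in ("userBaseFilter", "groupBaseFilter"):
        probs = check_filter(conf.get(key, ""))
        if probs:
            findings[key] = probs
    return findings
```
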
I ended up using the following syntax to get it to work.
Settings to add a single user:
[Strategy]
host = *****
port = 389
SSLEnabled = 0
anonymous_referrals = 1
bindDN = ******
bindDNpassword = ********
charset = utf8
emailAttribute = mail
userBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain,DC=domain,DC=com
userBaseFilter = (&(objectclass=user)(|(sAMAccountName=***)(sAMAccountName=)))
groupBaseDN = OU=Contractors,OU=Non-domain Users,OU=domain,DC=domain,DC=com
groupBaseFilter = (&(objectclass=user)(|(sAMAccountName=)(sAMAccountName=***)))
nestedGroups = 0
userNameAttribute = samaccountname
realNameAttribute = cn
groupMappingAttribute = cn
groupMemberAttribute = samaccountname
groupNameAttribute = cn
timelimit = 10
network_timeout = 20
It is possible if you add a constraint in the User Settings:
User Base Filter
(&(objectClass=user)(cn=someone))
And check in the Group Settings:
Static group search filter should have a constraint for the group where someone exists.
e.g.
(&(objectClass=group)(cn=Splunk-Someones-Group))
I tried that. Still doesn't work.
Sure.
User Base DN:
OU=Contractors,OU=Non-main Users,OU=main_users,DC=domain,DC=org
User Base Filter:
(&(objectClass=user)(cn=someone))
Group base DN:
OU=Contractors,OU=Non-main Users,OU=main_users,DC=domain,DC=org
Group Filter:
(&(objectclass=group)(cn=Contractors))
Can you try adding following:
User name attribute >> samaccountname
Real name attribute >> cn
Group mapping attribute >> dn
Group name attribute >> cn
Static member attribute >> member
P.S. I tried it in my system and was able to pull only one user. I had these extra parameters set.
Those are all already set. I've tested the syntax against LDAP and they work to pull the single user. No idea why it won't work for me within Splunk.
Do you know where I can set the ScopedLDAPConnection to DEBUG? I can't find it in the log.cfg.
Settings >> System settings >> System Logging
Thanks. So here is what I am getting.
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Adding attribute="cn" with value="Person"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Adding attribute="sAMAccountName" with value="xxxxx"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Adding attribute="mail" with value="person@domain.org"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Attempting to read entry at DN="OU=Contractors,OU=Non-Main Users,OU=Main,DC=domain,DC=org"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Attempting to search subtree at DN="OU=Contractors,OU=Non-Main Users,OU=Main,DC=domain,DC=org" using filter=""
02-06-2015 15:52:47.925 -0500 DEBUG ScopedLDAPConnection - strategy="contractor_person" Search duration="1992 microseconds"
ScopedLDAPConnection - strategy="contractor_person" LDAP Server returned no entries in search for DN="OU=Contractors,OU=Non-domain Users,OU=Main,DC=domain,DC=org" filter="(&(&(objectclass=group)(cn=Contractors))(cn=)(member=))".
02-06-2015 15:52:47.928 -0500 ERROR AdminHandler:AuthenticationHandler - Failed to retrieve a group with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.
I'm wondering if it's timing out. It found the user but the filters aren't working, even though they've been tested.
Can you post User Settings & Group Settings?
