
Can Splunk be configured to add a single active directory user instead of a group?

Communicator

Can Splunk be configured to pull a single AD user instead of a group? I have tried a number of user base filters with no success. My group filters work without issue.

I have tried to use the following for the user base filter options:

• (&(objectCategory=person)(objectClass=user)(sAMAccountName=someone))
• (&(objectClass=user)(sAMAccountName=someone))
• (&(objectCategory=person)(objectClass=user)(cn=someone))
• (&(objectClass=user)(cn=someone))

I am getting the following errors in splunkd.log.
• ERROR AdminHandler:AuthenticationHandler - Failed to retrieve a group with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.

0 Karma

Re: Can Splunk be configured to add a single active directory user instead of a group?

Contributor

It is possible if you add a constraint in the User Settings:

User Base Filter
(&(objectClass=user)(cn=someone))

And check in the Group Settings:

The static group search filter should have a constraint for the group in which someone exists,
e.g.
(&(objectClass=group)(cn=Splunk-Someones-Group))

0 Karma

Re: Can Splunk be configured to add a single active directory user instead of a group?

Communicator

I tried that. Still doesn't work.

0 Karma

Re: Can Splunk be configured to add a single active directory user instead of a group?

Contributor

Can you post User Settings & Group Settings?

0 Karma

Re: Can Splunk be configured to add a single active directory user instead of a group?

Communicator

Sure.

User Base DN:
OU=Contractors,OU=Non-main Users,OU=mainusers,DC=domain,DC=org
User Base Filter:
(&(objectClass=user)(cn=someone))
Group base DN:
OU=Contractors,OU=Non-main Users,OU=mainusers,DC=domain,DC=org
Group Filter:
(&(objectclass=group)(cn=Contractors))

0 Karma

Re: Can Splunk be configured to add a single active directory user instead of a group?

Contributor

Can you try adding the following:

User name attribute >> samaccountname
Real name attribute >> cn
Group mapping attribute >>dn


Group name attribute >> cn
Static member attribute >> member

P.S. I tried it in my system and was able to pull only one user. I had these extra parameters set.

0 Karma

Re: Can Splunk be configured to add a single active directory user instead of a group?

Communicator

Those are all already set. I've tested the syntax against LDAP and they work to pull the single user. No idea why it won't work for me within Splunk.

0 Karma

Re: Can Splunk be configured to add a single active directory user instead of a group?

Communicator

Do you know where I can set the ScopedLDAPConnection to DEBUG? I can't find it in the log.cfg.

0 Karma

Re: Can Splunk be configured to add a single active directory user instead of a group?

Contributor

settings >> System settings >> System Logging

0 Karma

Re: Can Splunk be configured to add a single active directory user instead of a group?

Communicator

Thanks. So here is what I am getting.

02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractorperson" Adding attribute="cn" with value="Person"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractorperson" Adding attribute="sAMAccountName" with value="xxxxx"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractorperson" Adding attribute="mail" with value="person@domain.org"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractorperson" Attempting to read entry at DN="OU=Contractors,OU=Non-Main Users,OU=Main,DC=domain,DC=org"
02-06-2015 15:52:47.923 -0500 DEBUG ScopedLDAPConnection - strategy="contractorperson" Attempting to search subtree at DN="OU=Contractors,OU=Non-Main Users,OU=Main,DC=domain,DC=org" using filter=""
02-06-2015 15:52:47.925 -0500 DEBUG ScopedLDAPConnection - strategy="contractorperson" Search duration="1992 microseconds"
ScopedLDAPConnection - strategy="contractor_person" LDAP Server returned no entries in search for DN="OU=Contractors,OU=Non-domain Users,OU=Main,DC=domain,DC=org" filter="(&(&(objectclass=group)(cn=Contractors))(cn=)(member=))".
02-06-2015 15:52:47.928 -0500 ERROR AdminHandler:AuthenticationHandler - Failed to retrieve a group with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.

0 Karma
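The DEBUG line above shows the group search being issued with empty assertions, "(cn=)" and "(member=)", which is why the server returns no entries. As an added diagnostic aid (not Splunk code and not from any poster), the checker below parses the RFC 4515 filters quoted in this thread, rejects unbalanced parentheses, and reports any attribute asserted against an empty value so a misconfigured attribute name can be spotted before the search is run.

```python
# Added example (not Splunk code): lint the LDAP filters quoted in this thread
# for unbalanced parentheses and empty assertion values such as "(cn=)".
import re

# attribute, comparison operator, value (the value may itself contain '=')
ASSERTION = re.compile(r"^([A-Za-z][\w.;-]*)(~=|>=|<=|:=|=)(.*)$")

def parse_filter(text):
    """Parse the RFC 4515 subset used here; raises ValueError when malformed."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op, pos, subs = text[pos], pos + 1, []
            while pos < len(text) and text[pos] == "(":
                subs.append(node())
            result = (op, subs)
        else:
            end = text.find(")", pos)
            m = ASSERTION.match(text[pos:end]) if end >= 0 else None
            if not m:
                raise ValueError(f"malformed assertion at offset {pos}")
            result, pos = ("=", m.group(1), m.group(3)), end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unbalanced parentheses: missing ')'")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return tree

def empty_assertions(tree):
    """Attribute names asserted against an empty value, e.g. '(cn=)'."""
    if tree[0] == "=":
        return [tree[1]] if tree[2] == "" else []
    return [a for sub in tree[1] for a in empty_assertions(sub)]

def lint_filter(text):
    """Return ('ok', []), ('empty-value', [attrs]) or ('malformed', msg)."""
    try:
        empties = empty_assertions(parse_filter(text))
    except ValueError as err:
        return ("malformed", str(err))
    return ("empty-value", empties) if empties else ("ok", [])
```

Running `lint_filter` over the logged group filter returns the empty `cn` and `member` assertions, while the user base filters from the first post parse cleanly.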