I need to figure out what LDAP values I should be using to make auth work.
If you are comfortable with the command line you can run the command ldifede. The ldifde command is the windows equivalent of ldapsearch and should allow you to get an ldif entry for yourself and a group. With those two entries we should be able to come up with authentication.conf that will allow Splunk to authenticate users.
If you are more comfortable with a GUI The Sysinternals team offers a nice utility called Active Directory Explorer. This gives you tree view of your Active Directory/LDAP structure similar to Windows Explorer.
Both "LDP" and "ADSIEDIT.MSC" are built in utilities that allow you to have a GUI view of Active Directory. Run them from "Start--> Run" in Windows on your AD Server
The values that you will need to map are:
BindDN: This will be the full Distinguised Name of the user that Splunk is going to connect to the AD server as
UserBaseDN: Look at the Distinguished name for the user that you got from ldifde and take everything after cn=foo
GroupBaseDN: Look at the Distinguished name for the group that you got from ldifde and take everything after cn=foo
Real name attribute: Look for the key that is associated with the full name of the user (likely displayName)
Group name attribute: Look for the key that is associated with the full name of the group (likely cn)
Group member attribute: Its usually memberOf
or member
, depending on whether the memberships are listed in the group entry or the user entry
You may also want to check out this video from the Splunk Ninja
There are good examples for using ldif and ldapsearch on the splunk documentation. http://docs.splunk.com/Documentation/Splunk/5.0/Security/SetupuserauthenticationwithLDAP
Another great (freeware) LDAP browser is Apache Directory Studio. You can download builds for OSX, Linux and Windows.
There are good examples for using ldif and ldapsearch on the splunk documentation. http://docs.splunk.com/Documentation/Splunk/5.0/Security/SetupuserauthenticationwithLDAP
If you are comfortable with the command line you can run the command ldifede. The ldifde command is the windows equivalent of ldapsearch and should allow you to get an ldif entry for yourself and a group. With those two entries we should be able to come up with authentication.conf that will allow Splunk to authenticate users.
If you are more comfortable with a GUI The Sysinternals team offers a nice utility called Active Directory Explorer. This gives you tree view of your Active Directory/LDAP structure similar to Windows Explorer.
Both "LDP" and "ADSIEDIT.MSC" are built in utilities that allow you to have a GUI view of Active Directory. Run them from "Start--> Run" in Windows on your AD Server
The values that you will need to map are:
BindDN: This will be the full Distinguised Name of the user that Splunk is going to connect to the AD server as
UserBaseDN: Look at the Distinguished name for the user that you got from ldifde and take everything after cn=foo
GroupBaseDN: Look at the Distinguished name for the group that you got from ldifde and take everything after cn=foo
Real name attribute: Look for the key that is associated with the full name of the user (likely displayName)
Group name attribute: Look for the key that is associated with the full name of the group (likely cn)
Group member attribute: Its usually memberOf
or member
, depending on whether the memberships are listed in the group entry or the user entry
You may also want to check out this video from the Splunk Ninja