I've been attempting to configure Splunk to use some very large groups (>1500 members) to allow all users in my business unit to log in, instead of having to add smaller groups individually. When I try to use these groups and turn the logging level for AuthenticationManagerLDAP up to "Debug" I get the following error message.
09-24-2013 14:19:23.861 -0700 DEBUG AuthenticationManagerLDAP - Skipping dynamic group DN="CN=Org-BUName-Employees,OU=Automated,OU=Distribution Lists,OU=Groups,DC=corp,DC=company,DC=com" with no values for member attribute
Investigating with ldapsearch I found that this is not a dynamic group as Splunk claims. Because it's so large, querying the group returns the first 1500 group members with the attribute 'member;range=0-1499' instead of 'member' as Splunk expects. With a group this large, multiple requests need to be made to get all the members, with the attribute you're requesting being 'member;range=0-1499', 'member;range=1500-2999', etc.
If I change groupMemberAttribute to "member;range=0-1499" I get the first 1500 users from the large group, but the rest are missing and I get no users from the smaller groups. If it was possible to specify multiple groupMemberAttributes I could fix this issue, but according to http://docs.splunk.com/Documentation/Splunk/5.0.4/Admin/Authenticationconf this parameter only allows one value, not a list.
Update: While I still haven't come up with a solution I did come up with a workaround that works in my case. We have mailing lists for both Organizations and Locations. So I set up the userBaseFilter to filter users who are members of the mailing lists for the organizations I want to allow to log in to Splunk, and then in the roleMap section I used all the location mailing lists, which are all under 1000 users each. Without the filter this would allow anyone to log in, but with the organization filter those users won't be returned by AD.
You can try the sizelimit attribute, perhaps it's set to 1500 currently? You may want to up your timelimit and network_timeout depending on how long Splunk is waiting for the LDAP query.
sizelimit = <integer>
* OPTIONAL
* Limits the amount of entries we request in LDAP search
* IMPORTANT: The max entries returned is still subject to the maximum imposed by your LDAP server
* Example: If you set this to 5000 and the server limits it to 1000, you'll still only get 1000 entries back
* Defaults to 1000
Does anyone already have a real fix for this?
We now have this issue. We can't put "member;range=0-1499" in the LDAP setting. It returns an error that it can't find any users.
I just tested this out: you can put "member;range=0-1499" in the LDAP settings, but not via the GUI.
You have to make the change in authentication.conf; only then is the setting accepted by Splunk.
Trying to replicate the success you are having with the ranges, and I am unable to get AD to cooperate. Would you please give me the entries you are using in your conf to achieve the pointed LDAP strategy for 0-1499, etc.?
Problem is fixed in Release 7.3.X (tested)
You need to edit authentication.conf and add enableRangeRetrieval = 1 to your LDAP settings.
enableRangeRetrieval = <boolean>
* OPTIONAL
* The maximum number of values that can be retrieved from one attribute in a single LDAP search request is determined by the LDAP server. If the number of users in a group exceeds the LDAP server limit, enabling this setting fetches all users by using the "range retrieval" mechanism.
* Enables result sets for a given attribute that exceed the maximum number of values defined for the LDAP server.
* If set to false, ldap range retrieval is off.
* Default: false
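The range-retrieval sequence the question describes ('member;range=0-1499', then 'member;range=1500-*', and so on), which enableRangeRetrieval automates in the answer above, as an added Python example that is not code from this thread or from Splunk. The `search` callable and the `make_fake_ad` stand-in for a domain controller are assumptions constructed here so the example runs offline.

```python
import re
from typing import Callable, Dict, List
# AD returns an oversized attribute as "member;range=0-1499"; the last page is "member;range=N-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")

def parse_ranged_attribute(name):
    """Return (base_attr, lo, hi) for a ranged name (hi=None for '*'), else None."""
    m = RANGE_RE.match(name)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi

def fetch_all_values(search: Callable[[str, str], Dict[str, List[str]]],
                     group_dn: str, attr: str = "member") -> List[str]:
    """Collect every value of `attr` on `group_dn` using range retrieval.
    `search(dn, requested_attr)` is an assumed base-scope LDAP lookup returning
    {returned_attr_name: values}; after a `lo-hi` page we ask for `hi+1-*`."""
    values: List[str] = []
    requested = attr
    while True:
        result = search(group_dn, requested)
        if attr in result:                 # small group: no ranging at all
            return values + list(result[attr])
        page = None
        for name, vals in result.items():
            parsed = parse_ranged_attribute(name)
            if parsed and parsed[0] == attr:
                page = (parsed[1], parsed[2], vals)
        if page is None:                   # attribute absent: nothing to fetch
            return values
        lo, hi, vals = page
        if lo != len(values):
            raise ValueError(f"range starts at {lo}, but {len(values)} collected")
        values.extend(vals)
        if hi is None:                     # "lo-*" was the final page
            return values
        requested = f"{attr};range={hi + 1}-*"

def make_fake_ad(members: List[str], max_val_range: int = 1500):
    """Constructed stand-in for a domain controller paging at MaxValRange."""
    def search(dn: str, requested: str) -> Dict[str, List[str]]:
        parsed = parse_ranged_attribute(requested)
        base, lo = (parsed[0], parsed[1]) if parsed else (requested, 0)
        if not parsed and len(members) <= max_val_range:
            return {base: list(members)}   # fits in one response, no range tag
        chunk = members[lo:lo + max_val_range]
        tag = "*" if lo + max_val_range >= len(members) else str(lo + len(chunk) - 1)
        return {f"{base};range={lo}-{tag}": chunk}
    return search
```

A 3001-member group takes three round trips with this loop (0-1499, 1500-2999, 3000-*), while a group at or under the page size comes back as a plain `member` attribute in one.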