Hello,
We are using Splunk with CAC / Smart Card authentication and want to add to our configuration the ability to map LDAP groups to roles within Splunk.
What we'd like to have happen:
* User logs in with CAC / Smart Card authentication with PIN.
* Splunk looks up the user in an LDAP directory to get their group memberships.
* Splunk maps group membership into a role like "user" or "admin" within the application.
CAC / Smart Card authentication means we've centralized our authentication. What we're looking for is to build on that to centralize authorization by using LDAP group membership to determine the correct permissions for each user.
How Splunk is currently configured:
* A web server like Apache is configured to require TLS client certificate authentication.
* The web server finds the user's ID (or equivalent field within the TLS client certificate data).
* The web server assigns that user ID to an HTTP header. e.g. `X-MY-REMOTE-USER-ID`
* The web server reverse proxies the connection to the Splunk web application server.
* The Splunk web application is configured, via `web.conf`, to use SSO with the `remoteUser` configuration setting to set the Splunk user based on the value of the HTTP header.
Is there a way to achieve the configuration we're looking for?
Here is our existing Splunk authentication configuration:
`$SPLUNK_HOME/etc/system/local/web.conf`
```
[settings]
SSOMode = strict
enableSplunkWebSSL = true
httpport = 8443
login_content = <div>REDACTED</div>
privKeyPath = /path/to/key.pem
remoteUser = X-MY-REMOTE-USER-ID
remoteUserMatchExact = 1
serverCert = /path/to/tls/cert.pem
tools.proxy.on = false
trustedIP = 127.0.0.1
updateCheckerBaseURL = 0
keepAliveIdleTimeout = 270
server.thread_pool = 100
tools.sessions.timeout = 15
```
`$SPLUNK_HOME/etc/system/local/authorization.conf`
```
# cat authentication.conf
[authentication]
authType = Splunk
[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 60
expireUserAccounts = 1
forceWeakPasswordChange = 1
lockoutAttempts = 3
lockoutMins = 1440
lockoutThresholdMins = 15
lockoutUsers = 1
minPasswordDigit = 1
minPasswordLength = 15
minPasswordLowercase = 1
minPasswordSpecial = 1
minPasswordUppercase = 1
passwordHistoryCount = 5
verboseLoginFailMsg = 0
```
Here's ours.
```
[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 60
expireUserAccounts = 1
forceWeakPasswordChange = 0
lockoutAttempts = 3
lockoutMins = 30
lockoutThresholdMins = 15
lockoutUsers = 1
minPasswordDigit = 1
minPasswordLength = 15
minPasswordLowercase = 1
minPasswordSpecial = 1
minPasswordUppercase = 1
passwordHistoryCount = 5
verboseLoginFailMsg = 1
[LDAP1]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=SPLUNK.SVC,OU=SPLUNK,OU=Service Accounts,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX
bindDNpassword = mypassword
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = OU=SPLUNK,OU=Groups,OU=XXX,DC=XXX,DC=XXX,DC=XXX,DC=XXX
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = mydc.com
nestedGroups = 1
network_timeout = 29
pagelimit = -1
port = 3269
realNameAttribute = cn
sizelimit = 100000
timelimit = 28
userBaseDN = DC=XXX,DC=XXX,DC=XXX,DC=XXX;DC=XXX1,DC=XXX,DC=XXX,DC=XXX;DC=XXX2,DC=XXX,DC=XXX,DC=XXX
userNameAttribute = userprincipalname
[roleMap_LDAP1]
admin = Splunk Admins
user = DL SPLUNK Share - Read;Splunk Users
```
I have multiple userBaseDNs because I pull from different AD trusts. If you're not doing that then you don't need to use port 3269 fyi. Port 636 works just fine for me too.
What attribute in AD stores your Principal Name for your CAC? If you open up the authentication certificate on your card it should show under the Subject Alternative Name. Our AD environment has it as the userprincipalname.
The Proxy stanzas I added earlier extract that Principal Name from the certificate presented and then pass it along to be authenticated.
@jramnanitandem, are the roles you have mapped showing up for you under the Splunk Web UI -> Authentication Methods -> LDAP Settings -> Map Groups?
Another question: did you make any modifications to /opt/splunk/etc/openldap/ldap.conf? Doubt this would cause an issue, but it would be nice to know.
I realize this question is several months old, but is there a specific log file that can be looked through to see what information is being passed to Splunk when it's attempting to authenticate the token? I have a similar LDAP configuration; I get no errors when selecting the certificate on the token, but then the browser redirects to the Splunk manual user name and password page. No errors are given, so I'm going on the assumption that the details I'm providing to Splunk from the token's certificate are not being found in Active Directory.
We configured everything as documented. I've gotten the CAC prompt and the PIN prompt, and can log in with the LDAP password, but there is no pass-through. Do I need to enable token authentication, or is there something on the LDAP side that allows CAC login?
Should I log in with CAC without any prompting? We get prompted by LDAP to put the password in. When we type the password, we're logged in.
Porting over much of your settings into our authentication.conf file worked for us.
To answer the questions you had previously:
* We do not have to pull from multiple AD trusts in our configuration.
* What attribute in AD stores your Principal Name for your CAC? - we also use `userprincipalname`. We're using that value for "userNameAttribute" in authentication.conf.
* Are the roles you have mapped showing up for you under the Splunk Web UI -> Authentication Methods -> LDAP Settings -> Map Groups? - Thanks for this tip. This was useful in helping us troubleshoot whether Splunk was understanding our configuration and querying LDAP successfully.
Things that might have prevented our initial configuration from working:
* We may have used an incorrect userBaseDN for our environment. That would have resulted in failed user queries.
* Our "groupMemberAttribute" may have been wrong. I was used to the attribute being "uniqueMember" from previous experience with AD, but my memory may have been incorrect. I changed it to the value you provided, and it works.
* Splunk may not recursively search OUs when doing a group search. So we asked our Active Directory administrators to create two groups within the same OU and used that OU as our "groupBaseDN".
We changed those items and had a successful test of this configuration today. I've marked your response with your authentication.conf file as correct.
Thank you! 🙂
Glad to hear you were able to get it working... 🙂 Thank you for marking the answer as correct, as it will help others with the same question in the future.
Yes it's possible to do exactly what you're looking for. We utilize CAC authentication for our Splunk servers.
Is the Reverse Proxy set up on the same server you'll be logging into?
We have our web.conf set up like:
```
[settings]
httpport = 8000
SSOMode = permissive
remoteUser = cacuser
enableSplunkWebSSL = 1
trustedIP = 127.0.0.1
```
Our authentication.conf shows the LDAP settings for the DC that contains the users & groups we're pulling from. It also has the different roles in Splunk mapped to different ldap groups.
In our httpd conf file for the reverse proxy, we had to set the settings as:
```
<Proxy *>
RequestHeader set cacuser %{SSL_CLIENT_SAN_OTHER_msUPN_0}s
</Proxy>
```
Hope this works!
If you need further assistance I can share with you the full httpd conf file.
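As an added example (not the thread's or Splunk's own configuration), here is the shape of the Apache vhost the answer above implies, assuming Splunk Web on 127.0.0.1:8000 with enableSplunkWebSSL=1, remoteUser = cacuser and trustedIP = 127.0.0.1 as in the web.conf above, and placeholder certificate paths. The unset-before-set pair is the part that stops a browser from forging the SSO header through the proxy.

```apache
<VirtualHost *:443>
    ServerName splunk.example.com
    SSLEngine on
    # Placeholder paths: the proxy's own server certificate and key.
    SSLCertificateFile /etc/pki/tls/certs/splunk-web.crt
    SSLCertificateKeyFile /etc/pki/tls/private/splunk-web.key

    # Client certificate is mandatory and must chain to the CAC issuing CAs
    # (placeholder bundle path); revoked cards are rejected via the CRL file.
    SSLCACertificateFile /etc/pki/tls/certs/cac-issuing-cas.pem
    SSLVerifyClient require
    SSLVerifyDepth 4
    SSLCARevocationFile /etc/pki/tls/crls/cac-crls.pem
    SSLCARevocationCheck chain

    # Never trust a caller-supplied copy of the SSO header: strip it before
    # the proxied request is built, then set it from the verified cert only.
    RequestHeader unset cacuser early
    RequestHeader set cacuser "%{SSL_CLIENT_SAN_OTHER_msUPN_0}s"

    # Forward only to the local Splunk Web instance; no open proxying.
    ProxyRequests Off
    SSLProxyEngine on
    ProxyPass / https://127.0.0.1:8000/
    ProxyPassReverse / https://127.0.0.1:8000/

    # Log the UPN the proxy asserted, to correlate with Splunk's login audit.
    LogFormat "%h %t \"%r\" %>s upn=%{SSL_CLIENT_SAN_OTHER_msUPN_0}x" cac
    CustomLog /var/log/httpd/splunk_cac_access.log cac
</VirtualHost>
```

Splunk's trustedIP only honours the header from 127.0.0.1, so Splunk Web should also bind to loopback (server.socket_host in web.conf) so port 8000 is not reachable without going through the proxy.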
I know this thread is a few years old, but I hope you are still active. Splunk is not pulling the OID off of smartcards to handle the full login itself. So we set up Apache and I made the remoteUser and RequestHeader configurations you described. When Splunk receives the header, nothing happens though. It logs an entry that ProxySSO is not configured. Have you seen this issue, and do you know how to get past it to still use LDAP authentication in Splunk while passing the user name from the proxy via your described method?
Here are the settings that you can enable in log.conf to get more detailed logging.
`$splunk_install_dir$/etc/log.conf`
```
category.X509=DEBUG
category.UiAuth=DEBUG
```
Post the error message here or call support.
@Stefanie Thank you!
Here are the answers to your questions:
* Is the Reverse Proxy set up on the same server you'll be logging into?
Yes, our web server reverse proxy is running on the same server as the Splunk server.
On the bright side, our CAC authentication is currently working. We tried adding an LDAP strategy to `authentication.conf` but were unsuccessful at getting it to work the way we'd hoped.
Seeing an example of your "authentication.conf" might be helpful for me.
Here is an example of what we tried in "authentication.conf":
```
[authentication]
authType = LDAP
authSettings = ldap_strategy
[ldap_strategy]
host = active-directory.example.com
SSLEnabled = 1
port = 636
bindDN = CN=MYAPP.dev,OU=Service Accounts,DC=example,DC=com
bindDNpassword = REDACTED
groupBaseDN = DC=example,DC=com
groupMemberAttribute = uniqueMember
groupNameAttribute = cn
realNameAttribute = displayName
userBaseDN = CN=Users,DC=example,DC=com
userBaseFilter = (objectclass=organizationalPerson)
userNameAttribute = cn
[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 60
expireUserAccounts = 1
forceWeakPasswordChange = 1
lockoutAttempts = 3
lockoutMins = 1440
lockoutThresholdMins = 15
lockoutUsers = 1
minPasswordDigit = 1
minPasswordLength = 15
minPasswordLowercase = 1
minPasswordSpecial = 1
minPasswordUppercase = 1
passwordHistoryCount = 5
verboseLoginFailMsg = 0
[roleMap_ldap_strategy]
# Map Splunk role name to LDAP group name
# SplunkRoleName = LDAPGroupName
admin = SplunkAdmins
user = BusinessUsers
```