Security
Highlighted

How to get list of users removed from LDAP but are still available in Splunk user directories

Communicator

Hi Team,

In my implementation splunk is integrated with LDAP authentication, users who left the organizations will be removed from the LDAP group as part of exit process form is submitted to LDAP group.

question is how do we get to know of that exited user in splunk so that we can do the clean up on splunk end(backing up/re-assigning/deleting his users directory) , especially those users who did not have any splunk artifacts (i.e. they were just looking up dashboards etc hence will not be listed as part of orphaned searches or objects).

Looking forward to you inputs.

Thank you!

0 Karma
Highlighted

Re: How to get list of users removed from LDAP but are still available in Splunk user directories

SplunkTrust
SplunkTrust

Hi newbie2tech,

This is not a Splunk problem, but more an process/organisational problem. Easiest fix: get the form that is submitted to the LDAP group also submitted to the Splunk group - done.

Of course there are ways to use Splunk queries and compare them to the AD users and such. But this will be more of a work around rather than fixing the cause.

Might not be the expected answer, but at least it will give you something to start/think about.

cheers, MuS

View solution in original post

0 Karma
Highlighted

Re: How to get list of users removed from LDAP but are still available in Splunk user directories

Communicator

Thanks MuS for the quick response, yes i agree it isn't splunk problem and more of process thing. I was hoping to get details on those splunk queries and compare them with AD users.

I noticed your response in other threads to use below rest api to get the list of users active in LDAP and put them in summary index and run queries against them to find any exited users...would you recommend the same in my case.

| rest /services/authentication/httpauth-tokens splunk_server=local

Please let me know when user is removed in LDAP will we have any sort of error in any of the splunk logs that i can generate a report on Or it is just above method?Also when the user is removed in LDAP in Splunk GUI automatically the exited user will not be listed right?

0 Karma
Highlighted

Re: How to get list of users removed from LDAP but are still available in Splunk user directories

SplunkTrust
SplunkTrust

You will not get any error messages except any possible orphan knowledge objects.
The user will not be listed in Splunk after being removed from AD, once authentication was refreshed otherwise the user is still cached in Splunk.
the REST call will give you the current logged on users, so to get the difference over time you will have to use the summary events and do something like this:

 index=summary_ldap_events 
 | search NOT [ | ldapsearch .... ]

this will query the AD and compares it with the summary events, showing the users that are NOT in AD anymore.

cheers, MuS

0 Karma
Highlighted

Re: How to get list of users removed from LDAP but are still available in Splunk user directories

Communicator

Thank you MuS for further details, this helps me better understand now. However i have below 3 questions per your response.

Do we not have a way using REST api call to get all the splunk users in LDAP(who are not removed) instead of who are currently logged in? Because good number of users might be logging in once a week or few times a month, how do we accomodate them.

Also if we were to go with api call that gives the current logged user, the scheduled search running this api call , what is good frequency to run this search, seems like multiple times a day(hourly once atleast?)

Also what would be the time range that we need to choose for running the search query that you gave in above comment? ( index=summaryldapevents | search NOT [ | ldapsearch .... ]) ...i would think it would be whatever the time range which we think all the users might have logged in, is it?

Once user is removed in LDAP, do we need to accomodate explicitly authentication refresh on splunk end ? is it one of the config setting as part of LDAP auth setup or it is taken care out of the box.

0 Karma