How to troubleshoot ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user in splunkd.log?

Hemnaath
Motivator

Hi Splunkers, I am seeing some 2023 event counts for the below-mentioned error detail in splunkd.log on all the indexer instances. Can anyone guide me on how/where to start the investigation into fixing this issue?

ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="test01". Search filter="(&(uniquemember=uid=test01,ou=Internal,ou=Users,dc=xxx,dc=com)(cn=Splunk_Admin))" strategy="XXXX LDAP"

Splunk Version : 7.0.4

0 Karma

splunkoptimus
Path Finder

Check if the user belongs to groups which have permissions to access Splunk.

0 Karma

Hemnaath
Motivator

Hi all, while troubleshooting this issue with the help of a Splunker from splunk.answers.com, I narrowed down the issue and fixed it.

In this case the LDAP configurations of the indexer and search head instances were different: on the indexer instances only the Splunk_Admin LDAP group was configured, whereas on the search head we had other LDAP groups configured. Because of this, whenever a user mapped to a group other than Splunk_Admin performed search activities, an error was thrown in splunkd.log due to the configuration conflict.

Problem Detail:
ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="test01". Search filter="(&(uniquemember=uid=test01,ou=Internal,ou=Users,dc=xxx,dc=com)(cn=Splunk_Admin))" strategy="XXXX LDAP"

Solution: Configured all the LDAP groups on the indexer instances the same as on the search head instances.

0 Karma
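The mismatch described in the post above can be checked before it shows up in splunkd.log. The following is an added example, not part of the original thread or Splunk's own tooling: it compares the [roleMap_<strategy>] stanzas of a search head's and an indexer's authentication.conf and lists the LDAP groups mapped on the search head but missing on the indexer. The conf contents, the strategy name corp_ldap and every group other than Splunk_Admin are constructed sample values.

```python
import re

# Constructed sample authentication.conf contents (not from the thread).
SEARCH_HEAD_CONF = """
[authentication]
authType = LDAP
authSettings = corp_ldap

[roleMap_corp_ldap]
admin = Splunk_Admin
power = Splunk_Power
user = Splunk_User;Splunk_Analysts
"""

INDEXER_CONF = """
[roleMap_corp_ldap]
admin = Splunk_Admin
"""

def mapped_groups(conf_text):
    """Return {strategy: set of LDAP groups} from every [roleMap_<strategy>] stanza."""
    groups, strategy = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        stanza = re.fullmatch(r"\[(.+)\]", line)
        if stanza:
            name = stanza.group(1)
            # Only roleMap stanzas carry role-to-group mappings; ignore the rest.
            strategy = name[len("roleMap_"):] if name.startswith("roleMap_") else None
            if strategy is not None:
                groups.setdefault(strategy, set())
        elif strategy is not None and "=" in line:
            # A role maps to one or more groups separated by semicolons.
            _role, value = line.split("=", 1)
            groups[strategy].update(g.strip() for g in value.split(";") if g.strip())
    return groups

def missing_on_indexer(sh_conf, idx_conf):
    """Groups mapped on the search head but absent from the indexer, per strategy."""
    sh, idx = mapped_groups(sh_conf), mapped_groups(idx_conf)
    gaps = {s: sorted(g - idx.get(s, set())) for s, g in sh.items()}
    return {s: g for s, g in gaps.items() if g}

if __name__ == "__main__":
    for strategy, groups in missing_on_indexer(SEARCH_HEAD_CONF, INDEXER_CONF).items():
        print(f"{strategy}: indexer lacks {', '.join(groups)}")
```

A user whose only mapped group appears in the output would match the error's search filter pattern on the indexer, since the indexer only looks for membership in the groups it has mapped.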

bharathkumarnec
Contributor

We have a lot of indexers. Do we need to add this to all the indexers?

0 Karma

richgalloway
SplunkTrust

@Hemnaath If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jhall0007
Path Finder

Was this issue causing any impact that you could identify? I am seeing a similar issue but I do not want to give users access to my indexers.

0 Karma

Hemnaath
Motivator

No, it did not cause any issues.

renjith_nair
Legend

Looks like an LDAP configuration issue.

See if this answer helps:

https://answers.splunk.com/answers/5415/how-can-i-append-basedn-to-member-uid-mappings-when-using-ld...

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

Hemnaath
Motivator

Hey renjith, thanks for your support on this. I am getting this error for only a few users, not all the users configured in Splunk via LDAP. So as per Simon's answer, where/in which location should I update the code? Could you please guide me on that?

groupMappingAttribute = uid
0 Karma

nikgoyal
New Member

Hemnaath, are you able to resolve this issue? I have started facing this, wherein some users are unable to log in. Not on a consistent basis.

0 Karma

Hemnaath
Motivator

Hi Nikgoyal, yes, we were able to resolve this issue by configuring all the LDAP groups on the indexer instances the same as on the search head instances.

0 Karma

Hemnaath
Motivator

Hey, can I get any help on this ...

0 Karma

sudosplunk
Motivator

Hello, I had the same problem with 6.5.1, 6.5.2 and 6.5.3 (occasionally).
I noticed it only happens when we are running Real-time searches.

0 Karma

Hemnaath
Motivator

Hey, we are using Splunk version 7.0.4, but how did you fix the issue? If you can share the knowledge it would be helpful, as I could see some 2000 errors in splunkd.log related to this.

0 Karma

renjith_nair
Legend

https://support.apple.com/kb/PH26272?viewlocale=en_ME&locale=en_ME

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

sudosplunk
Motivator

I am not sure if this behavior is still seen in 7.0.4. Please check if "real-time" searches are actually the culprits. Go to the "Job Manager" page (Activity -> Jobs) to see if there are any real-time searches running. Kill the search to see if the errors stop.

0 Karma

Hemnaath
Motivator

Hi Nittala, I have seen some jobs being executed by some users, and those users' details are showing up in splunkd.log as errors. To validate, I followed the directions in your comment above and found those users' jobs were either in the completed or running stage in Activity-Jobs. But when I checked with a user on the same, I found that he did not execute any real-time search and had been checking data related to the past 7 days. So what will be the next step for this issue?

0 Karma

sudosplunk
Motivator

I would suggest opening a support ticket with Splunk. They can assist you better after analyzing the diag file.

0 Karma