
How to troubleshoot why one user within a LDAP Group cannot login to Splunk, but other users are fine?

daniel_splunk
Splunk Employee

I have 5 LDAP users defined in an LDAP group and 4 of them log in to Splunk successfully. Only one of them has a problem.

From the log, I got the following.

08-04-2014 13:22:47.861 +1000 ERROR AuthenticationManagerLDAP - Could not find user="splunk_network_test" with strategy="AD"

08-04-2014 13:22:47.861 +1000 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="splunk_network_test" on any configured servers

When I run ldapsearch, the user details are returned successfully. I use the same bind user/password as Splunk does.

What is the next step to troubleshooting this?

1 Solution

daniel_splunk
Splunk Employee

Here are the steps to check the exact search Splunk is using when connecting to AD.

Enable the following debug settings:

ScopedLDAPConnection = DEBUG

AuthenticationManagerLDAP = DEBUG

From splunkd.log, you will see records like this.

10-31-2014 10:33:13.785 +0800 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="splunk_network_test" from strategy="ldap_group"
10-31-2014 10:33:13.785 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Initializing with LDAPURL="ldap://10.10.10.10:389"
10-31-2014 10:33:13.785 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Attempting bind as DN="CN=ldapadm,CN=Users,DC=splunkldap,DC=com"
10-31-2014 10:33:13.788 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Bind successful
10-31-2014 10:33:13.796 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Attempting to search subtree at DN="CN=Users,DC=splunkldap,DC=com" using filter="(&(samaccountname=splunk_network_test)(objectclass=user)(displayname=*))"
10-31-2014 10:33:13.824 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Search duration="27.32 milliseconds"
10-31-2014 10:33:13.824 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" LDAP Server returned no entries in search for DN="CN=Users,DC=splunkldap,DC=com" filter="(&(samaccountname=splunk_network_test)(objectclass=user)(displayname=*))".
10-31-2014 10:33:13.824 +0800 ERROR AuthenticationManagerLDAP - Could not find user="splunk_network_test" with strategy="ldap_group"

Use the filter from the debug log to run ldapsearch again and check.

filter="(&(samaccountname=splunk_network_test)(objectclass=user)(displayname=*))"

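As an added example (not from the thread), a small Python script that pulls the bind DN, search base and filter Splunk logged for a strategy out of splunkd.log and prints the equivalent ldapsearch command, plus one command per clause of the AND filter so you can see which condition the missing user's entry fails; the sample log text is the thread's own debug output, embedded here as constructed input.

```python
import re
import shlex

# Constructed input: the ScopedLDAPConnection DEBUG lines quoted in the thread.
SAMPLE_LOG = """\
10-31-2014 10:33:13.785 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Initializing with LDAPURL="ldap://10.10.10.10:389"
10-31-2014 10:33:13.785 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Attempting bind as DN="CN=ldapadm,CN=Users,DC=splunkldap,DC=com"
10-31-2014 10:33:13.788 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Bind successful
10-31-2014 10:33:13.796 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Attempting to search subtree at DN="CN=Users,DC=splunkldap,DC=com" using filter="(&(samaccountname=splunk_network_test)(objectclass=user)(displayname=*))"
10-31-2014 10:33:13.824 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" LDAP Server returned no entries in search for DN="CN=Users,DC=splunkldap,DC=com" filter="(&(samaccountname=splunk_network_test)(objectclass=user)(displayname=*))".
"""

KV = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs as splunkd.log writes them; filters never contain a double quote

def parse_lookup(log_text):
    """Per strategy, collect URL, bind DN, search base and filter Splunk used, and whether the server returned no entries."""
    strategies = {}
    for line in log_text.splitlines():
        if "ScopedLDAPConnection" not in line:
            continue
        kv = dict(KV.findall(line))
        s = strategies.setdefault(kv.get("strategy"), {"no_entries": False})
        if "LDAPURL" in kv:
            s["url"] = kv["LDAPURL"]
        if "Attempting bind as" in line:
            s["bind_dn"] = kv["DN"]
        if "Attempting to search" in line:
            s["base_dn"], s["filter"] = kv["DN"], kv["filter"]
        if "returned no entries" in line:
            s["no_entries"] = True
    return strategies

def split_and_filter(ldap_filter):
    """Split a top-level (&(a)(b)(c)) filter into its clauses; anything else is returned whole."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        return [ldap_filter]
    inner, clauses, depth, start = ldap_filter[2:-1], [], 0, 0
    for i, ch in enumerate(inner):
        depth += (ch == "(") - (ch == ")")  # track nesting so (|(..)(..)) stays one clause
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            clauses.append(inner[start:i + 1])
    return clauses

def ldapsearch_commands(s):
    """Full filter first, then one ldapsearch per clause: the clause that returns nothing is the condition the user's entry fails."""
    base = ["ldapsearch", "-x", "-H", s["url"], "-D", s["bind_dn"], "-W", "-b", s["base_dn"]]
    return [shlex.join(base + [f]) for f in [s["filter"]] + split_and_filter(s["filter"])]
```

Run `print("\n".join(ldapsearch_commands(parse_lookup(SAMPLE_LOG)["ldap_group"])))` and paste the commands into a shell on a host that can reach the directory.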

stanwin
Contributor

DEBUG is to be added to C:\Program Files\Splunk\etc\log.cfg

You should probably see the following:

category.AuthenticationManagerLDAP=INFO

Change it to

category.AuthenticationManagerLDAP=DEBUG
category.ScopedLDAPConnection=DEBUG


kevinalzaga
Observer

Hi @stanwin

I followed the steps you provided and tried to get the logs from _internal; this is what I saw. Would this mean that there is something wrong with the LDAP? If yes, do you know what we should check?


02-26-2019 21:15:46.797 +0000 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="galzaga!" from strategy="DxlMxxx_Host"

Thank you!


stanwin
Contributor

Hello Kevinalzaga

Try to do 'Reload Authentication configuration' if you haven't done that yet.

You can see that in the SH UI:
Settings » Access controls » Authentication method

If this still does not help, I would have a troubleshooting session with your local LDAP admin.

That would be the best way to find the issue.


kevinalzaga
Observer

Hi @stanwin

What will be the fix for this? I tried changing it to debug and found that my user could not be found in LDAP.

02-26-2019 15:57:48.671 +0000 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="galzaga!" from strategy="Delmonte_LDAP_Backup"

02-26-2019 15:57:11.265 +0000 ERROR UiAuth - user=galzaga! action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" clientip=172.21.3.47

02-26-2019 15:57:11.265 +0000 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="galzaga!" on any configured servers

02-26-2019 15:57:11.265 +0000 INFO AuthenticationManagerLDAP - Could not find user="galzaga!" with strategy="DelMonte_LDAP"
