I have 5 LDAP users defined in an LDAP group, and 4 of them log in to Splunk successfully. Only one of them has a problem.
From the log, I got the following.
08-04-2014 13:22:47.861 +1000 ERROR AuthenticationManagerLDAP - Could not find user="splunk_network_test" with strategy="AD"
08-04-2014 13:22:47.861 +1000 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="splunk_network_test" on any configured servers
When I run ldapsearch, the user details are returned successfully. I use the same bind user/password as Splunk does.
What is the next step in troubleshooting this?


Here are the steps to check exactly what search Splunk is using when connecting to AD.
Enable the following debug settings:
ScopedLDAPConnection = DEBUG
AuthenticationManagerLDAP = DEBUG
In splunkd.log, you will see records like this:
10-31-2014 10:33:13.785 +0800 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="splunk_network_test" from strategy="ldap_group"
10-31-2014 10:33:13.785 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Initializing with LDAPURL="ldap://10.10.10.10:389"
10-31-2014 10:33:13.785 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Attempting bind as DN="CN=ldapadm,CN=Users,DC=splunkldap,DC=com"
10-31-2014 10:33:13.788 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Bind successful
10-31-2014 10:33:13.796 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Attempting to search subtree at DN="CN=Users,DC=splunkldap,DC=com" using filter="(&(samaccountname=splunk_network_test)(objectclass=user)(displayname=*))"
10-31-2014 10:33:13.824 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Search duration="27.32 milliseconds"
10-31-2014 10:33:13.824 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" LDAP Server returned no entries in search for DN="CN=Users,DC=splunkldap,DC=com" filter="(&(samaccountname=splunk_network_test)(objectclass=user)(displayname=*))".
10-31-2014 10:33:13.824 +0800 ERROR AuthenticationManagerLDAP - Could not find user="splunk_network_test" with strategy="ldap_group"
Use the filter from the debug log to run the ldapsearch again to check.
filter="(&(samaccountname=splunk_network_test)(objectclass=user)(displayname=*))"
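An added example (not part of the original answer and not Splunk's code): a Python helper that pulls the server URL, bind DN, search base and filter out of the ScopedLDAPConnection DEBUG lines and builds ldapsearch commands that repeat Splunk's exact search, then the user-name clause alone and paired with each other clause, so you can see which clause excludes the account. It assumes OpenLDAP's `ldapsearch` and that the first clause of the filter is the user-name match, as in the log above.

```python
import re
import shlex

# DEBUG lines as quoted in the answer above (IP and DNs are the post's sample values).
SAMPLE_LOG = '''\
10-31-2014 10:33:13.785 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Initializing with LDAPURL="ldap://10.10.10.10:389"
10-31-2014 10:33:13.785 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Attempting bind as DN="CN=ldapadm,CN=Users,DC=splunkldap,DC=com"
10-31-2014 10:33:13.796 +0800 DEBUG ScopedLDAPConnection - strategy="ldap_group" Attempting to search subtree at DN="CN=Users,DC=splunkldap,DC=com" using filter="(&(samaccountname=splunk_network_test)(objectclass=user)(displayname=*))"
'''
FIELD = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in a splunkd.log line

def extract_search(log_text):
    """Return url, bind_dn, base and filter of the last LDAP search logged."""
    ctx = {}
    for line in log_text.splitlines():
        if "ScopedLDAPConnection" not in line:
            continue
        kv = dict(FIELD.findall(line))
        if "LDAPURL" in kv:
            ctx["url"] = kv["LDAPURL"]
        elif "Attempting bind as" in line:
            ctx["bind_dn"] = kv["DN"]
        elif "Attempting to search subtree" in line:
            ctx["base"], ctx["filter"] = kv["DN"], kv["filter"]
    return ctx

def and_clauses(ldap_filter):
    """Split a top-level (&(a)(b)...) filter into clauses; others come back whole."""
    if not (ldap_filter.startswith("(&") and ldap_filter.endswith(")")):
        return [ldap_filter]
    clauses, depth, start, body = [], 0, 0, ldap_filter[2:-1]
    for i, ch in enumerate(body):
        if ch == "(":
            start, depth = (i if depth == 0 else start), depth + 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                clauses.append(body[start:i + 1])
    return clauses

def ldapsearch_commands(ctx):
    """Splunk's exact search first, then the user clause alone and with each other clause."""
    missing = {"url", "bind_dn", "base", "filter"} - ctx.keys()
    if missing:
        raise ValueError(f"DEBUG lines missing from log: {sorted(missing)}")
    first, *rest = and_clauses(ctx["filter"])
    filters = [ctx["filter"]] + ([first] + [f"(&{first}{c})" for c in rest] if rest else [])
    # -W prompts for the bind password; "1.1" requests no attributes, so only DNs print.
    cmd = ["ldapsearch", "-x", "-LLL", "-H", ctx["url"], "-D", ctx["bind_dn"], "-W",
           "-b", ctx["base"], "-s", "sub"]
    return [shlex.join(cmd + [f, "1.1"]) for f in filters]

if __name__ == "__main__":
    print("\n".join(ldapsearch_commands(extract_search(SAMPLE_LOG))))
```

If the user-name clause alone returns the account but one of the paired filters does not, that paired clause names the attribute or object class the account is missing; if even the user-name clause returns nothing, the account lies outside the logged search base.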

DEBUG to be added to C:\Program Files\Splunk\etc\log.cfg
You should probably see the line below:
category.AuthenticationManagerLDAP=INFO
Change it to
category.AuthenticationManagerLDAP=DEBUG
category.ScopedLDAPConnection=DEBUG
Hi @stanwin
I followed the steps you provided and tried to get the logs from _internal, and this is what I saw. Would this mean that there is something wrong with LDAP? If yes, do you know what we should check?
2/26/19
9:15:46.797 PM
02-26-2019 21:15:46.797 +0000 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="galzaga!" from strategy="DxlMxxx_Host"
Thank you!

Hello Kevinalzaga
Try to do 'Reload Authentication configuration' if you haven't done that yet.
You can see that in the SH UI:
Settings » Access controls » Authentication method
If this still does not help, I would have a troubleshooting session with your local LDAP admin.
That would be the best way to find the issue.
Hi @stanwin
What will be the fix for this? I tried changing it to debug and found that my user could not be found in LDAP.
2/26/19
3:57:48.671 PM
02-26-2019 15:57:48.671 +0000 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="galzaga!" from strategy="Delmonte_LDAP_Backup"
host = ip-172-21-3-163.dmfi.delmonte.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
2/26/19
3:57:11.265 PM
02-26-2019 15:57:11.265 +0000 ERROR UiAuth - user=galzaga! action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36" clientip=172.21.3.47
host = ip-172-21-3-163.dmfi.delmonte.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
2/26/19
3:57:11.265 PM
02-26-2019 15:57:11.265 +0000 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="galzaga!" on any configured servers
host = ip-172-21-3-163.dmfi.delmonte.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
2/26/19
3:57:11.265 PM
02-26-2019 15:57:11.265 +0000 INFO AuthenticationManagerLDAP - Could not find user="galzaga!" with strategy="DelMonte_LDAP"
host = ip-172-21-3-163.dmfi.delmonte.com source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd
