Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I have this problem to configure Active Directory splunk 8.1.1

Elisvan
Engager
‎01-27-2021 04:04 AM

Error

01-27-2021 08:08:46.410 -0300 WARN ScopedLDAPConnection - strategy="SIEM" LDAP Server returned warning in search for DN="OU=XX,DC=XX,DC=XX,DC=br". reason="Size limit exceeded"

1-27-2021 08:08:46.411 -0300 ERROR AdminHandler:AuthenticationHandler - Failed to retrieve a group with these settings. Consult your LDAP admin or see splunkd.log with ScopedLDAPConnection set to DEBUG for more information.

We have Splunk 8.1.1 over SUSE 12 and we are trying to connect to AD in order to allow some specific groups. The problem is that Splunk can only "see" a few groups. We have been changing de OU, all kind of conditions and the problem is the same. It is not a permission problem because other tools with the same user can see all groups. We have around +9.000 groups in AD.  Splunk is able to see just 354 groups. We tried to include a static group to minimize the number of occurrencies, but Splunk is not able to find the correct groups. It only see olders groups in AD. The new group that we create for this, it can't see. What are the options to find the problem? Any others passed for this?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Elisvan
Engager
‎01-28-2021 06:34 AM

We finally understand the issue. The groups were empty. When we included an user inside the group, all of them appears in the LDAP integration. the big problem is in the splunk error message which has nothing to indicate that this would be the root cause. In summary I put the user in the group problem solved.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎01-27-2021 05:00 AM

Hi

By default splunk gets only 1000 items. So you should increase that value in authentication.conf sizelimit = 10000 or what is you current maximum amount of id:s + some spare over it.

https://docs.splunk.com/Documentation/Splunk/7.3.3/Admin/Authenticationconf

r. Ismo

0 Karma
Reply
Solved! Jump to solution
Solution

Elisvan
Engager
‎01-28-2021 06:34 AM

We finally understand the issue. The groups were empty. When we included an user inside the group, all of them appears in the LDAP integration. the big problem is in the splunk error message which has nothing to indicate that this would be the root cause. In summary I put the user in the group problem solved.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...