Hi,
I have a Splunk stand-alone test system that I have successfully configured to use LDAP authentication. Everything seems to be working fine, but I am receiving a lot of errors from the Authentication Manager (see below), which is trying to obtain user information for the user 'system'. The user has never existed as far as I can tell. I have also checked through the metadata files for any reference to the user but cannot find anything.
DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="**system**" from strategy="XXX-Strategy"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Initializing with LDAPURL="ldaps://XXX:636"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Attempting bind as DN="CN=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Bind successful
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Attempting to search subtree at DN="OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX" using filter="(&(samaccountname=**system**)(displayname=*))"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Search duration="1477 microseconds"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" LDAP Server returned no entries in search for DN="OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX" filter="(&(samaccountname=**system**)(displayname=*))".
As you can see there is a successful LDAP bind but then several failed attempts to enumerate the 'system' user (not repeated here). I have checked the archives and can only find references to the possibility that 'system' may own some objects (searches, views etc.), but I have checked all the *.meta files and cannot find any references to any non-existent users other than 'nobody' and 'splunk-system-user'. Can anyone shed any light?
This can happen if you have knowledge objects (searches, lookups, extractions) owned by a user who was at one point a user but has since been removed.
Splunk will look for users initially in the local auth DB, and if not found will search LDAP. If it can't find that user in an LDAP DS, it will log that error.
Splunk 'hides' KOs from the UI if the user does not exist, so you will need to grep through your meta files for that username, and change the owner to someone who still exists and the errors will cease.
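The grep-and-reassign step the answer describes, as an added example (not from the post, and not Splunk's own tooling). It assumes the usual `$SPLUNK_HOME/etc/apps/<app>/metadata/*.meta` layout, an orphaned owner named `system` and a replacement owner `admin`; the sample `local.meta` it writes to a temp directory is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: find knowledge-object stanzas in Splunk *.meta files whose
# "owner" is a user that no longer exists, and reassign them to a live user.
# Paths, usernames and the sample metadata below are assumptions for illustration.
set -eu

# Constructed sample, shaped like $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta.
# The saved search owned by "system" is the kind of stanza that makes the
# Authentication Manager look the user up in LDAP on every refresh.
make_sample_meta() {
    local dir="$1"
    mkdir -p "$dir/apps/search/metadata"
    cat > "$dir/apps/search/metadata/local.meta" <<'EOF'
[savedsearches/Orphaned%20Search]
access = read : [ * ], write : [ admin ]
export = none
owner = system
version = 7.0.0
modtime = 1510000000.000000000

[views/ok_view]
access = read : [ * ], write : [ admin ]
owner = admin
EOF
}

# Print "file:[stanza]" for every stanza under $1 whose owner is exactly $2.
# Tracks the current [stanza] header so the hit is reported per object, not per file.
find_orphan_stanzas() {
    local root="$1" user="$2"
    find "$root" -name '*.meta' | while IFS= read -r f; do
        awk -v u="$user" -v f="$f" '
            /^\[/ { stanza = $0 }
            /^[[:space:]]*owner[[:space:]]*=/ {
                split($0, kv, "=")
                gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
                if (kv[2] == u) print f ":" stanza
            }' "$f"
    done
}

# Rewrite every "owner = $2" line under $1 to "owner = $3", keeping a .bak copy.
# Only whole-value matches are touched, so "system2" would be left alone.
reassign_owner() {
    local root="$1" old="$2" new="$3"
    find "$root" -name '*.meta' | while IFS= read -r f; do
        if grep -qE "^[[:space:]]*owner[[:space:]]*=[[:space:]]*${old}[[:space:]]*$" "$f"; then
            cp "$f" "$f.bak"
            sed -E "s/^([[:space:]]*owner[[:space:]]*=[[:space:]]*)${old}[[:space:]]*$/\1${new}/" "$f" \
                > "$f.tmp" && mv "$f.tmp" "$f"
        fi
    done
}

# Stand-alone run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_meta "$work"
    echo "Stanzas owned by 'system':"
    find_orphan_stanzas "$work" system
    reassign_owner "$work" system admin
    echo "After reassignment, owned by 'admin':"
    find_orphan_stanzas "$work" admin
    rm -rf "$work"
fi
```

Against a real install, point `find_orphan_stanzas` at `$SPLUNK_HOME/etc/apps` and `$SPLUNK_HOME/etc/users` first and review the list before calling `reassign_owner`; Splunk reads the metadata files at startup, so restart splunkd afterwards and confirm the `AuthenticationManagerLDAP` lookups for the old user have stopped.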
Update:
Just in case I had missed anything I thought I would try the following:
This is a pretty vanilla install: I have installed one App/TA (Splunk for AWS) and configured LDAP. Everything appears to work just fine apart from the messages in the logs. I am prepared to ignore it, but would be much happier if it could be resolved.
Other details that may be useful:
Splunk Enterprise Version: 7.0.0 64-Bit
OS: Amazon Linux AMI 2017.09
AWS App ver: 5.1.0
AWS TA ver: 4.4.0