
LDAP Authentication Manager Errors

james190190
Explorer

Hi,

I have a Splunk stand-alone test system that I have successfully configured to use LDAP authentication. Everything seems to be working fine, but I am receiving a lot of errors from the Authentication Manager (see below) that is trying to obtain user information for the user 'system'. The user has never existed, as far as I can tell. I have also checked through the metadata files for any reference to the user but cannot find anything.

DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="**system**" from strategy="XXX-Strategy"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Initializing with LDAPURL="ldaps://XXX:636"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Attempting bind as DN="CN=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Bind successful
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Attempting to search subtree at DN="OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX"  using filter="(&(samaccountname=**system**)(displayname=*))"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Search duration="1477 microseconds"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" LDAP Server returned no entries in search for DN="OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX" filter="(&(samaccountname=**system**)(displayname=*))".

As you can see there is a successful LDAP bind but then several failed attempts to enumerate the 'system' user (not repeated here). I have checked the archives and can only find references to the possibility that 'system' may own some objects (searches, views etc.), but I have checked all the *.meta files and cannot find any references to any non-existent users other than 'nobody' and 'splunk-system-user'. Can anyone shed any light?

0 Karma
1 Solution

nickhills
Ultra Champion

This can happen if you have knowledge objects (searches, lookups, extractions) owned by a user who was at one point a user but has now been removed.

Splunk will look for users initially in the local auth DB, and if not found will search LDAP. If it can't find that user in an LDAP DS, it will log that error.

Splunk 'hides' KOs from the UI if the user does not exist, so you will need to grep through your meta files for that username and change the owner to someone who still exists, and the errors will cease.

If my comment helps, please give it a thumbs up!

0 Karma
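The "grep through your meta files and change the owner" step from the accepted answer, as an added example that is not from this thread or from Splunk: a POSIX shell script that walks every *.meta file under the Splunk etc directory (both the apps/ tree and the users/ tree), lists each stanza whose `owner =` line names the missing user, and rewrites that owner to an existing user while keeping a .bak copy. The `[type/name]` stanza layout and the `owner` and `export` keys are Splunk's real metadata conventions; the function names, the example paths and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): find and reassign
# knowledge objects whose owner no longer exists.
#
# Assumed layout (Splunk's default):
#   $SPLUNK_HOME/etc/apps/<app>/metadata/{default,local}.meta
#   $SPLUNK_HOME/etc/users/<user>/<app>/metadata/local.meta
# with stanzas such as:
#   [savedsearches/My search]
#   owner = system
#   export = system      <- legitimate value, must NOT be touched
#
# Function names (find_orphaned_kos, count_orphaned_kos, reassign_owner)
# are this example's own, not Splunk CLI commands.

# Print "file:stanza" for every stanza under $1 whose owner is $2.
find_orphaned_kos() {
    etc_dir=$1
    user=$2
    find "$etc_dir" -type f -name '*.meta' | sort | while read -r f; do
        # Track the current stanza name; report it when an owner line matches.
        awk -v user="$user" -v file="$f" '
            /^\[/ {
                stanza = $0
                sub(/^\[/, "", stanza); sub(/\]$/, "", stanza)
            }
            /^[ \t]*owner[ \t]*=/ {
                val = $0
                sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                if (val == user) print file ":" stanza
            }' "$f"
    done
}

# Number of orphaned stanzas for user $2 under $1 (handy for checks).
count_orphaned_kos() {
    find_orphaned_kos "$1" "$2" | wc -l | tr -d ' '
}

# Rewrite "owner = $2" to "owner = $3" in every *.meta under $1.
# Only the owner key is changed; "export = system" is left alone.
# Each modified file is first copied to <file>.bak.
reassign_owner() {
    etc_dir=$1
    old=$2
    new=$3
    find "$etc_dir" -type f -name '*.meta' | while read -r f; do
        if grep -Eq "^[[:space:]]*owner[[:space:]]*=[[:space:]]*$old[[:space:]]*$" "$f"; then
            cp "$f" "$f.bak"
            sed -E "s/^([[:space:]]*owner[[:space:]]*=[[:space:]]*)$old[[:space:]]*$/\1$new/" \
                "$f.bak" > "$f"
        fi
    done
}
```

Usage: source the file, run `find_orphaned_kos /opt/splunk/etc system` (assumed SPLUNK_HOME) to review what would change, then `reassign_owner /opt/splunk/etc system admin` with splunkd stopped, and restart Splunk. The owner-only match matters because `system` is also a valid value for the `export` key, so a naive `sed s/system/admin/` over the meta files would corrupt app-level sharing.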

james190190
Explorer

Update:

Just in case I had missed anything I thought I would try the following:

  1. I added a local user 'system' with a role that has no privileges - the error messages stop in splunkd.log.
  2. I then searched 'All configurations' for any objects in All Apps owned by this user and found no objects. This hopefully means I am not hitting the same problem that has previously been reported here: https://answers.splunk.com/answers/389664/why-does-splunk-continuously-attempt-to-find-a-use.html

This is a pretty vanilla install and I have installed one App/TA (Splunk for AWS) and configured LDAP. Everything appears to work just fine outwith the messages in the logs. I am prepared to ignore it but would really be happier if it could be resolved.

Other details that may be useful:

Splunk Enterprise Version: 7.0.0 64-Bit
OS: Amazon Linux AMI 2017.09
AWS App ver: 5.1.0
AWS TA ver: 4.4.0

0 Karma