Security

LDAP Authentication Manager Errors

james190190
Explorer

Hi,

I have a Splunk stand-alone test system that I have successfully configured to use LDAP Authentication. Everything seems to be working fine but I am receiving a lot of errors from the Authentication Manager (see below) that is trying to obtain user information for the user 'system'. The user has never existed, as far as I can tell. I have also checked through the metadata files for any reference to the user but cannot find anything.

DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="**system**" from strategy="XXX-Strategy"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Initializing with LDAPURL="ldaps://XXX:636"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Attempting bind as DN="CN=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Bind successful
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Attempting to search subtree at DN="OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX"  using filter="(&(samaccountname=**system**)(displayname=*))"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Search duration="1477 microseconds"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" LDAP Server returned no entries in search for DN="OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX" filter="(&(samaccountname=**system**)(displayname=*))".

As you can see there is a successful LDAP bind but then several failed attempts to enumerate the 'system' user (not repeated here). I have checked the archives and can only find references to the possibility that 'system' may own some objects (searches, views etc.) but I have checked all the *.meta files and cannot find any references to any non-existent users other than 'nobody' and 'splunk-system-user'. Can anyone shed any light?

0 Karma
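To see which usernames are generating this noise and how often, the splunkd.log DEBUG lines in the question can be aggregated directly. The script below is an added example, not part of the original post or of Splunk itself; the log lines it parses are constructed to match the shape of the excerpt above (strategy name, DN and hostnames are placeholders), and the regular expressions assume the message wording shown in the question.

```python
import re
from collections import Counter

# Constructed sample modelled on the splunkd.log excerpt in the question.
# "XXX-Strategy" and the DN are placeholders, not real values.
SAMPLE_LOG = """\
DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="system" from strategy="XXX-Strategy"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Bind successful
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" LDAP Server returned no entries in search for DN="OU=XXX,DC=XXX" filter="(&(samaccountname=system)(displayname=*))".
DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="system" from strategy="XXX-Strategy"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" LDAP Server returned no entries in search for DN="OU=XXX,DC=XXX" filter="(&(samaccountname=system)(displayname=*))".
DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="alice" from strategy="XXX-Strategy"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Search duration="900 microseconds"
DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="olduser" from strategy="XXX-Strategy"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" LDAP Server returned no entries in search for DN="OU=XXX,DC=XXX" filter="(&(samaccountname=olduser)(displayname=*))".
"""

# Matches the "no entries" message and captures the sAMAccountName that was searched for.
NO_ENTRIES_RE = re.compile(
    r'LDAP Server returned no entries .*?filter="\(&\(samaccountname=([^)]+)\)'
)
# Matches the AuthenticationManagerLDAP lookup line and captures the username.
LOOKUP_RE = re.compile(r'Attempting to get user information for user="([^"]+)"')


def lookup_counts(log_text):
    """How many times each username was looked up against the LDAP strategy."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def unresolved_users(log_text):
    """How many LDAP searches per username came back with no entries."""
    counts = Counter()
    for line in log_text.splitlines():
        m = NO_ENTRIES_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def report(log_text):
    """(username, empty_searches, lookups) for every user LDAP could not resolve,
    noisiest first. Users that resolved (here: alice) are not listed."""
    looked_up = lookup_counts(log_text)
    missing = unresolved_users(log_text)
    return sorted(
        ((user, missing[user], looked_up.get(user, 0)) for user in missing),
        key=lambda t: -t[1],
    )


if __name__ == "__main__":
    for user, empty, total in report(SAMPLE_LOG):
        print(f"{user}: {empty} empty LDAP searches out of {total} lookups")
```

Run it against a real splunkd.log by reading the file into `report()`; each username it lists is a candidate owner of an orphaned knowledge object and is worth checking in the *.meta files.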
1 Solution

nickhills
Ultra Champion

This can happen if you have knowledge objects (searches, lookups, extractions) owned by a user who was at one point a user but has now been removed.

Splunk will look for users initially in the local auth DB, and if not found will search LDAP. If it can't find that user in an LDAP DS, it will log that error.

Splunk 'hides' KOs from the UI if the user does not exist, so you will need to grep through your meta files for that username, and change the owner to someone who still exists and the errors will cease.

If my comment helps, please give it a thumbs up!


0 Karma
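The grep-through-the-meta-files step in the answer above can be scripted so that every stanza owned by the vanished user is listed and, once you have chosen a surviving owner, rewritten in place. The following is an added example and not Splunk's own tooling or code from the answer: it assumes the usual *.meta layout of `[type/name]` stanzas followed by `owner = <user>` lines, and it builds a small constructed directory tree (with a placeholder `system` owner) so it can be run offline.

```python
import os
import re
import tempfile

# *.meta files are stanza-based: "[savedsearches/My%20Search]" then "owner = user".
STANZA_RE = re.compile(r"^\s*\[(.+)\]\s*$")
OWNER_RE = re.compile(r"^\s*owner\s*=\s*(\S+)\s*$")


def find_objects_owned_by(base_dir, username):
    """Walk base_dir for *.meta files; return (path, stanza) pairs whose
    stanza carries 'owner = <username>'."""
    hits = []
    for root, _dirs, files in os.walk(base_dir):
        for name in sorted(files):
            if not name.endswith(".meta"):
                continue
            path = os.path.join(root, name)
            stanza = None
            with open(path, encoding="utf-8") as fh:
                for line in fh:
                    sm = STANZA_RE.match(line)
                    if sm:
                        stanza = sm.group(1)
                        continue
                    om = OWNER_RE.match(line)
                    if om and om.group(1) == username:
                        hits.append((path, stanza))
    return hits


def reassign_owner(base_dir, old_user, new_user):
    """Rewrite every 'owner = old_user' line to new_user. Returns the number of
    owner lines changed. Only files that actually reference old_user are touched."""
    changed = 0
    for path in sorted({p for p, _ in find_objects_owned_by(base_dir, old_user)}):
        with open(path, encoding="utf-8") as fh:
            lines = fh.readlines()
        out = []
        for line in lines:
            m = OWNER_RE.match(line)
            if m and m.group(1) == old_user:
                out.append(f"owner = {new_user}\n")  # whole line rewritten, no substring tricks
                changed += 1
            else:
                out.append(line)
        with open(path, "w", encoding="utf-8") as fh:
            fh.writelines(out)
    return changed


def build_sample_tree():
    """Constructed sample: a tiny etc/ tree with two objects orphaned to 'system'."""
    base = tempfile.mkdtemp(prefix="splunk-meta-")
    app_meta = os.path.join(base, "etc", "apps", "search", "metadata")
    user_meta = os.path.join(base, "etc", "users", "alice", "search", "metadata")
    os.makedirs(app_meta)
    os.makedirs(user_meta)
    with open(os.path.join(app_meta, "local.meta"), "w", encoding="utf-8") as fh:
        fh.write(
            "[savedsearches/Phantom%20Report]\n"
            "owner = system\n"
            "access = read : [ * ], write : [ admin ]\n"
            "\n"
            "[views/dashboard1]\n"
            "owner = admin\n"
            "\n"
            "[lookups/old.csv]\n"
            "owner = system\n"
        )
    with open(os.path.join(user_meta, "local.meta"), "w", encoding="utf-8") as fh:
        fh.write("[savedsearches/Mine]\nowner = alice\n")
    # A non-.meta file mentioning the user must be ignored by the scan.
    with open(os.path.join(app_meta, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("owner = system\n")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for path, stanza in find_objects_owned_by(base, "system"):
        print(f"{stanza} in {path}")
    print("reassigned:", reassign_owner(base, "system", "admin"))
```

Point `find_objects_owned_by()` at `$SPLUNK_HOME/etc` to list the orphans first; only run `reassign_owner()` after taking a backup of the affected *.meta files, and restart Splunk afterwards so the new ownership is picked up. Reassigning the objects removes the cause of the lookups, whereas a placeholder local account merely silences them.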


james190190
Explorer

Update:

Just in case I had missed anything I thought I would try the following:

  1. I added a local user 'system' with a role that has no privileges - the error messages stop in splunkd.log.
  2. I then searched 'All configurations' for any objects in All Apps owned by this user and found no objects. This hopefully means I am not hitting the same problem that has previously been reported here: https://answers.splunk.com/answers/389664/why-does-splunk-continuously-attempt-to-find-a-use.html

This is a pretty vanilla install and I have installed one App/TA (Splunk for AWS) and configured LDAP. Everything appears to work just fine outwith the messages in the logs. I am prepared to ignore it but would be much happier if it could be resolved.

Other details that may be useful:

Splunk Enterprise Version: 7.0.0 64-Bit
OS: Amazon Linux AMI 2017.09
AWS App ver: 5.1.0
AWS TA ver: 4.4.0

0 Karma