Hello, I'm trying to configure Splunk 7.3.0 (657388c7a488) with LDAP authentication, but it keeps failing during the setup with the error:
"Encountered the following error while trying to save: Could not find userBaseDN on the LDAP server: ou=Active Staff,ou=People,dc=mydomain,dc=edu"
After lots of debugging, the LDAP search it uses during the base configuration uses "Attributes 1.1" for LDAP.
i.e. this search works on our LDAP:
ldapsearch -x -H ldaps://10.231.4.20:636 -D "uid=cam34,ou=Active Staff,ou=People,dc=mydomain,dc=edu" -W -b "ou=Active Staff,ou=People,dc=mydomain,dc=edu" "(objectclass=*)"
However, the following fails to return results:
ldapsearch -x -H ldaps://10.231.4.20:636 -D "uid=cam34,ou=Active Staff,ou=People,dc=mydomain,dc=edu" -W -b "ou=Active Staff,ou=People,dc=mydomain,dc=edu" "(objectclass=*)" 1.1
This "1.1" type search is what Splunk is trying to use.
How can I change this behaviour in Splunk?
Thanks
Cam
Solved it myself...
Turns out the problem was with the LDAP Proxy software itself (glauth).
Seems glauth doesn't understand attributes-only searches ([github]/glauth/glauth/issues/89)
No, sorry - from the debugging I can see the search it's failing on.
Definitely an issue with attributes 1.1
09:57:43.048353 Search ▶ DEBU 01c Search req to backend: &ldap.SearchRequest{
BaseDN: "ou=Active Staff,ou=People,dc=mydomain,dc=edu",
Scope: 0,
DerefAliases: 0,
SizeLimit: 1000,
TimeLimit: 15,
TypesOnly: false,
Filter: "(objectclass=*)",
Attributes: {"1.1"},
Controls: {
},
}
09:57:43.050451 Search ▶ DEBU 01d Backend Search result: &ldap.SearchResult{
Entries: {
&ldap.Entry{
DN: "ou=Active Staff,ou=People,dc=mydomain,dc=edu",
Attributes: nil,
},
},
Referrals: {},
Controls: {
},
}
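The `1.1` attribute list in the searches above is the "no attributes" selector defined in RFC 4511 section 4.5.1.8: a server that honours it still returns each matching entry, with its DN and an empty attribute set. The Go code below is an added example, not code from glauth or Splunk; `Entry` and `SelectAttributes` are hypothetical names, and the sample entry is constructed from the base DN in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is a simplified directory entry (hypothetical type for this example).
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// SelectAttributes applies the RFC 4511 section 4.5.1.8 attribute selection
// rules to one entry: an empty list or "*" returns all user attributes, a list
// holding only "1.1" returns none, and "1.1" mixed with other names is ignored.
func SelectAttributes(e Entry, requested []string) Entry {
	out := Entry{DN: e.DN, Attrs: map[string][]string{}}
	want := map[string]bool{}
	all := len(requested) == 0
	for _, r := range requested {
		switch {
		case r == "*":
			all = true
		case r == "1.1":
			// "no attributes" marker: contributes nothing to the selection
		default:
			want[strings.ToLower(r)] = true // attribute names are case-insensitive
		}
	}
	for name, vals := range e.Attrs {
		if all || want[strings.ToLower(name)] {
			out.Attrs[name] = vals
		}
	}
	return out
}

func main() {
	// Constructed sample entry using the base DN from the thread.
	base := Entry{
		DN:    "ou=Active Staff,ou=People,dc=mydomain,dc=edu",
		Attrs: map[string][]string{"ou": {"Active Staff"}, "objectClass": {"organizationalUnit"}},
	}
	for _, req := range [][]string{{"1.1"}, {}, {"OU", "1.1"}} {
		got := SelectAttributes(base, req)
		fmt.Printf("requested=%q -> dn=%q attrs=%d\n", req, got.DN, len(got.Attrs))
	}
}
```

An existence check such as the one behind the "Could not find userBaseDN" error only needs the entry itself to come back, so the `1.1` case must yield one entry with zero attributes rather than zero entries.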
I recently got similar issues with userBaseDN messages. But my problem was with groupBaseDN.
https://answers.splunk.com/answers/758767/ldap-configuration-issue.html
Did you provide groupBaseDN while defining your LDAP strategy?
groupBaseDN - a complete DN (including CN) of your LDAP group