
LDAP Map users to roles

Raghav2384
Motivator

Working LDAP where I can map LDAP groups to roles.
[XYZ Corporate AD]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=a1dpsapacheuser,OU=Administrative,DC=CORP,DC=XYZ,DC=com
bindDNpassword = password
charset = utf8
emailAttribute = mail
groupBaseDN = OU=Groups,OU=Location Corporate,OU=ABC,DC=CORP,DC=XYZ,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = x.x.x.x
nestedGroups = 0
network_timeout = -1
port = 636
realNameAttribute = givenname
sizelimit = 1000000
timelimit = 29
userBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
userNameAttribute = samaccountname

[roleMap_XYZ Corporate AD]
admin = XYZ - Admin Splunk Distribution
splunkuser = GlobalUsers

[authentication]
authSettings = XYZ Corporate AD
authType = LDAP


Trying to achieve: LDAP map users to roles. I have followed
http://answers.splunk.com/answers/43842/mapping-ldap-user-to-roles-matched-groups-are-not-found-in-r... &
http://docs.splunk.com/Documentation/Splunk/6.2.0/Security/ConfigureLDAPwithconfigurationfiles as is, but no luck. Here's the config I came up with:

[XYZ Corporate AD]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=a1dpsapacheuser,OU=Administrative,DC=CORP,DC=XYZ,DC=com
bindDNpassword = password
charset = utf8
emailAttribute = mail
groupBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
groupBaseFilter = (|(samaccountname=*))
groupMappingAttribute = samaccountname
groupMemberAttribute = samaccountname
groupNameAttribute = samaccountname
host = x.x.x.x
nestedGroups = 0
network_timeout = -1
port = 636
realNameAttribute = cn
sizelimit = 1000000
timelimit = 29
userBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
userNameAttribute = samaccountname

[roleMap_XYZ Corporate AD]
newadmin = rgomatha

[authentication]
authSettings = XYZ Corporate AD
authType = LDAP

And I can't log in. Is it because we have too many groups? I am sure there are more than 1000! What am I doing wrong?

Thanks in advance!
Regards,
Raghav


Raghav2384
Motivator

Looks like I have to go with AD groups to Splunk roles instead of users to Splunk roles, for a lot of reasons.

Thanks to Charlie for adding weight to approach 1.


Raghav2384
Motivator

So, I guess the culprit was the LDAP group (too big to handle, I guess). Once I picked a relatively smaller group, it started to show users as groups and let me add users to individual roles. Now the problem is, it's not reflected until I restart splunkd after every addition/update. Is there any other way to avoid the restart, as it could become a pain with more and more users requesting access 🙂

P.S.: Though debug/refresh isn't going to refresh authentication... tried it just to be sure. Didn't work 😞


acharlieh
Influencer

Why do you want to map users directly to roles in Splunk? As you've found out, when changing mappings you're likely going to wind up with restarts. If you could get your AD admin to delegate you an OU for Splunk groups, and create groups per Splunk role in that OU, then adding/removing users to roles requires no restart. (As you're then just adding / removing users to groups within AD... the mapping stays the same.)

Raghav2384
Motivator

I agree, and that's how we had it configured first. We have close to 80 indexes and the ask is to have different levels of elevated privileges for individuals (I know exactly how this sounds :)). So even if I create 100 roles in Splunk, since I cannot have everyone from that one mega Splunk AD group access it, this route. Please let me know if you have a better strategy and I can certainly propose it 🙂

In a nutshell: cannot request multiple AD groups, can create whatever number of roles in Splunk I want, several levels of user access required.

Thank you Charlie!

Regards,
Raghav


acharlieh
Influencer

As several levels of user access are required, make a role and corresponding LDAP group that maps to each piece you want to authorize. If a user needs 3 different levels of access, add his account to the 3 corresponding LDAP groups. As a user, you can have multiple roles in Splunk (like you can be a member of multiple groups in Active Directory).
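As an added illustration (not code from this thread or from Splunk itself), the Python below replays how a Splunk authentication.conf LDAP strategy resolves a login name to roles, running both the groups-to-roles layout acharlieh recommends and the users-as-groups layout from the question against a constructed in-memory directory. The OU=Splunk container, the splunk_admin/splunk_user groups and the user bob are assumptions, not values from the thread.

```python
import configparser

DIRECTORY = [  # constructed stand-in for AD (attribute -> values), not the poster's data
    {"dn": "CN=rgomatha,OU=ABC,DC=CORP,DC=XYZ,DC=com", "samaccountname": ["rgomatha"]},
    {"dn": "CN=bob,OU=ABC,DC=CORP,DC=XYZ,DC=com", "samaccountname": ["bob"]},
    {"dn": "CN=splunk_admin,OU=Splunk,DC=CORP,DC=XYZ,DC=com", "cn": ["splunk_admin"],
     "member": ["CN=rgomatha,OU=ABC,DC=CORP,DC=XYZ,DC=com"]},
    {"dn": "CN=splunk_user,OU=Splunk,DC=CORP,DC=XYZ,DC=com", "cn": ["splunk_user"],
     "member": ["CN=rgomatha,OU=ABC,DC=CORP,DC=XYZ,DC=com", "CN=bob,OU=ABC,DC=CORP,DC=XYZ,DC=com"]},
]
# Groups-to-roles: one AD group per Splunk role in a delegated OU (hypothetical OU=Splunk).
CONF_GROUPS = """[XYZ Corporate AD]
userBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
userNameAttribute = samaccountname
groupBaseDN = OU=Splunk,DC=CORP,DC=XYZ,DC=com
groupNameAttribute = cn
groupMemberAttribute = member
groupMappingAttribute = dn
[roleMap_XYZ Corporate AD]
admin = splunk_admin
user = splunk_user
"""
# Users-as-groups: the thread's second config, where each user entry is its own "group".
CONF_USERS = """[XYZ Corporate AD]
userBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
userNameAttribute = samaccountname
groupBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
groupNameAttribute = samaccountname
groupMemberAttribute = samaccountname
groupMappingAttribute = samaccountname
[roleMap_XYZ Corporate AD]
newadmin = rgomatha
"""

def splunk_roles(conf_text, directory, username, strategy="XYZ Corporate AD"):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep role and attribute names exactly as written
    cp.read_string(conf_text)
    ldap, rolemap = cp[strategy], cp["roleMap_" + strategy]
    attr = lambda e, name: [e["dn"]] if name == "dn" else e.get(name, [])  # "dn" is the DN itself
    under = lambda e, key: e["dn"].lower().endswith("," + ldap[key].lower())
    users = [e for e in directory if under(e, "userBaseDN")
             and username in attr(e, ldap["userNameAttribute"])]
    if not users:
        return set()  # unknown login name: no roles, so Splunk denies the login
    wanted = set(attr(users[0], ldap["groupMappingAttribute"]))  # must appear in a group's member attr
    groups = {n for g in directory if under(g, "groupBaseDN")
              and wanted & set(attr(g, ldap["groupMemberAttribute"]))
              for n in attr(g, ldap["groupNameAttribute"])}
    return {role for role, names in rolemap.items()  # role granted if any ';'-separated group matched
            if groups & {n.strip() for n in names.split(";")}}
```

In the users-as-groups layout every new account is an edit to the roleMap stanza (hence the restart the thread runs into), while in the groups-to-roles layout only AD membership changes and the conf file stays put.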

Raghav2384
Motivator

Yeah, I proposed the exact same... manage more from the AD side and roles... I guess some people just don't get it 🙂 Thanks Charlie... cheers!

acharlieh
Influencer

LOL... Well now you can tell them that a random person on an internet forum thinks you're right!

Honestly, I had about 3-6 months of debates before I was able to convince those who controlled our AD infrastructure that delegating an OU for Splunk groups was the correct course of action. I can only wish you best of luck!

Raghav2384
Motivator

Thanks again for your help, Charlie... Cheers!


acharlieh
Influencer

Is "newadmin" a role defined in authorize.conf? Does the newadmin role extend the built in "user" role? (There is a way to enable login for roles that aren't user but it's tricky last I remember)


Raghav2384
Motivator

Correct, I created a role newadmin. It inherits from the built-in admin role.
