
LDAP Map users to roles

Raghav2384
Motivator

Working LDAP setup where I can map LDAP groups to roles:
[XYZ Corporate AD]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=a1dpsapacheuser,OU=Administrative,DC=CORP,DC=XYZ,DC=com
bindDNpassword = password
charset = utf8
emailAttribute = mail
groupBaseDN = OU=Groups,OU=Location Corporate,OU=ABC,DC=CORP,DC=XYZ,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = x.x.x.x
nestedGroups = 0
network_timeout = -1
port = 636
realNameAttribute = givenname
sizelimit = 1000000
timelimit = 29
userBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
userNameAttribute = samaccountname

[roleMap_XYZ Corporate AD]
admin = XYZ - Admin Splunk Distribution
splunkuser = GlobalUsers

[authentication]
authSettings = XYZ Corporate AD
authType = LDAP


Trying to achieve: LDAP map users to roles. I have followed
http://answers.splunk.com/answers/43842/mapping-ldap-user-to-roles-matched-groups-are-not-found-in-r... and
http://docs.splunk.com/Documentation/Splunk/6.2.0/Security/ConfigureLDAPwithconfigurationfiles as is, but no luck. Here's the config I came up with:

[XYZ Corporate AD]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=a1dpsapacheuser,OU=Administrative,DC=CORP,DC=XYZ,DC=com
bindDNpassword = password
charset = utf8
emailAttribute = mail
groupBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
groupBaseFilter = (|(samaccountname=*))
groupMappingAttribute = samaccountname
groupMemberAttribute = samaccountname
groupNameAttribute = samaccountname
host = x.x.x.x
nestedGroups = 0
network_timeout = -1
port = 636
realNameAttribute = cn
sizelimit = 1000000
timelimit = 29
userBaseDN = OU=ABC,DC=CORP,DC=XYZ,DC=com
userNameAttribute = samaccountname

[roleMap_XYZ Corporate AD]
newadmin = rgomatha

[authentication]
authSettings = XYZ Corporate AD
authType = LDAP

And I can't log in. Is it because we have too many groups? I am sure there are more than 1000! What am I doing wrong?

Thanks in advance!
Regards,
Raghav

1 Solution

Raghav2384
Motivator

Looks like I have to go with AD groups to Splunk roles instead of users to Splunk roles, for a lot of reasons.

Thanks to Charlie for adding weight to approach 1.


Raghav2384
Motivator

So, I guess the culprit was the LDAP group (too big to handle, I guess). Once I picked a relatively smaller group, it started to show users as groups and let me add users to individual roles. Now the problem is, it's not reflected until I restart splunkd after every addition/update. Is there any other way to avoid the restart, as it could become a pain with more and more users requesting access 🙂

P.S.: Though debug/refresh isn't going to refresh authentication... tried it just to be sure. Didn't work 😞


acharlieh
Influencer

Why do you want to map users directly to roles in Splunk? As you've found out, when changing mappings you're likely going to wind up with restarts. If you could get your AD admin to delegate you an OU for Splunk groups, and create groups per Splunk role in that OU, then adding/removing users to roles requires no restart (as you're then just adding/removing users to groups within AD... the mapping stays the same).

Raghav2384
Motivator

I agree, and that's how we had it configured first. We have close to 80 indexes and the ask is to have different levels of elevated privileges for individuals (I know exactly how this sounds :)). So even if I create 100 roles in Splunk, since I cannot have everyone from that one mega Splunk AD group access it, this route. Please let me know if you have a better strategy and I can certainly propose it 🙂

In a nutshell: cannot request multiple AD groups, can create whatever number of roles in Splunk I want, several levels of user access required.

Thank you Charlie!

Regards,
Raghav


acharlieh
Influencer

As several levels of user access are required, make a role and corresponding LDAP group that maps to each piece you want to authorize. If a user needs 3 different levels of access, add his account to the 3 corresponding LDAP groups. As a user, you can have multiple roles in Splunk (like you can be a member of multiple groups in Active Directory).
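The two mapping strategies in this thread (the asker's "users as groups" config, where every group attribute is samaccountname and the roleMap names a user, and the group-per-role layout suggested above) differ only in how Splunk's roleMap resolves against the directory. The following is an added example, not Splunk's code and not from anyone in this thread: it parses two constructed authentication.conf fragments with configparser and resolves a user's roles against a constructed in-memory directory (the OU names, group names and user entries are hypothetical placeholders; `rgomatha` is reused from the thread). It shows that a user in several role groups gets several roles, that groups outside groupBaseDN are ignored regardless of size, and that a user matching no mapped group ends up with no role.

```python
"""Resolve Splunk roles for an LDAP user from an authentication.conf-style
roleMap against a constructed in-memory directory (no live AD needed)."""
import configparser

# Constructed authentication.conf for the "one AD group per Splunk role"
# layout; the OU and group names are hypothetical placeholders.
GROUP_PER_ROLE_CONF = """
[Example Corporate AD]
SSLEnabled = 1
port = 636
groupBaseDN = OU=Splunk Groups,DC=CORP,DC=EXAMPLE,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
userBaseDN = OU=Users,DC=CORP,DC=EXAMPLE,DC=com
userNameAttribute = samaccountname

[roleMap_Example Corporate AD]
admin = splunk-admin
power = splunk-power
netops_reader = splunk-netops-reader

[authentication]
authSettings = Example Corporate AD
authType = LDAP
"""

# Constructed equivalent of the thread's "users as groups" trick: groupBaseDN
# points at the user OU and every group attribute is samaccountname, so each
# user entry is its own one-member "group" and roleMap names users directly.
USER_AS_GROUP_CONF = """
[Example Corporate AD]
groupBaseDN = OU=Users,DC=CORP,DC=EXAMPLE,DC=com
groupMappingAttribute = samaccountname
groupMemberAttribute = samaccountname
groupNameAttribute = samaccountname
userBaseDN = OU=Users,DC=CORP,DC=EXAMPLE,DC=com
userNameAttribute = samaccountname

[roleMap_Example Corporate AD]
newadmin = rgomatha

[authentication]
authSettings = Example Corporate AD
authType = LDAP
"""

USERS_OU = "OU=Users,DC=CORP,DC=EXAMPLE,DC=com"
GROUPS_OU = "OU=Splunk Groups,DC=CORP,DC=EXAMPLE,DC=com"
RAGHAV_DN = f"CN=Raghav,{USERS_OU}"
JANE_DN = f"CN=Jane,{USERS_OU}"

# Constructed directory entries standing in for AD search results.
DIRECTORY = [
    {"dn": RAGHAV_DN, "cn": "Raghav", "samaccountname": "rgomatha"},
    {"dn": JANE_DN, "cn": "Jane", "samaccountname": "jdoe"},
    {"dn": f"CN=splunk-admin,{GROUPS_OU}", "cn": "splunk-admin", "member": [RAGHAV_DN]},
    {"dn": f"CN=splunk-power,{GROUPS_OU}", "cn": "splunk-power", "member": [RAGHAV_DN, JANE_DN]},
    {"dn": f"CN=splunk-netops-reader,{GROUPS_OU}", "cn": "splunk-netops-reader", "member": [JANE_DN]},
    # A group outside groupBaseDN is never considered, however large it is.
    {"dn": "CN=GlobalUsers,OU=Groups,DC=CORP,DC=EXAMPLE,DC=com", "cn": "GlobalUsers",
     "member": [RAGHAV_DN, JANE_DN]},
]


def load_strategy(conf_text):
    """Return (LDAP settings, role -> [group names]) for the active authSettings stanza."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep role names and setting keys exactly as written
    cp.read_string(conf_text)
    name = cp["authentication"]["authSettings"]
    ldap = dict(cp[name])
    # A roleMap value may list several groups separated by ';'.
    role_map = {role: [g.strip() for g in groups.split(";") if g.strip()]
                for role, groups in cp[f"roleMap_{name}"].items()}
    return ldap, role_map


def attr(entry, name):
    """Return an attribute as a list of lowercase strings (AD matching is case-insensitive)."""
    value = entry.get(name, [])
    if isinstance(value, str):
        value = [value]
    return [v.lower() for v in value]


def under(entry, base_dn):
    """True if the entry's DN sits beneath base_dn."""
    return entry["dn"].lower().endswith(base_dn.lower())


def groups_for_user(ldap, directory, username):
    """Names of groups under groupBaseDN whose groupMemberAttribute contains the user's groupMappingAttribute."""
    users = [e for e in directory if under(e, ldap["userBaseDN"])
             and username.lower() in attr(e, ldap["userNameAttribute"])]
    if not users:
        return []
    mapping_values = set(attr(users[0], ldap["groupMappingAttribute"]))
    return sorted(
        name
        for e in directory
        if under(e, ldap["groupBaseDN"]) and mapping_values & set(attr(e, ldap["groupMemberAttribute"]))
        for name in attr(e, ldap["groupNameAttribute"])
    )


def roles_for_user(conf_text, directory, username):
    """Splunk roles granted to username; an empty list means no mapped group matched."""
    ldap, role_map = load_strategy(conf_text)
    names = set(groups_for_user(ldap, directory, username))
    return sorted(role for role, groups in role_map.items()
                  if names & {g.lower() for g in groups})


if __name__ == "__main__":
    for label, conf in (("group-per-role", GROUP_PER_ROLE_CONF), ("user-as-group", USER_AS_GROUP_CONF)):
        for user in ("rgomatha", "jdoe"):
            print(label, user, roles_for_user(conf, DIRECTORY, user))
```

With the group-per-role config, `rgomatha` resolves to `admin` and `power` and `jdoe` to `netops_reader` and `power`; changing either user's access is a group membership edit in AD, with the roleMap untouched. With the user-as-group config, only `rgomatha` gets a role (`newadmin`), and granting `jdoe` anything means editing the roleMap itself, which is the per-change restart the thread runs into.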

Raghav2384
Motivator

Yeah, I proposed the exact same... manage more from the AD side and roles... I guess some people just don't get it 🙂 Thanks Charlie.. cheers!

acharlieh
Influencer

LOL... Well now you can tell them that a random person on an internet forum thinks you're right!

Honestly, I had about 3-6 months of debates before I was able to convince those who controlled our AD infrastructure that delegating an OU for Splunk groups was the correct course of action. I can only wish you best of luck!

Raghav2384
Motivator

Thanks again for your help Charlie..... Cheers!


acharlieh
Influencer

Is "newadmin" a role defined in authorize.conf? Does the newadmin role extend the built in "user" role? (There is a way to enable login for roles that aren't user but it's tricky last I remember)


Raghav2384
Motivator

Correct, I created a role newadmin. It inherits from the built-in admin role.
