Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

LDAP authentication error: user has matching LDAP groups but none are mapped to Splunk roles

yyogev
New Member
‎06-23-2014 01:34 AM

Hi,

My LDAP setup in etc/system/local/authentication.conf produces the following error when I try to authenticate with my crentials:

06-23-2014 00:08:24.563 -0700 ERROR AuthenticationManagerLDAP - user="yayogev" has matching LDAP groups with strategy="ldap_AD", but none are mapped to Splunk roles
06-23-2014 00:08:24.564 -0700 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="yayogev" on any configured servers

I tested with ldapsearch as suggested in thw "Test your LDAP configuration" page in the docs, and I got the expected results. On the other hand, in the Web UI undr "Access controls » Authentication method » LDAP strategies » LDAP Groups" I see a very partial list of groups.

Here are the contents of authentication.conf (anonimized):

[authentication]
authType = LDAP
authSettings = ldap_AD

[ldap_AD]
host = ad.mycompany.com
port = 636
SSLEnabled = 1
bindDN = <bind-dn>
bindDNpassword = <...>
userBaseDN = OU=Employees, OU=My Company Users, DC=dev, DC=mycompany, DC=com
groupBaseDN = OU=My Company Groups,DC=dev,DC=mycompany, DC=com
groupBaseFilter = (objectclass=group)
userNameAttribute = sAMAccountName
realNameAttribute = cn
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
timelimit = 10
network_timeout = 15

[roleMap_ldap_AD_usergroups]
admin = mygroup-splunk-admins
power = mygroup-core
0 Karma
Reply

jsrobard
Explorer
‎03-20-2017 12:03 PM

Your [roleMap_???] stanza is incorrect.

The ??? must match the value you specified in the LDAP settings stanza name, in your case "ldap_AD". So the third stanza name should be [roleMap_ldap_AD] not [roleMap_ldap_AD_usergroups].

Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...