LDAP authentication in Splunk is not working

jasonsun
Explorer

I have recently configured Splunk to use LDAP authentication. The configuration is pretty straightforward: I can see the AD group and the AD group member from Splunk and map it to a Splunk role, but somehow it fails to authenticate.

The only errors I can find in the splunkd log are as below. Question 1: If it is working fine, I need to put only the username "_splunk" without the domain prefix and postfix, right?
09-013-2016 17:09:52.454 +0800 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="_splunk" on any configured servers
09-013-2016 17:13:18.432 +0800 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="test_splunk" on any configured servers
09-013-2016 17:15:11.330 +0800 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="_splunk@test.com" on any configured servers

My authentication.conf:
[authentication]
authSettings = testldap
authType = LDAP

[testldap]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=_splunk,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
bindDNpassword = $1$56ExJUjhTyFZzzzxZC
charset = utf8
emailAttribute = mail
groupBaseDN = CN=TEST-SPL-ADMIN,OU=Server Group,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc.test.com
nestedGroups = 1
network_timeout = 20
port = 636
realNameAttribute = cn
sizelimit = 3000
timelimit = 15
userBaseDN = CN=TEST-SPL-ADMIN,OU=Server Group,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com
userNameAttribute = samaccountname

[roleMap_testldap]
admin = TEST-SPL-ADMIN

Note:
- I have tried to disable SSL and use port 389 for binding, but it did not help.

- I have tried to use the domain admin account "_testadmin" as bindDN, but it did not help.

- I have used a newly created domain account "_splunk" with read-only permission to the AD group "TEST-SPL-ADMIN" and added this account to the Windows Authorization Access Group on the specific domain controller, but it did not help.

- In the quick testing, I have the domain admin account "_testadmin" added as a group member of the AD group "TEST-SPL-ADMIN", which I would like to use for authentication. The same goes for the other account I used to test binding, "_splunk"; it is also a member of the AD group "TEST-SPL-ADMIN". The bindDN values I tried are "CN=_splunk,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com" and "CN=_testadmin,OU=Admin Users,OU=TEST - Global Admins,OU=Organization Unit,DC=test,DC=com".

Any solution or hint to troubleshoot it will be much appreciated. Thanks in advance.

0 Karma

jasonsun
Explorer

Finally solved. The problem was due to the userBaseDN value.
It should not be the same as the value I set for groupBaseDN. Instead, it should be the DN where the AD user is first created, e.g. OU=Users,OU=xx,OU=xx - xxxx,OU=xx - Users Computers Groups,OU=Organization Unit,DC=test,DC=com
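
The check described in this answer, as an added example that is not part of the original post and is not Splunk code: it parses an authentication.conf strategy stanza and tests, by DN comparison only (no LDAP query), whether a user entry lies under any userBaseDN. The function names are hypothetical, and the corrected userBaseDN is an assumption taken from the parent container of the bindDN quoted in the question.

```python
import configparser
import re

# Constructed input: the [testldap] values posted in the question.
GROUP_DN = ("CN=TEST-SPL-ADMIN,OU=Server Group,OU=TEST - Global Admins,"
            "OU=Organization Unit,DC=test,DC=com")
BROKEN_CONF = f"[testldap]\ngroupBaseDN = {GROUP_DN}\nuserBaseDN = {GROUP_DN}\n"
# The account's DN as given in the question's bindDN.
USER_DN = ("CN=_splunk,OU=Admin Users,OU=TEST - Global Admins,"
           "OU=Organization Unit,DC=test,DC=com")
# Assumed corrected value: the container that holds USER_DN.
FIXED_CONF = BROKEN_CONF.replace(
    f"userBaseDN = {GROUP_DN}", "userBaseDN = " + USER_DN.split(",", 1)[1])


def split_dn(dn):
    """Split a DN into lower-cased RDNs; commas escaped as '\\,' stay in place."""
    rdns = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", r.strip()).lower() for r in rdns if r.strip()]


def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies in the subtree below it."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def audit_strategy(conf_text, strategy, user_dns):
    """Return findings for one LDAP strategy stanza of authentication.conf."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep Splunk's camelCase setting names
    cp.read_string(conf_text)
    stanza = cp[strategy]
    # Both settings accept a ';'-delimited list of base DNs.
    user_bases = [b.strip() for b in stanza["userBaseDN"].split(";") if b.strip()]
    group_bases = [b.strip() for b in stanza["groupBaseDN"].split(";") if b.strip()]
    findings = []
    for ub in user_bases:
        if any(split_dn(ub) == split_dn(gb) for gb in group_bases):
            findings.append(f"userBaseDN is identical to groupBaseDN: {ub}")
    for dn in user_dns:
        if not any(is_under(dn, ub) for ub in user_bases):
            findings.append(f"user entry is outside every userBaseDN: {dn}")
    return findings


if __name__ == "__main__":
    for name, conf in (("as posted", BROKEN_CONF), ("corrected", FIXED_CONF)):
        print(name, audit_strategy(conf, "testldap", [USER_DN]) or "no findings")
```

With the configuration as posted, the account's entry is a sibling branch of the group object rather than a descendant of it, which matches the "could not find a valid user" errors in splunkd.log.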

ShreeJ
Engager

Thank you very much.

It helped greatly. For the past 3 days I was struggling without a proper solution.

This simple answer helped me: to add the DN where the AD user is first created.

0 Karma

Richfez
SplunkTrust

Just a thought; there's a few hints on the interwebs of random things having issues with underscores. Could you try using all CNs, OUs and names without leading underscores to see what happens?

0 Karma

jasonsun
Explorer

Tested but this is not the cause. Thanks.

0 Karma

sk314
Builder

Have you tried running the command ./splunk reload auth on your search heads and logging in again? Sometimes changes to AD take time to propagate. You might try after a while to see if it works. In any case, try reloading the auth before you try.

nilaysh
Explorer

I had a service account that was failing authentication. We fixed the account OU and it still did not authenticate. Refreshing authentication configuration helped in refreshing the cache. Thank you very much!

0 Karma

jasonsun
Explorer

Hi sk314, I have clicked the "Reload authentication configuration" button in the Splunk web UI but the problem was still the same. The reload button actually does the same thing as running the ./splunk reload auth command, right?

0 Karma