Security

LDAP authentication to multiple domains

dbylertbg
Path Finder

I have two LDAP strategies defined, one to domain1 and one to domain2. In both domains I have a user named "SplunkAdmin". Both ldap strategies have roles mapped to the groups that contain the SplunkAdmin user for each domain. However, in the "users" list, I only see one entry for "SplunkAdmin". How do I allow both users to access Splunk? (I have tried specifying the domain in the username box, i.e. domain1\splunkadmin or splunkadmin@domain1 as the username, but this approach does not seem to work.)

0 Karma

grijhwani
Motivator

The only way to do this would be to have distinct users in distinct domains. I don't see how you would expect to see two different users when there is nothing to distinguish the name. The login (and user list) will match the first instance it finds according to the ordering of the domain strategies.

You could do what I have had to do recently, use a domain-specific attribute for the user name, and use logins SlunkAdmin@domain.one and SplunkAdmin@domain.two. Of course this depends entirely on how you have your LDAP configured on the domain controller side.

0 Karma

dbylertbg
Path Finder

Re: using an alternate domain-specific attribute for the user name: This would require significant effort on the AD side to ensure that unique attributes exists for each user in question. It may be our only option, though.

0 Karma

dbylertbg
Path Finder

In an AD environment you can specify a domain to attempt to log in to by entering the username in the format "DOMAIN\ussername" or "username@DOMAIN". I was hoping that Splunk could be configured to accept the same format.

0 Karma

dbylertbg
Path Finder

Working with Splunk support, it appears that there is no way to specify the domain when logging in. Instead, you must find an alternate 'user' attribute to match on, and the attributes must be unique between the two domains.

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...