Hi,
I am trying to configure an Splunk's authentication by LDAP.
I have already registered LDAP server and mapped group and role in my Splunk 4.3.2.
It seems Splunk and LDAP server communicates. However, when I tried to login with a user registered in LDAP, the login failed.
I would like to troubleshoot this, but there is not much information about the log file to take a look at for the LDAP authentication troubleshooting regarding Splunk/LDAP Login.
Could anyone point me to the log file or information under SPLUNK_HOME?
Thanks,
hi melonman,
as always a good starting point is splunkd.log, check for any authentication errors. Remove any custom values you've added for userBaseFilter and groupBaseFilter. Use ldapsearch to manually test that the variables you are specifying will return the expected entries:
ldapsearch -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"
cheers,
MuS
I am posting this with the hope it will save someone the pain I just went through.
first of all some of the examples work, some do not.
if the bind works splunkd will not have and error. If it does not, splunkd.log will have errors. bind username as to be domain username for domain that has LDAP/AD connection.
use ADEDIT to get LDAP info.
first thing that is NOT mentioned anywhere that I was able to find in splunk answers
the bind username has to be added to the builtin Windows Authorization Access Group
This has to be done to allow splunk to validate user login.
So even after I got the conf file correct and could see groups, etc. I could not get the login to work...talk about days of screaming frustration.
Second big discovery, is if one of your domain admins loves to organize, splunk (or LDAP) does not deal will with nested OUs. So if users are deep within nested OUs, you will have to do as I did. Give path (i.e. distinguisedName) for every "group/OU".
hope this helps someone even a little.
at the bottom is a working authentication.conf file...with what should be obvious removal of company, domain information.
[domaincontroller]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=splunkbind, CN=Users, DC=companynamesystems, DC=com
bindDNpassword = $1$mPYcaZ61L2FkKdex83/gjH0mnz9uwVDC40B4mSM=
charset = utf8
userBaseFilter = (objectclass=*)
groupBaseDN = CN=Users, DC=companynamesystems,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = domaincontroller.companynamesystems.com
nestedGroups = 1
comwork_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users, DC=companynamesystems, DC=com
userNameAttribute = samaccountname
[authentication]
authSettings = domaincontroller,domainname
authType = LDAP
[domainname]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = splunkbind
bindDNpassword = $1$mPYcaZ61L2FkKdex83/gjH0mnz9uwVDC40B4mSM=
charset = utf8
groupBaseDN = CN=splunk,DC=companyname,DC=com;
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = domainnamedc02.companyname.com
nestedGroups = 1
comwork_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Sustained Engineering,OU=Corp,DC=companyname,DC=com;OU=Analytics,OU=Corp,DC=companyname,DC=com;OU=Customer Service,OU=Corp,DC=companyname,DC=com;OU=IT Staff,OU=Hyderabad,OU=Corp,DC=companyname,DC=com;OU=Management,OU=Corp,DC=companyname,DC=com;OU=Product Development,OU=Corp,DC=companyname,DC=com;OU=GlobalLogic,OU=Corp,DC=companyname,DC=com;OU=QA,OU=Corp,DC=companyname,DC=com;
userNameAttribute = samaccountname
[roleMap_domainname]
admin = SplunkAdmin
user = SplunkUsers
[roleMap_domaincontroller]
I am so deeply grateful for this post - I think you just solved my problem.
hi melonman,
as always a good starting point is splunkd.log, check for any authentication errors. Remove any custom values you've added for userBaseFilter and groupBaseFilter. Use ldapsearch to manually test that the variables you are specifying will return the expected entries:
ldapsearch -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"
cheers,
MuS
Thanks, MuS!