Security
Highlighted

LDAP authentication troubleshooting information

Motivator

Hi,

I am trying to configure an Splunk's authentication by LDAP.

I have already registered LDAP server and mapped group and role in my Splunk 4.3.2.

It seems Splunk and LDAP server communicates. However, when I tried to login with a user registered in LDAP, the login failed.

I would like to troubleshoot this, but there is not much information about the log file to take a look at for the LDAP authentication troubleshooting regarding Splunk/LDAP Login.

Could anyone point me to the log file or information under SPLUNK_HOME?

Thanks,

Tags (1)
0 Karma
Highlighted

Re: LDAP authentication troubleshooting information

SplunkTrust
SplunkTrust

hi melonman,

as always a good starting point is splunkd.log, check for any authentication errors. Remove any custom values you've added for userBaseFilter and groupBaseFilter. Use ldapsearch to manually test that the variables you are specifying will return the expected entries:

ldapsearch  -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn"  "userNameAttribute=*"

cheers,

MuS

View solution in original post

Highlighted

Re: LDAP authentication troubleshooting information

Motivator

Thanks, MuS!

0 Karma
Highlighted

Re: LDAP authentication troubleshooting information

Explorer

This post will only help Windows/splunk/AD/LDAP people.

I am posting this with the hope it will save someone the pain I just went through.
first of all some of the examples work, some do not.
if the bind works splunkd will not have and error. If it does not, splunkd.log will have errors. bind username as to be domain username for domain that has LDAP/AD connection.
use ADEDIT to get LDAP info.

first thing that is NOT mentioned anywhere that I was able to find in splunk answers
the bind username has to be added to the builtin Windows Authorization Access Group
This has to be done to allow splunk to validate user login.
So even after I got the conf file correct and could see groups, etc. I could not get the login to work...talk about days of screaming frustration.

Second big discovery, is if one of your domain admins loves to organize, splunk (or LDAP) does not deal will with nested OUs. So if users are deep within nested OUs, you will have to do as I did. Give path (i.e. distinguisedName) for every "group/OU".
hope this helps someone even a little.

at the bottom is a working authentication.conf file...with what should be obvious removal of company, domain information.

Basic LDAP configuration

[domaincontroller]
SSLEnabled = 0
anonymousreferrals = 1
bindDN = CN=splunkbind, CN=Users, DC=companynamesystems, DC=com
bindDNpassword = $1$mPYcaZ61L2FkKdex83/gjH0mnz9uwVDC40B4mSM=
charset = utf8
userBaseFilter = (objectclass=*)
groupBaseDN = CN=Users, DC=companynamesystems,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = domaincontroller.companynamesystems.com
nestedGroups = 1
comwork
timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users, DC=companynamesystems, DC=com
userNameAttribute = samaccountname

[authentication]
authSettings = domaincontroller,domainname
authType = LDAP

[domainname]
SSLEnabled = 0
anonymousreferrals = 0
bindDN = splunkbind
bindDNpassword = $1$mPYcaZ61L2FkKdex83/gjH0mnz9uwVDC40B4mSM=
charset = utf8
groupBaseDN = CN=splunk,DC=companyname,DC=com;
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = domainnamedc02.companyname.com
nestedGroups = 1
comwork
timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Sustained Engineering,OU=Corp,DC=companyname,DC=com;OU=Analytics,OU=Corp,DC=companyname,DC=com;OU=Customer Service,OU=Corp,DC=companyname,DC=com;OU=IT Staff,OU=Hyderabad,OU=Corp,DC=companyname,DC=com;OU=Management,OU=Corp,DC=companyname,DC=com;OU=Product Development,OU=Corp,DC=companyname,DC=com;OU=GlobalLogic,OU=Corp,DC=companyname,DC=com;OU=QA,OU=Corp,DC=companyname,DC=com;
userNameAttribute = samaccountname

[roleMap_domainname]
admin = SplunkAdmin
user = SplunkUsers

[roleMap_domaincontroller]

Highlighted

Re: LDAP authentication troubleshooting information

Path Finder

I am so deeply grateful for this post - I think you just solved my problem.

0 Karma