Security

LDAP authentication with client certificates - SASL and TLS

vegitron
Engager

I'm trying to connect Splunk to and LDAP server that requires authentication with client x509 certificates.

Based on http://docs.splunk.com/Documentation/Splunk/latest/Security/TestyourLDAPconfiguration, I've been working with ldapsearch, a .ldaprc file, and trying to move the settings into splunk's authentication.conf and etc/openldap/ldap.conf.

This is the content of my ldap.conf file:

ssl start_tls
TLS_REQCERT demand
TLS_CERT [cert_path]/app.cert
TLS_KEY [cert_path]/app.key
TLS_CACERT [cert_pat]/ca.cert
TLS_CACERTDIR [cert_path]
SASL_MECH EXTERNAL

I have my system logging set to debug for AuthenticationManagerLDAP and ScopedLDAPConnection, and this is what I get:

02-21-2013 15:05:51.876 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Initializing with LDAPURL="ldap://[ldap_host]:389"
02-21-2013 15:05:51.876 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting anonymous bind
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Bind successful
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting to read entry at DN="[dn]"
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting to search subtree at DN="[dn]" using filter=""
02-21-2013 15:05:51.989 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Search duration="13.68 milliseconds"
02-21-2013 15:05:51.989 -0800 ERROR ScopedLDAPConnection - strategy="LDAP" Could not read invalid entry at DN="[dn]"
02-21-2013 15:05:51.989 -0800 ERROR AdminHandler:AuthenticationHandler - Could not find userBaseDN on the LDAP server: [dn]

From that, it looks like the client cert configuration, and the SASL EXTERNAL mechanism are being ignored. This configuration has worked with ldapsearch, and the perl libraries Net::LDAP and Authen::SASL.

Is it possible to use client certificates in this way with Splunk, and if so, what configuration am I missing?

thanks,
Patrick

Tags (3)

psow_splunk
Splunk Employee
Splunk Employee

Have you config the server.conf?

http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/Securingyourdeploymentserverandclients

Take note:

Important: This requireClientCert is set to "false" by default. If you change it to true to force Splunk to check your client's certificates, Splunk Web and the CLI will also be checked for certificates. Your CLI connection will no longer work because your CLI is unable to present a certificate as a client

0 Karma

vegitron
Engager

That page doesn't describe ldap authentication.

I ended up using scripted authentication: http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/Createtheauthenticationscript

With scripted authentication I was able to use a library that does LDAP TLS properly.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...