Security

LDAP authentication with client certificates - SASL and TLS

vegitron
Engager

I'm trying to connect Splunk to and LDAP server that requires authentication with client x509 certificates.

Based on http://docs.splunk.com/Documentation/Splunk/latest/Security/TestyourLDAPconfiguration, I've been working with ldapsearch, a .ldaprc file, and trying to move the settings into splunk's authentication.conf and etc/openldap/ldap.conf.

This is the content of my ldap.conf file:

ssl start_tls
TLS_REQCERT demand
TLS_CERT [cert_path]/app.cert
TLS_KEY [cert_path]/app.key
TLS_CACERT [cert_pat]/ca.cert
TLS_CACERTDIR [cert_path]
SASL_MECH EXTERNAL

I have my system logging set to debug for AuthenticationManagerLDAP and ScopedLDAPConnection, and this is what I get:

02-21-2013 15:05:51.876 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Initializing with LDAPURL="ldap://[ldap_host]:389"
02-21-2013 15:05:51.876 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting anonymous bind
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Bind successful
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting to read entry at DN="[dn]"
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting to search subtree at DN="[dn]" using filter=""
02-21-2013 15:05:51.989 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Search duration="13.68 milliseconds"
02-21-2013 15:05:51.989 -0800 ERROR ScopedLDAPConnection - strategy="LDAP" Could not read invalid entry at DN="[dn]"
02-21-2013 15:05:51.989 -0800 ERROR AdminHandler:AuthenticationHandler - Could not find userBaseDN on the LDAP server: [dn]

From that, it looks like the client cert configuration, and the SASL EXTERNAL mechanism are being ignored. This configuration has worked with ldapsearch, and the perl libraries Net::LDAP and Authen::SASL.

Is it possible to use client certificates in this way with Splunk, and if so, what configuration am I missing?

thanks,
Patrick

Tags (3)

psow_splunk
Splunk Employee
Splunk Employee

Have you config the server.conf?

http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/Securingyourdeploymentserverandclients

Take note:

Important: This requireClientCert is set to "false" by default. If you change it to true to force Splunk to check your client's certificates, Splunk Web and the CLI will also be checked for certificates. Your CLI connection will no longer work because your CLI is unable to present a certificate as a client

0 Karma

vegitron
Engager

That page doesn't describe ldap authentication.

I ended up using scripted authentication: http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/Createtheauthenticationscript

With scripted authentication I was able to use a library that does LDAP TLS properly.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...