Security

LDAP authentication with client certificates - SASL and TLS

Engager

I'm trying to connect Splunk to and LDAP server that requires authentication with client x509 certificates.

Based on http://docs.splunk.com/Documentation/Splunk/latest/Security/TestyourLDAPconfiguration, I've been working with ldapsearch, a .ldaprc file, and trying to move the settings into splunk's authentication.conf and etc/openldap/ldap.conf.

This is the content of my ldap.conf file:

ssl start_tls
TLS_REQCERT demand
TLS_CERT [cert_path]/app.cert
TLS_KEY [cert_path]/app.key
TLS_CACERT [cert_pat]/ca.cert
TLS_CACERTDIR [cert_path]
SASL_MECH EXTERNAL

I have my system logging set to debug for AuthenticationManagerLDAP and ScopedLDAPConnection, and this is what I get:

02-21-2013 15:05:51.876 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Initializing with LDAPURL="ldap://[ldap_host]:389"
02-21-2013 15:05:51.876 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting anonymous bind
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Bind successful
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting to read entry at DN="[dn]"
02-21-2013 15:05:51.975 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Attempting to search subtree at DN="[dn]" using filter=""
02-21-2013 15:05:51.989 -0800 DEBUG ScopedLDAPConnection - strategy="LDAP" Search duration="13.68 milliseconds"
02-21-2013 15:05:51.989 -0800 ERROR ScopedLDAPConnection - strategy="LDAP" Could not read invalid entry at DN="[dn]"
02-21-2013 15:05:51.989 -0800 ERROR AdminHandler:AuthenticationHandler - Could not find userBaseDN on the LDAP server: [dn]

From that, it looks like the client cert configuration, and the SASL EXTERNAL mechanism are being ignored. This configuration has worked with ldapsearch, and the perl libraries Net::LDAP and Authen::SASL.

Is it possible to use client certificates in this way with Splunk, and if so, what configuration am I missing?

thanks,
Patrick

Tags (3)

Splunk Employee
Splunk Employee

Have you config the server.conf?

http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/Securingyourdeploymentserverandclients

Take note:

Important: This requireClientCert is set to "false" by default. If you change it to true to force Splunk to check your client's certificates, Splunk Web and the CLI will also be checked for certificates. Your CLI connection will no longer work because your CLI is unable to present a certificate as a client

0 Karma

Engager

That page doesn't describe ldap authentication.

I ended up using scripted authentication: http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/Createtheauthenticationscript

With scripted authentication I was able to use a library that does LDAP TLS properly.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!