Attempting to configure LDAP auth for access to our Splunk search head, but attempts to save the configuration always results in "Time limit exceeded" error in splunkd.log.
03-16-2017 16:01:01.412 -0400 DEBUG ScopedLDAPConnection - strategy="Test_strategy" Search duration="29.14 seconds" 03-16-2017 16:01:01.412 -0400 WARN ScopedLDAPConnection - strategy="Test_strategy" LDAP Server returned warning in search for DN="dc=xxxxx,dc=ad,dc=yyycorp,dc=com". reason="Time limit exceeded"
Per the "Configure LDAP with Splunk Web" page ( https://docs.splunk.com/Documentation/Splunk/6.5.2/Security/ConfigureLDAPwithSplunkWeb) you should configure the "search request timeout limit" in conjunction with the
splunkweb timeout property, described in the "Configure user session timeouts" page, which sends you to Settings>Server Settings > General settings where the "Session timeout" parameter (the only timeout parm available in General settings) is set to "1h", which is the default value.
However, the "Search request time limit" field in the Advanced Settings section of the LDAP configuration states that the value has to be less that the UI timeout, which is 30s. Entering a number larger than 30 in the field results in an "Invalid timelimit" error when trying to save the configuration.
So.... a) The documentation is not correct, b) the Session timeout really isn't the same as the the UI timeout, in which case see "a)", or c) I'm missing something very obvious.
FYI - It does in fact take longer than 30 secs to query our AD env with search parms that are either recommended by Splunk or I've found used by others in googling the issue. Here's the query:
Attempting to search subtree at
DN="dc=xxxx,dc=ad,dc=yyycorp,dc=com" using filter="(&(objectclass=user)(cn=*)(displayname=*))
Appreciate any insight or help.
I was able to recreate this scenario and have submitted a jira to have the WebUI limitation tuned.
Until then, you can use the timelimit value under the LDAP stanza in authentication.conf to set it.