LDAP issue: Why does search request time limit not agree with Splunk Web Session timeout as stated in LDAP config instructions?

ksoucy
Path Finder

Attempting to configure LDAP auth for access to our Splunk search head, but attempts to save the configuration always result in a "Time limit exceeded" error in splunkd.log.

03-16-2017 16:01:01.412 -0400 DEBUG ScopedLDAPConnection - strategy="Test_strategy" Search duration="29.14 seconds"
03-16-2017 16:01:01.412 -0400 WARN  ScopedLDAPConnection - strategy="Test_strategy" LDAP Server returned warning in search for DN="dc=xxxxx,dc=ad,dc=yyycorp,dc=com". reason="Time limit exceeded"

Per the "Configure LDAP with Splunk Web" page (https://docs.splunk.com/Documentation/Splunk/6.5.2/Security/ConfigureLDAPwithSplunkWeb) you should configure the "search request timeout limit" in conjunction with the splunkweb timeout property, described in the "Configure user session timeouts" page, which sends you to Settings > Server Settings > General settings where the "Session timeout" parameter (the only timeout parm available in General settings) is set to "1h", which is the default value.

However, the "Search request time limit" field in the Advanced Settings section of the LDAP configuration states that the value has to be less than the UI timeout, which is 30s. Entering a number larger than 30 in the field results in an "Invalid timelimit" error when trying to save the configuration.

So.... a) The documentation is not correct, b) the Session timeout really isn't the same as the UI timeout, in which case see "a)", or c) I'm missing something very obvious.

FYI - It does in fact take longer than 30 secs to query our AD env with search parms that are either recommended by Splunk or I've found used by others in googling the issue. Here's the query:
Attempting to search subtree at DN="dc=xxxx,dc=ad,dc=yyycorp,dc=com" using filter="(&(objectclass=user)(cn=*)(displayname=*))

Appreciate any insight or help.

0 Karma

brreeves_splunk
Splunk Employee

I was able to recreate this scenario and have submitted a jira to have the WebUI limitation tuned.

Until then, you can use the timelimit value under the LDAP stanza in authentication.conf to set it:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Authenticationconf#LDAP_settings

ksoucy
Path Finder

Also, why does Splunk need to do such a large query when we are merely configuring connection to Active Directory?

0 Karma
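Before and after raising `timelimit` in authentication.conf as the answer above suggests, it helps to confirm from splunkd.log which LDAP strategies are actually being cut off by the server. The following is an added example, not code from the thread or from Splunk: it parses `ScopedLDAPConnection` events in the format quoted in the question, and the `Lab_strategy` line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two splunkd.log lines quoted in the question plus one
# invented line for a second, hypothetical strategy ("Lab_strategy").
SAMPLE_LOG = '''\
03-16-2017 16:01:01.412 -0400 DEBUG ScopedLDAPConnection - strategy="Test_strategy" Search duration="29.14 seconds"
03-16-2017 16:01:01.412 -0400 WARN  ScopedLDAPConnection - strategy="Test_strategy" LDAP Server returned warning in search for DN="dc=xxxxx,dc=ad,dc=yyycorp,dc=com". reason="Time limit exceeded"
03-16-2017 16:02:10.003 -0400 DEBUG ScopedLDAPConnection - strategy="Lab_strategy" Search duration="1.72 seconds"
'''

# timestamp (date, time, offset), level, component, strategy name, rest of message
LINE = re.compile(r'^\S+ \S+ \S+ (?P<level>\w+)\s+ScopedLDAPConnection - '
                  r'strategy="(?P<strategy>[^"]+)" (?P<msg>.*)$')
DURATION = re.compile(r'Search duration="(?P<secs>\d+(?:\.\d+)?) seconds"')
WARNING = re.compile(r'search for DN="(?P<dn>[^"]*)"\.\s*reason="(?P<reason>[^"]*)"')

def summarize(log_text):
    """Return {strategy: {"max_duration": float, "timeouts": [base DN, ...]}}."""
    out = defaultdict(lambda: {"max_duration": 0.0, "timeouts": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a ScopedLDAPConnection event
        entry = out[m["strategy"]]
        d = DURATION.search(m["msg"])
        if d:
            entry["max_duration"] = max(entry["max_duration"], float(d["secs"]))
        w = WARNING.search(m["msg"])
        if w and w["reason"] == "Time limit exceeded":
            entry["timeouts"].append(w["dn"])
    return dict(out)

def needs_higher_timelimit(summary):
    """Strategies with at least one search the server cut off at the time limit."""
    return sorted(s for s, e in summary.items() if e["timeouts"])

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for name, e in sorted(report.items()):
        state = "hit time limit" if e["timeouts"] else "ok"
        print(f'{name}: longest search {e["max_duration"]:.2f}s, {state}')
```

A duration logged alongside a "Time limit exceeded" warning is only a lower bound, since the search was stopped before it finished.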