Security

LDAP issue: Why does search request time limit not agree with Splunk Web Session timeout as stated in LDAP config instructions?

ksoucy
Path Finder

Attempting to configure LDAP auth for access to our Splunk search head, but attempts to save the configuration always result in a "Time limit exceeded" error in splunkd.log.

03-16-2017 16:01:01.412 -0400 DEBUG ScopedLDAPConnection - strategy="Test_strategy" Search duration="29.14 seconds"
03-16-2017 16:01:01.412 -0400 WARN  ScopedLDAPConnection - strategy="Test_strategy" LDAP Server returned warning in search for DN="dc=xxxxx,dc=ad,dc=yyycorp,dc=com". reason="Time limit exceeded"

Per the "Configure LDAP with Splunk Web" page (https://docs.splunk.com/Documentation/Splunk/6.5.2/Security/ConfigureLDAPwithSplunkWeb) you should configure the "search request timeout limit" in conjunction with the splunkweb timeout property, described in the "Configure user session timeouts" page, which sends you to Settings > Server Settings > General settings where the "Session timeout" parameter (the only timeout parm available in General settings) is set to "1h", which is the default value.

However, the "Search request time limit" field in the Advanced Settings section of the LDAP configuration states that the value has to be less than the UI timeout, which is 30s. Entering a number larger than 30 in the field results in an "Invalid timelimit" error when trying to save the configuration.

So.... a) The documentation is not correct, b) the Session timeout really isn't the same as the UI timeout, in which case see "a)", or c) I'm missing something very obvious.

FYI - It does in fact take longer than 30 secs to query our AD env with search parms that are either recommended by Splunk or I've found used by others in googling the issue. Here's the query:
Attempting to search subtree at DN="dc=xxxx,dc=ad,dc=yyycorp,dc=com" using filter="(&(objectclass=user)(cn=*)(displayname=*))

Appreciate any insight or help.


brreeves_splunk
Splunk Employee

I was able to recreate this scenario and have submitted a jira to have the WebUI limitation tuned.

Until then, you can use the timelimit value under the LDAP stanza in authentication.conf to set it.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Authenticationconf#LDAP_settings
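Added example, not part of the original posts and not Splunk code: a small Python script that reads splunkd.log lines in the ScopedLDAPConnection format quoted in the question and reports, per LDAP strategy, the longest search duration and how often the server answered "Time limit exceeded", which helps when choosing a timelimit value for authentication.conf. The function names, the 0.9 margin and the last two sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Line layout taken from the two splunkd.log lines quoted in the question.
LINE_RE = re.compile(
    r'^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}\s+[A-Z]+\s+'
    r'ScopedLDAPConnection - strategy="(?P<strategy>[^"]+)"\s+(?P<rest>.*)$'
)
DURATION_RE = re.compile(r'Search duration="(?P<secs>\d+(?:\.\d+)?) seconds"')
REASON_RE = re.compile(r'reason="(?P<reason>[^"]+)"')

def summarize(lines):
    """Per strategy: search count, longest search, time-limit warnings."""
    stats = defaultdict(lambda: {"searches": 0, "max_duration": 0.0, "timeouts": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an LDAP connection line
        entry = stats[m["strategy"]]
        d = DURATION_RE.search(m["rest"])
        if d:
            entry["searches"] += 1
            entry["max_duration"] = max(entry["max_duration"], float(d["secs"]))
        r = REASON_RE.search(m["rest"])
        if r and r["reason"] == "Time limit exceeded":
            entry["timeouts"] += 1
    return dict(stats)

def needs_review(lines, timelimit_secs, margin=0.9):
    """Strategies that hit the limit or came within `margin` of it (assumed threshold)."""
    return sorted(
        name for name, s in summarize(lines).items()
        if s["timeouts"] or s["max_duration"] >= margin * timelimit_secs
    )

# First two lines are from the question; the last two are constructed.
SAMPLE = [
    '03-16-2017 16:01:01.412 -0400 DEBUG ScopedLDAPConnection - strategy="Test_strategy" Search duration="29.14 seconds"',
    '03-16-2017 16:01:01.412 -0400 WARN  ScopedLDAPConnection - strategy="Test_strategy" LDAP Server returned warning in search for DN="dc=xxxxx,dc=ad,dc=yyycorp,dc=com". reason="Time limit exceeded"',
    '03-16-2017 16:05:12.007 -0400 DEBUG ScopedLDAPConnection - strategy="Fast_strategy" Search duration="1.20 seconds"',
    '03-16-2017 16:05:12.100 -0400 INFO  SomeOtherComponent - constructed unrelated line',
]

if __name__ == "__main__":
    for name, s in summarize(SAMPLE).items():
        print(name, s)
    print("review:", needs_review(SAMPLE, timelimit_secs=30))
```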

ksoucy
Path Finder

Also, why does Splunk need to do such a large query when we are merely configuring connection to Active Directory?
