Attempting to configure LDAP auth for access to our Splunk search head, but attempts to save the configuration always result in a "Time limit exceeded" error in splunkd.log.
03-16-2017 16:01:01.412 -0400 DEBUG ScopedLDAPConnection - strategy="Test_strategy" Search duration="29.14 seconds"
03-16-2017 16:01:01.412 -0400 WARN ScopedLDAPConnection - strategy="Test_strategy" LDAP Server returned warning in search for DN="dc=xxxxx,dc=ad,dc=yyycorp,dc=com". reason="Time limit exceeded"
Per the "Configure LDAP with Splunk Web" page (https://docs.splunk.com/Documentation/Splunk/6.5.2/Security/ConfigureLDAPwithSplunkWeb) you should configure the "search request timeout limit" in conjunction with the splunkweb timeout property, described in the "Configure user session timeouts" page, which sends you to Settings > Server Settings > General settings where the "Session timeout" parameter (the only timeout parm available in General settings) is set to "1h", which is the default value.
However, the "Search request time limit" field in the Advanced Settings section of the LDAP configuration states that the value has to be less than the UI timeout, which is 30s. Entering a number larger than 30 in the field results in an "Invalid timelimit" error when trying to save the configuration.
So.... a) The documentation is not correct, b) the Session timeout really isn't the same as the UI timeout, in which case see "a)", or c) I'm missing something very obvious.
FYI - It does in fact take longer than 30 secs to query our AD env with search parms that are either recommended by Splunk or I've found used by others in googling the issue. Here's the query:
Attempting to search subtree at DN="dc=xxxx,dc=ad,dc=yyycorp,dc=com" using filter="(&(objectclass=user)(cn=*)(displayname=*))
Appreciate any insight or help.
I was able to recreate this scenario and have submitted a Jira to have the WebUI limitation tuned.
Until then, you can use the timelimit value under the LDAP stanza in authentication.conf to set it.
http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Authenticationconf#LDAP_settings
Also, why does Splunk need to do such a large query when we are merely configuring a connection to Active Directory?
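An added example, not part of the original thread and not Splunk's own code: a small Python check that reads the ScopedLDAPConnection lines quoted in the question and compares each strategy's slowest search against the timelimit value in its authentication.conf stanza, which is the setting the answer points to. The conf fragment, the Lab_strategy log line and the function names are constructed for illustration; it assumes each strategy's stanza carries the strategy name.

```python
import configparser
import re

# Line formats taken from the splunkd.log excerpts quoted in the question.
DURATION_RE = re.compile(
    r'ScopedLDAPConnection - strategy="(?P<strategy>[^"]+)" '
    r'Search duration="(?P<secs>[\d.]+) seconds"')
TIMEOUT_RE = re.compile(
    r'ScopedLDAPConnection - strategy="(?P<strategy>[^"]+)".*'
    r'reason="Time limit exceeded"')
# The first two lines are from the question; the third is constructed.
SAMPLE_LOG = '''\
03-16-2017 16:01:01.412 -0400 DEBUG ScopedLDAPConnection - strategy="Test_strategy" Search duration="29.14 seconds"
03-16-2017 16:01:01.412 -0400 WARN ScopedLDAPConnection - strategy="Test_strategy" LDAP Server returned warning in search for DN="dc=xxxxx,dc=ad,dc=yyycorp,dc=com". reason="Time limit exceeded"
03-16-2017 16:02:10.001 -0400 DEBUG ScopedLDAPConnection - strategy="Lab_strategy" Search duration="2.50 seconds"
'''
# Constructed authentication.conf fragment (assumed values, one stanza per strategy).
SAMPLE_CONF = '''\
[Test_strategy]
timelimit = 30
[Lab_strategy]
timelimit = 15
'''

def ldap_timing(log_text):
    """Return {strategy: {"max_secs": float, "timeouts": int}} from log text."""
    stats = {}
    for line in log_text.splitlines():
        d, t = DURATION_RE.search(line), TIMEOUT_RE.search(line)
        if d or t:
            s = stats.setdefault((d or t)["strategy"], {"max_secs": 0.0, "timeouts": 0})
            s["max_secs"] = max(s["max_secs"], float(d["secs"]) if d else 0.0)
            s["timeouts"] += 1 if t else 0
    return stats

def check_timelimits(conf_text, log_text):
    """Flag strategies that timed out or whose slowest search reached timelimit."""
    # Splunk .conf files are INI-like; disable interpolation so '%' in values is literal.
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(conf_text)
    findings = []
    for strategy, s in ldap_timing(log_text).items():
        limit = conf.getint(strategy, "timelimit", fallback=None)  # None if unset
        if s["timeouts"] or (limit is not None and s["max_secs"] >= limit):
            findings.append((strategy, limit, s["max_secs"], s["timeouts"]))
    return findings

if __name__ == "__main__":
    print(check_timelimits(SAMPLE_CONF, SAMPLE_LOG))
```

Each finding is a tuple of strategy name, configured timelimit (None when the stanza does not set one), slowest observed search in seconds, and the count of "Time limit exceeded" warnings.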