LDAP on AD not returning all groups - even with filtering

FunPolice
Path Finder

I have successfully configured LDAP authentication, however while doing so I noticed that the "LDAP Groups" page wasn't displaying every group in the OU. I managed to get all of the groups that I needed at the time by filtering the groups more specifically with groupBaseFilter = (&(objectCategory=group)(name=IS Splunk*)).

Now I have added a new group to AD ("IS Splunk Users - Energy Tracking") and want to add it to Splunk, but Splunk does not list it. When I remove the "(name=IS Splunk*)" filter I get lots of groups, but none of the "IS Splunk" groups. When sorted by LDAP Group Name there is an "IS Server" and an "IS WTS" group, but nothing in between.

How do I get Splunk to "see" new groups? It has been three days since the group was created, so it has replicated to all DCs now. I am running 4.1.6 build 89596, and the current Authentication.conf contains:

[authentication]
authSettings = MyDomain.com
authType = LDAP

[MyDomain.com]
SSLEnabled = 0
bindDN = SplunkServiceAccount
bindDNpassword = password
charset = utf8
groupBaseDN = OU=Enterprise,DC=MyDomain,DC=com
groupBaseFilter = (&(objectCategory=group)(name=IS Splunk*))
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = MyDC.MyDomain.com
port = 389
realNameAttribute = displayname
userBaseDN = DC=MyDomain,DC=com
userBaseFilter = (objectclass=user)
userNameAttribute = samaccountname

[roleMap]
admin = IS Splunk Administrators
can_delete = IS Splunk Administrators
firewall nerd = IS Splunk Administrators;IS Splunk Users - Firewalls
infrastructure nerd = IS Splunk Administrators;IS Splunk Users - Infrastructure
power = IS Splunk Administrators
unix nerd = IS Splunk Administrators;IS Splunk Users - Unix
user = IS Splunk Administrators
voice nerd = IS Splunk Administrators;IS Splunk Users - Mobiles
1 Solution

gkanapathy
Splunk Employee

Groups will only show up in the interface if they also contain users who meet the user filters. Are the groups empty, or do they not contain users from the indicated domain and filter?

gurlest
Path Finder

We were having a similar situation in our environment and the issue ended up being that the group in question lived in an Active Directory branch outside the defined groupBaseDN value. Once we added that branch to the groupBaseDN filter, access worked like a champ.

Original Value:

groupBaseDN = OU=Server_Groups,DC=Enterprise,DC=MyDomain,DC=com

Updated Value:

groupBaseDN = OU=Server_Groups,DC=Enterprise,DC=MyDomain,DC=com;OU=Access_Groups,DC=Enterprise,DC=MyDomain,DC=com
0 Karma
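
A small model of the two listing conditions reported in this thread (the group must sit under one of the `groupBaseDN` entries, and it must contain at least one member that passes the user filters), added here as an example; it is not Splunk's code. The `explain` and `grp` helpers, the users, and the `OU=Staff` / `OU=Access_Groups` placement are constructed assumptions.

```python
import re

CFG = {  # values from the question's authentication.conf stanza
    "groupBaseDN": "OU=Enterprise,DC=MyDomain,DC=com",
    "groupBaseFilter": "(&(objectCategory=group)(name=IS Splunk*))",
    "userBaseDN": "DC=MyDomain,DC=com",
}

def under_base(dn, bases):
    """True if dn is at or below any ';'-separated base DN (escaped commas not handled)."""
    bases = [b.strip().lower() for b in bases.split(";") if b.strip()]
    return any(dn.lower() == b or dn.lower().endswith("," + b) for b in bases)

def name_matches(cn, group_filter):
    """Apply only the (name=...) clause; '*' is the sole wildcard, compared case-insensitively."""
    m = re.search(r"\(name=([^)]*)\)", group_filter)
    pattern = ".*".join(map(re.escape, m.group(1).split("*"))) if m else ".*"
    return re.fullmatch(pattern, cn, re.IGNORECASE) is not None

def user_ok(dn, users, cfg):
    # "user" stands in for userBaseFilter = (objectclass=user)
    return "user" in users.get(dn.lower(), set()) and under_base(dn, cfg["userBaseDN"])

def explain(group, users, cfg=CFG):
    if not under_base(group["dn"], cfg["groupBaseDN"]):
        return "hidden: outside groupBaseDN"
    if not name_matches(group["cn"], cfg["groupBaseFilter"]):
        return "hidden: fails groupBaseFilter"
    if not group["member"]:
        return "hidden: no members"
    if not any(user_ok(m, users, cfg) for m in group["member"]):
        return "hidden: no member passes the user filters"
    return "listed"

def grp(cn, ou, member):
    return {"cn": cn, "dn": f"CN={cn},OU={ou},DC=MyDomain,DC=com", "member": member}

# Constructed sample directory (hypothetical users and OU placement).
ALICE, VENDOR = "CN=alice,OU=Staff,DC=MyDomain,DC=com", "CN=vendor,OU=Staff,DC=MyDomain,DC=com"
USERS = {ALICE.lower(): {"user"}, VENDOR.lower(): {"contact"}}
GROUPS = [
    grp("IS Splunk Administrators", "Enterprise", [ALICE]),
    grp("IS Splunk Users - Energy Tracking", "Enterprise", []),
    grp("IS Splunk Users - Mobiles", "Access_Groups", [ALICE]),
    grp("IS Splunk Users - Unix", "Enterprise", [VENDOR]),
]

if __name__ == "__main__":
    print("\n".join(f'{g["cn"]}: {explain(g, USERS)}' for g in GROUPS))
```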

eegilbert
Explorer

I'm on 5.x and this was true for me too. My AD guy says this is a feature of Windows AD. /Upvoted

0 Karma

ruiaires
Path Finder

I'm having the same problem... LDAP shows 197 groups but there are more... All groups have users and they match the existing filters... This happens in 4.3.2

0 Karma

dagryph
Explorer

Hmm. I'm seeing the same issue where only 27 out of 29 security groups are showing up. Restart didn't help, resetting up the ldap config didn't change anything. This is happening on both 4.2 and 4.3.1.

0 Karma

FunPolice
Path Finder

That's the trick - the group had no members yet. I hadn't expected that to break it. Thanks.

0 Karma

LCM
Contributor

Restart Splunk, maybe it is a cache issue!?
