I have successfully configured LDAP authentication, however while doing so I noticed that the "LDAP Groups" page wasn't displaying every group in the OU. I managed to get all of the groups that I needed at the time by filtering the groups more specifically with groupBaseFilter = (&(objectCategory=group)(name=IS Splunk*)).
Now I have added a new group to AD ("IS Splunk Users - Energy Tracking") and want to add it to Splunk, but Splunk does not list it. When I remove the "(name=IS Splunk*)" filter I get lots of groups, but none of the "IS Splunk" groups. When sorted by LDAP Group Name there is an "IS Server" and an "IS WTS" group, but nothing in between.
How do I get Splunk to "see" new groups? It has been three days since the group was created, so it has replicated to all DCs now. I am running 4.1.6 build 89596, and the current Authentication.conf contains:
[authentication]
authSettings = MyDomain.com
authType = LDAP
[MyDomain.com]
SSLEnabled = 0
bindDN = SplunkServiceAccount
bindDNpassword = password
charset = utf8
groupBaseDN = OU=Enterprise,DC=MyDomain,DC=com
groupBaseFilter = (&(objectCategory=group)(name=IS Splunk*))
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = MyDC.MyDomain.com
port = 389
realNameAttribute = displayname
userBaseDN = DC=MyDomain,DC=com
userBaseFilter = (objectclass=user)
userNameAttribute = samaccountname
[roleMap]
admin = IS Splunk Administrators
can_delete = IS Splunk Administrators
firewall nerd = IS Splunk Administrators;IS Splunk Users - Firewalls
infrastructure nerd = IS Splunk Administrators;IS Splunk Users - Infrastructure
power = IS Splunk Administrators
unix nerd = IS Splunk Administrators;IS Splunk Users - Unix
user = IS Splunk Administrators
voice nerd = IS Splunk Administrators;IS Splunk Users - Mobiles
We were having a similar situation in our environment and the issue ended up being that the group in question lived in an Active Directory branch outside the defined groupBaseDN value. Once we added that branch to the groupBaseDN filter, access worked like a champ.
Original Value:
groupBaseDN = OU=Server_Groups,DC=Enterprise,DC=MyDomain,DC=com
Updated Value:
groupBaseDN = OU=Server_Groups,DC=Enterprise,DC=MyDomain,DC=com;OU=Access_Groups,DC=Enterprise,DC=MyDomain,DC=com
Groups will only show up in the interface if they also contain users who meet the user filters. Are the groups empty, or do they not contain users from the indicated domain and filter?
I'm on 5.x and this was true for me too. My AD guy says this is a feature of Windows AD. /Upvoted
I'm having the same problem... LDAP shows 197 groups but there are more... All groups have users and they match the existing filters... This happens in 4.3.2
Hmm. I'm seeing the same issue where only 27 out of 29 security groups are showing up. Restart didn't help, resetting up the LDAP config didn't change anything. This is happening on both 4.2 and 4.3.1.
That's the trick - the group had no members yet. I hadn't expected that to break it. Thanks.
Restart Splunk, maybe it is a cache issue!?
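The two causes identified in this thread (a group living outside groupBaseDN, and a group with no members that fall under the user settings) can be checked offline against an export of the directory. The following is an added example, not part of any post above and not Splunk's own code: `why_hidden`, the `name_pattern` key and the sample entries are constructed, and the logic models only the behaviour the answers describe, with the user filter reduced to a userBaseDN check.

```python
from fnmatch import fnmatchcase

def rdns(dn):
    """Split a DN into lowercased RDNs (assumes no escaped commas in values)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def is_under(dn, base):
    """True if dn equals base or sits anywhere below it in the tree."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def why_hidden(group, cfg):
    """Return the reasons a group would be missing from the list ([] = listed)."""
    reasons = []
    # groupBaseDN may hold several bases separated by ';' (as in the answer above)
    bases = [b for b in cfg["groupBaseDN"].split(";") if b.strip()]
    if not any(is_under(group["dn"], b) for b in bases):
        reasons.append("outside groupBaseDN")
    # name_pattern stands in for the (name=IS Splunk*) part of groupBaseFilter
    if not fnmatchcase(group["cn"].lower(), cfg["name_pattern"].lower()):
        reasons.append("name does not match filter")
    # Per the thread: a group with no members found under the user settings is not listed
    if not any(is_under(m, cfg["userBaseDN"]) for m in group["member"]):
        reasons.append("no members under userBaseDN")
    return reasons

# Settings taken from the question's stanza; name_pattern is a hypothetical key.
CFG = {"groupBaseDN": "OU=Enterprise,DC=MyDomain,DC=com",
       "userBaseDN": "DC=MyDomain,DC=com",
       "name_pattern": "IS Splunk*"}

# Constructed sample entries, shaped like an LDAP export of cn/dn/member.
GROUPS = [
    {"cn": "IS Splunk Users - Unix",
     "dn": "CN=IS Splunk Users - Unix,OU=Enterprise,DC=MyDomain,DC=com",
     "member": ["CN=Alice,OU=Staff,DC=MyDomain,DC=com"]},
    {"cn": "IS Splunk Users - Energy Tracking",
     "dn": "CN=IS Splunk Users - Energy Tracking,OU=Enterprise,DC=MyDomain,DC=com",
     "member": []},
    {"cn": "IS Splunk Users - Mobiles",
     "dn": "CN=IS Splunk Users - Mobiles,OU=Access_Groups,DC=MyDomain,DC=com",
     "member": ["CN=Bob,OU=Staff,DC=MyDomain,DC=com"]},
]

if __name__ == "__main__":
    for g in GROUPS:
        print(g["cn"], "->", why_hidden(g, CFG) or "listed")
```

Running it against a real export shows, per group, whether the base DN, the name filter or the missing membership is what keeps it out of the list, before any change is made to authentication.conf.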