Security

LDAP tuning 4.2

Communicator

I have set up LDAP access to the GC (3268) and it works great. However, I am now noticing that there is a lot of traffic generated across the firewall that separates them.
In the last 60 minutes 54,000 connections were created. This will not make the AD team very happy.

Firstly, what is Splunk doing every minute to reach out and generate about 1000 connections (this sounds like the default page size for an LDAP connection)?

Second, how do I force Splunk to reach out less frequently? The LDAP groups are not changing that rapidly; once an hour or two is sufficient for me.

Can the scripted auth parameters for caching and timeout be used for LDAP connections?

1 Solution

Communicator

Solved it, wasn't what I expected.

We are using LDAP auth for user access to Splunk. It turns out that Splunk attempts to verify in LDAP all the owners of searches and objects listed in local.meta.

I had done some development on objects with a local account that didn't exist on this server, and that was what Splunk was attempting to look up in AD. This is the same behaviour that I saw when I used the Bind app and we were noticing lookups for nfoggi (the creator of the searches in that app).

So I guess a word of warning: if you save objects as owned by a local user that does not exist on the Splunk server that authentication is done on, you will have a number of queries generated to your AD/LDAP server attempting to look up those IDs.

A tcpdump with this string will tell you what you are looking up in AD/LDAP to validate the problem.
a.b.c.d is the LDAP server, or you can use port 3268 (for global catalog) or port 386 (for LDAP).
tcpdump -np -s 1500 -w outfile.libpcap -i em3 host a.b.c.d

Hope this helps someone (and maybe gets the default ownership of objects changed in Splunkbase for those that use AD/LDAP auth).

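An added example, not code from the original thread: a small Python script that parses a Splunk local.meta file and lists the objects whose owner is not a known local account, i.e. the IDs that would otherwise be resolved against AD/LDAP on every lookup. The .meta contents and the set of local users are constructed for the example.

```python
import re
from typing import Dict, Set

# Constructed sample of a Splunk metadata/local.meta file (not from any real
# deployment); the owner values are illustrative.
SAMPLE_LOCAL_META = """\
[]
access = read : [ * ], write : [ admin ]

[savedsearches/Failed%20Logins]
owner = nfoggi
access = read : [ * ], write : [ admin ]

[views/overview]
owner = admin

[lookups/hosts.csv]
owner = devuser
"""

STANZA_RE = re.compile(r"^\[(.*)\]\s*$")
KEY_RE = re.compile(r"^(\w+)\s*=\s*(.*?)\s*$")

def parse_meta_owners(text: str) -> Dict[str, str]:
    """Map each stanza of a .meta file to the owner it declares, if any."""
    owners: Dict[str, str] = {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and stanza is not None and m.group(1) == "owner":
            owners[stanza] = m.group(2)
    return owners

def find_unknown_owners(owners: Dict[str, str], local_users: Set[str]) -> Dict[str, str]:
    """Stanzas whose owner is not a known local account; each of these is a
    candidate for repeated AD/LDAP lookups when Splunk resolves the owner."""
    return {s: o for s, o in owners.items() if o not in local_users}
```

Run it against each app's metadata/local.meta with the instance's real local user list to find owners to reassign before the directory traffic shows up at the firewall.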

Splunk Employee

This is interesting.
