Solved: LDAP user's name changed - Splunk thinks this is a...

skladstrup · ‎04-27-2018

We're just starting out with Splunk, and maybe this is a setting on LDAP's side of things (please correct me if that's the case), but my name changed in LDAP recently. When I logged in today, there's an orphaned alert. Splunk thinks my new name is a completely different user instead of just adopting my old alerts, and reports.
This seems like a bug to me. While name changes are not frequent, they should be routine. Women and men change their names when they marry, when they divorce, and other less common reasons. Where do I post this to get it fixed?

elliotproebstel · ‎04-27-2018

Based on the docs about using LDAP with Splunk, it looks like the value interpreted by Splunk as the user name (the unique value Splunk keys on to identify you as a user) was set during your configuration stage and is likely the sAMAccountName. Here's a quote from the docs:

14. Enter the User name attribute that contains the user name.
The username attribute cannot contain white spaces.
In Active Directory, this is typically sAMAccountName, but you can also authenticate on other attributes, like cn.
The value uid should work for most other configurations.

So it seems that your Splunk instance is using a value from LDAP that was changed as a part of your LDAP name change. The solution, I'd think, would be to find a key in LDAP that is unlikely to change even with a name change. I don't know enough about LDAP to suggest such a value, but if you can find something that is unique to each user but unlikely to change with a name change, you could use that value in your Splunk setting and also leave a comment on the docs page suggesting that they consider recommending your alternate field as the recommended value. As you pointed out, lots of people change their names for lots of reasons, so you're surely not the only person impacted!

View solution in original post

elliotproebstel · ‎04-27-2018

Based on the docs about using LDAP with Splunk, it looks like the value interpreted by Splunk as the user name (the unique value Splunk keys on to identify you as a user) was set during your configuration stage and is likely the sAMAccountName. Here's a quote from the docs:

14. Enter the User name attribute that contains the user name.
The username attribute cannot contain white spaces.
In Active Directory, this is typically sAMAccountName, but you can also authenticate on other attributes, like cn.
The value uid should work for most other configurations.

So it seems that your Splunk instance is using a value from LDAP that was changed as a part of your LDAP name change. The solution, I'd think, would be to find a key in LDAP that is unlikely to change even with a name change. I don't know enough about LDAP to suggest such a value, but if you can find something that is unique to each user but unlikely to change with a name change, you could use that value in your Splunk setting and also leave a comment on the docs page suggesting that they consider recommending your alternate field as the recommended value. As you pointed out, lots of people change their names for lots of reasons, so you're surely not the only person impacted!

kn-nowit · ‎08-11-2023

Is it possible to set the "Real Name" as a combination of multiple ldap fields and a custom prefix?

I thought about something like
"(Admin) " + displayName

LDAP user's name changed - Splunk thinks this is a completely new user

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...