Security

LDAP user's name changed - Splunk thinks this is a completely new user

skladstrup
New Member

We're just starting out with Splunk, and maybe this is a setting on LDAP's side of things (please correct me if that's the case), but my name changed in LDAP recently. When I logged in today, there's an orphaned alert. Splunk thinks my new name is a completely different user instead of just adopting my old alerts, and reports.
This seems like a bug to me. While name changes are not frequent, they should be routine. Women and men change their names when they marry, when they divorce, and other less common reasons. Where do I post this to get it fixed?

Tags (1)
0 Karma
1 Solution

elliotproebstel
Champion

Based on the docs about using LDAP with Splunk, it looks like the value interpreted by Splunk as the user name (the unique value Splunk keys on to identify you as a user) was set during your configuration stage and is likely the sAMAccountName. Here's a quote from the docs:

14. Enter the User name attribute that contains the user name.
The username attribute cannot contain white spaces.
In Active Directory, this is typically sAMAccountName, but you can also authenticate on other attributes, like cn.
The value uid should work for most other configurations.

So it seems that your Splunk instance is using a value from LDAP that was changed as a part of your LDAP name change. The solution, I'd think, would be to find a key in LDAP that is unlikely to change even with a name change. I don't know enough about LDAP to suggest such a value, but if you can find something that is unique to each user but unlikely to change with a name change, you could use that value in your Splunk setting and also leave a comment on the docs page suggesting that they consider recommending your alternate field as the recommended value. As you pointed out, lots of people change their names for lots of reasons, so you're surely not the only person impacted!

View solution in original post

0 Karma

elliotproebstel
Champion

Based on the docs about using LDAP with Splunk, it looks like the value interpreted by Splunk as the user name (the unique value Splunk keys on to identify you as a user) was set during your configuration stage and is likely the sAMAccountName. Here's a quote from the docs:

14. Enter the User name attribute that contains the user name.
The username attribute cannot contain white spaces.
In Active Directory, this is typically sAMAccountName, but you can also authenticate on other attributes, like cn.
The value uid should work for most other configurations.

So it seems that your Splunk instance is using a value from LDAP that was changed as a part of your LDAP name change. The solution, I'd think, would be to find a key in LDAP that is unlikely to change even with a name change. I don't know enough about LDAP to suggest such a value, but if you can find something that is unique to each user but unlikely to change with a name change, you could use that value in your Splunk setting and also leave a comment on the docs page suggesting that they consider recommending your alternate field as the recommended value. As you pointed out, lots of people change their names for lots of reasons, so you're surely not the only person impacted!

0 Karma

kn-nowit
Observer

Is it possible to set the "Real Name" as a combination of multiple ldap fields and a custom prefix?

I thought about something like
"(Admin) " + displayName

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...