Security

Most LDAP users don't appear/aren't usable

Explorer

I have set up the LDAP structure and don't see all of my users in the Group mapping.

Under Manager>>Access controls>>Authentication method>>LDAP strategies>>LDAP Groups, I have set up the specific group to map to Admin; in the text box below it shows all ~50 of my users.

If I save that screen and go to Manager>>Access controls>>Users only 14 users show up. I have deleted the mapping and started over, I have tried mapping to a different global catalog, nothing helps.

What am I missing here?

Splunk 5.0 build 140868 on 2008 R2 SP1
DC = 2008 R2 Ent

Thanks


Re: Most LDAP users don't appear/aren't usable

SplunkTrust

In order for the user to show up in the user list, I believe they must first login. Once they login, then their user account gets created within Splunk, and will show in the GUI.


Re: Most LDAP users don't appear/aren't usable

Explorer

I wish that were the case... I had already tried to log in with my account and that didn't work. I get the error "Invalid username or password". If I log in with one of the 14 accounts listed, it works.

I also "copied" one of the users in ADUC that is listed in Splunk. The new user did not show up, so I don't think there is anything special about the AD users.


Re: Most LDAP users don't appear/aren't usable

SplunkTrust

Do you have a User Base Filter configured? That will limit who can log in, just as the Group does.


Re: Most LDAP users don't appear/aren't usable

Champion

Do you have any local users with the same username as yours? These will override your AD user of the same name. Also, you might find it worth turning up the logging levels of the ldap logger in System settings.

Re: Most LDAP users don't appear/aren't usable

Explorer

Solved it!

I was mistaken about your first answer. You are partially correct. I was able to log in with another account that was not listed. Once I logged in with that account, it showed up in the Users list.

The problem that I was having was that I had not filled out the "Display name" field in ADUC. That prevented my account from logging in. Once I completed the Display name field, my account was able to login.

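The three checks raised in this thread (a user base filter or base DN that excludes members, a local Splunk account shadowing an LDAP username, and a member missing the attribute Splunk reads as the real name) can all be made against an LDIF dump before anyone tries to log in. The script below is an added example, not code from the original posts or from Splunk. It assumes the attribute names from Splunk's Active Directory example in authentication.conf (userNameAttribute = sAMAccountName, realNameAttribute = displayName, groupMemberAttribute = member); the LDIF and the local-user list are constructed for the example, and the group DN and user DNs are hypothetical.

```python
"""Offline pre-flight for a Splunk LDAP group mapping (added example, not Splunk's code).

Reads an LDIF dump such as `ldapsearch` or `ldifde` would produce and reports, for each
member of the group mapped to a Splunk role, anything that would stop that member from
logging in or from being the account Splunk actually resolves.
"""
import base64
import re

# Attribute names assumed from Splunk's Active Directory example configuration.
USER_NAME_ATTRIBUTE = "sAMAccountName"
REAL_NAME_ATTRIBUTE = "displayName"
GROUP_MEMBER_ATTRIBUTE = "member"

# Constructed sample: one healthy user, one with no displayName, one whose
# sAMAccountName matches a local Splunk account.  DNs are hypothetical.
SAMPLE_LDIF = """\
dn: CN=Splunk Admins,OU=Groups,DC=example,DC=com
objectClass: group
cn: Splunk Admins
member: CN=Alice Adams,OU=Users,DC=example,DC=com
member: CN=Bob Brown,OU=Users,DC=example,DC=com
member: CN=Carol Clark,OU=Users,DC=example,DC=com

dn: CN=Alice Adams,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: aadams
displayName: Alice Adams

dn: CN=Bob Brown,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bbrown

dn: CN=Carol Clark,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: admin
displayName: Carol Clark
"""

# Constructed: usernames defined locally in Splunk (the built-in account is "admin").
LOCAL_SPLUNK_USERS = {"admin"}

GROUP_DN = "CN=Splunk Admins,OU=Groups,DC=example,DC=com"


def parse_ldif(text):
    """Parse LDIF into {dn: {attr_lower: [values]}}; handles folded lines and base64 values."""
    entries = {}
    current = None
    text = re.sub(r"\n ", "", text)  # unfold continuation lines (leading single space)
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line or line.startswith("#"):
            current = None  # a blank line terminates the entry
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        current.setdefault(attr.lower(), []).append(value)
    return entries


def check_group_members(entries, group_dn, local_users):
    """Return {member_dn: [problem, ...]} for every member of the mapped group; [] means clean."""
    group = entries.get(group_dn)
    if group is None:
        raise KeyError("group not found in dump: %s" % group_dn)
    local_lower = {u.lower() for u in local_users}
    findings = {}
    for member_dn in group.get(GROUP_MEMBER_ATTRIBUTE.lower(), []):
        problems = []
        user = entries.get(member_dn)
        if user is None:
            # Splunk only sees users under userBaseDN that pass userBaseFilter.
            problems.append("member DN absent from dump: outside userBaseDN or excluded by userBaseFilter")
            findings[member_dn] = problems
            continue
        names = user.get(USER_NAME_ATTRIBUTE.lower(), [])
        if not names:
            problems.append("missing %s: Splunk cannot derive a username" % USER_NAME_ATTRIBUTE)
        if not user.get(REAL_NAME_ATTRIBUTE.lower()):
            problems.append("missing %s (realNameAttribute): login fails, as in this thread" % REAL_NAME_ATTRIBUTE)
        for name in names:
            if name.lower() in local_lower:
                problems.append("username %r collides with a local Splunk user, which takes precedence" % name)
        findings[member_dn] = problems
    return findings


if __name__ == "__main__":
    for dn, problems in check_group_members(parse_ldif(SAMPLE_LDIF), GROUP_DN, LOCAL_SPLUNK_USERS).items():
        print("%s: %s" % (dn, "OK" if not problems else "; ".join(problems)))
```

Run it against a real dump by replacing SAMPLE_LDIF with the output of an ldapsearch over your userBaseDN (using the same filter as your strategy's userBaseFilter) plus the group object, and LOCAL_SPLUNK_USERS with the usernames listed under Manager>>Access controls>>Users that are not LDAP users. A member flagged as absent from the dump is the filter/base-DN case from the thread; one flagged for the missing displayName is the case the original poster hit.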