Some LDAP users are not showing up in Splunk Users screen -- Splunk 4.3.1 build 119532.


I happened to take a look at Manager >> Access Controls >> Users the other day and quite a few users I knew should be there were not. We are using LDAP authentication. I vaguely remembered something about LDAP in the 4.3 notes and went and looked. After mentioning that they fixed a bug concerning Splunk LDAP for this release it says:

If you are using LDAP version 2,
Splunk will populate the LDAP user
list with only those users who have
already successfully logged in to
Splunk, as opposed to the full list of
users who have login access.

We are, in fact, using LDAP 2 (the actual version is 2.4.23)

So I thought, "maybe that's it". I asked someone who is configured to use Splunk via LDAP that was not on the list in Splunk and asked him to log in to Splunkweb. After he did this I went back to the Users list and, no, he still wasn't there. So I don't think it is this that we are seeing here.

My questions:

  1. Has anyone else seen this?
  2. Has anyone any idea about anything we could be doing that would cause this?
  3. Does this sound like a Splunk bug?
Tags (3)
0 Karma


What are your LDAP settings? Mainly, what is your "User base DN" and "Group base DN"? I tend to create a specific Security Group for Splunk. I have for example Splunk - Admins, Splunk - Developers - Location 1, Splunk - Developers - Location 2, Splunk - Service Desk, etc. With that, make sure that a group the user is in is mapped to a specific role. Is the group showing up in the "Manager » Access controls » Authentication method » Configure Splunk to use LDAP and map groups » Map groups"?

0 Karma


Can you be more specific about what you are looking for in the GUI? There is no area of the page labled 'groups'. I will say that every field is filled in except the two Dynamic group settings (member attribute and group search filter).

We are using a rolemap defined in authentication.conf that has a 10 roles, and what users associated with these roles can do is defined in authorize.conf.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!