Security

Specifying multiple LDAP static group filters

aaronkorn
Splunk Employee
Splunk Employee

Is there a way to specify multiple group search filters for multiple groups? Currently we have this (sAMAccountName = ISD TSS Management) but is there a way to specify additional groups in this filter?

Tags (2)

3johnson
Engager

(CN=Splunk*)
This syntax worked fine for us to only display groups for mapping that begin with "Splunk"; but, the BIG difference is the groups have to be populated with users or Splunk produces a cryptic error stating that it can't find any groups with the search criteria. The better error would be that I can't find any groups WITH USERS IN IT with the search criteria. Limiting the DN of the group produces the same error if the group is empty.

It seems like a Splunk proces logic flaw. On every system for 25years the process is: Create Groups > Map Roles > Populate groups with users and test.
,(CN=Splunk*)
This syntax worked fine for us to only display groups for mapping that begin with "Splunk"; but, the BIG difference is the groups have to be populated with users or Splunk produces a cryptic error stating that it can't find any groups with the search criteria. The better error would be that I can't find any groups WITH USERS IN IT with the search criteria. Limiting the DN of the group produces the same error if the group is empty.

It seems like a Splunk proces logic flaw. On every system for 25years the process is: Create Groups > Map Roles > Populate groups with users and test.

dfronck
Communicator

LDAP "Group base DN"

OU=Corporate,OU=Groups,DC=OUR,DC=COMPANY,DC=COM

"Static group search filter"

(|(CN=Splunk*)(CN=UNIX*)(CN=WINTEL*))

This pulls all the groups starting with Splunk, UNIX and WINTEL.

You could also do something with wildcards.

(|(CN=Splunk*)(CN=*UNIX*)(CN=*WINTEL*))

This pulls all the groups starting with Splunk, and contains UNIX or WINTEL.

yungm
Engager

We specify multiple AD groups in "Group base DN" field under "Group settings" as 'cn=admingrp,ou=...;cn=usergrp,ou=...'. We do not use "Static group search filter.

The groups are then mapped to each local Splunk role for access control.

The "User base filter" is defined as follow:

(&(objectCategory=Person)(sAMAccountName=*))

Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...