Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk 4.2 Ldap

mhasling
Engager
‎04-01-2011 03:06 PM

I am trying to set up splunk to authenticate against ldap and got the configuration set up in splunk 4.1.7. It worked fine I was able to log in with my ldap user name. I then installed splunk 4.2 and went through the same process that worked before and when saving my ldap configuration the UI hung. Looking in the logs I saw ScopedLDAPConnection LDAP server returned message: Size limit exceeded. I know that there are more than 1000 users in my defined DN user space and I can not change the layout of ldap. Just to test I went back uninstalled splunk reinstalled 4.1.7 and got the configuration to work.

Any idea why this would work in splunk 4.1.7 and not 4.2? Suggestions?

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Marklar
Splunk Employee
Splunk Employee
‎04-01-2011 07:13 PM

So this was just an issue with saving the strategy? The same configuration should absolutely work in 4.2 - all your users should be able to log in the same way. If need be, simply copy the authentication.conf from your 4.1.7 instance into your 4.2. This config file is under $SPLUNK_HOME/etc/system/local

Our LDAP integration is largely unchanged in 4.2, with the exception of that strategy page. We now perform some extra validation that the configuration you entered will work. This verification involves contacting the LDAP server a few times and performing some basic searches, so any latency in contacting that server would be reflected in the UI when you hit save.

Here is what we now verify for you when you save a strategy (in order):

  • You can contact the LDAP server and bind given the credentials specified.

  • All user base DNs specified exist on the server

  • We can retrieve at least 1 user given the specified username, realname, and groupMapping attributes

  • All group base DNs specified exist on the server

  • We can retrieve at least 1 group given the specified groupName and groupMember attributes

Note that the third and fifth checks involve performing a search, which would be subject to size limits. However, we only ask for one entry. So the 'size limit exceeded' is a red herring here; it's just the LDAP server telling Splunk that the search would hit the size limit, even though we only asked for 1 entry. For further information, set ScopedLDAPConnection to debug, which should make it clear exactly what searches we're performing and what's causing the issue. Do this from Manager > System Settings > System Logging

View solution in original post

Reply
Solved! Jump to solution

BP9906
Builder
‎07-25-2011 05:18 PM

The above answer is helpful for turning on logging, but even after turning on logging and scoping the user based DN down to a group with only 2 users, I still get

07-25-2011 17:14:13.224 -0700 WARN ScopedLDAPConnection - Search for DN 'OU=group,OU=Users,OU=location,...': LDAP server returned message: Size limit exceeded

0 Karma
Reply
Solved! Jump to solution
Solution

Marklar
Splunk Employee
Splunk Employee
‎04-01-2011 07:13 PM

So this was just an issue with saving the strategy? The same configuration should absolutely work in 4.2 - all your users should be able to log in the same way. If need be, simply copy the authentication.conf from your 4.1.7 instance into your 4.2. This config file is under $SPLUNK_HOME/etc/system/local

Our LDAP integration is largely unchanged in 4.2, with the exception of that strategy page. We now perform some extra validation that the configuration you entered will work. This verification involves contacting the LDAP server a few times and performing some basic searches, so any latency in contacting that server would be reflected in the UI when you hit save.

Here is what we now verify for you when you save a strategy (in order):

  • You can contact the LDAP server and bind given the credentials specified.

  • All user base DNs specified exist on the server

  • We can retrieve at least 1 user given the specified username, realname, and groupMapping attributes

  • All group base DNs specified exist on the server

  • We can retrieve at least 1 group given the specified groupName and groupMember attributes

Note that the third and fifth checks involve performing a search, which would be subject to size limits. However, we only ask for one entry. So the 'size limit exceeded' is a red herring here; it's just the LDAP server telling Splunk that the search would hit the size limit, even though we only asked for 1 entry. For further information, set ScopedLDAPConnection to debug, which should make it clear exactly what searches we're performing and what's causing the issue. Do this from Manager > System Settings > System Logging

Reply
Solved! Jump to solution

mhasling
Engager
‎04-01-2011 09:26 PM

Thanks when I copied the authentication.conf file over and restarted it worked. Just had to change the password back to clear text in the configuration file.

I guess it didn't like the extra validation being done with a large set of users.

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...