Can anyone explain or point me to the docs of how the LDAP User and Group Filters work? I have gone through the docs http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureLDAPwithSplunkWeb but I'm still unable to understand it clearly.
Without a filter, the query sent by Splunk to LDAP will say 'give me a list of all users'.
This could be hundreds of thousands of accounts.
If you specify a filter, i.e. 'Department=Splunk', then the query sent by Splunk to LDAP will say 'give me a list of users who belong to the Splunk department'.
The list of users returned will be much smaller.
Same theory for group filters.
No. One is a query to get a list of all the users, the other is a query to get a list of all the groups.
The groups that a user belongs to are pulled from the user attribute 'memberOf' (or whatever the group membership attribute is in your flavour of LDAP).
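
The narrowing described in the answers above, modelled as an added example (not part of the original thread and not Splunk's code): a small evaluator for a subset of LDAP filter syntax, run over a constructed directory. The entries, DNs, helper names and the `(cn=splunk-*)` group filter are assumptions for illustration; only `Department=Splunk` and `memberOf` come from the thread.

```python
import re

# Constructed sample directory (illustrative assumption, not real data).
def dn(cn):
    return f"cn={cn},ou=groups,dc=example,dc=com"

USERS = [
    {"uid": "alice", "department": "Splunk", "memberOf": [dn("splunk-admins")]},
    {"uid": "bob", "department": "Splunk", "memberOf": [dn("splunk-users"), dn("vpn")]},
    {"uid": "carol", "department": "Finance", "memberOf": [dn("vpn")]},
    {"uid": "svc-backup", "department": "IT", "memberOf": []},
]
GROUPS = [{"dn": dn(cn), "cn": cn} for cn in ("splunk-admins", "splunk-users", "vpn")]

def parse(f, i=0):
    """Parse (&(a=b)(!(c=d*))) from f[i]; subset only: & | ! and attr=pattern, no escapes."""
    i += 1  # skip '('
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # skip ')'
    end = f.index(")", i)
    attr, _, pattern = f[i:end].partition("=")
    return ("=", attr, pattern), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    # Leaf: attribute names and values compared case-insensitively, '*' is a wildcard.
    values = {k.lower(): v for k, v in entry.items()}.get(node[1].lower(), [])
    values = [values] if isinstance(values, str) else values
    rx = re.compile(".*".join(map(re.escape, node[2].split("*"))), re.I)
    return any(rx.fullmatch(v) for v in values)

def search(entries, ldap_filter=None):
    """No filter: every entry comes back. With a filter: only matching entries."""
    node = parse(ldap_filter)[0] if ldap_filter else None
    return [e for e in entries if node is None or matches(node, e)]

def mapped_groups(user, group_filter=None):
    """Groups listed in the user's memberOf that also pass the group filter."""
    allowed = {g["dn"] for g in search(GROUPS, group_filter)}
    return [g for g in user["memberOf"] if g in allowed]
```

The user filter and the group filter are applied to two separate searches; a group that the group filter excludes is dropped from a user's memberships even though the user entry still lists it in `memberOf`.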