Solved: Splunk LDAP authentication Issue - need to click o...

soumyasaha25 · ‎01-16-2020

i have configred my splunk deployment (hosted on AWS instances) to use LDAP authentication over ssl, but whenever i try to login using my ldap credentials, i have to click on the login buttom multiple times to successfully login, when i use my local authentication credentials it works fine. Below is a snippet of my authentication.conf configs (with sensitive info masked)

[My_splunk_strategy_name]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=<service account>,OU=<OU Name 1>,OU=<OU Name 2>,OU=<OU Name 3>,DC=<DC Name 1>,DC=<DC Name 2>
bindDNpassword = my_password
charset = utf8
emailAttribute = mail
groupBaseDN = OU=<OU Name 1>,OU=<OU Name 2>,OU=<OU Name 3>,OU=<OU Name 4>,DC=<DC Name 1>,DC=<DC Name 2>;OU=<Another_OU Name 1>,OU=<Another_OU Name 2>,OU=<Another_OU Name 3>,OU=<Another_OU Name 4>,DC=<DC Name 1>,DC=<DC Name 2>
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap_hostname
nestedGroups = 0
network_timeout = 29
port = 636
realNameAttribute = cn
sizelimit = 2000
timelimit = 28
userBaseDN = DC=<DC Name 1>,DC=<DC Name 2>
userNameAttribute = samaccountname
pagelimit = -1

i have another splunk instance which is using similar configs and authentication works perfectly there (no need to click multiple times). The differances there are
1. there we use ldap and not ldaps
2. there the groupBaseDN has lesser number of OUs

So i tried on my current setup with LDAP (port 389 instead of 636 and SSLEnabled = 0 ) but still faced the same issue.

Am i missing anything here? any suggestions on how to resolve this issue.
Note: The security groups and NACLs rules are not an issue as i have already verified with AWS support on that.

soumyasaha25 · ‎01-17-2020

this got resolved, looks like the config file was missing some attributes in userBaseDN. after adding them, it works.

View solution in original post

soumyasaha25 · ‎01-17-2020

this got resolved, looks like the config file was missing some attributes in userBaseDN. after adding them, it works.

jkat54 · ‎01-16-2020

You're not being patient enough for the auth to take place.

Test it. Put in your ldap credentials and only press the button once... wait...

If you open your browsers developer tools and look at the network tab, you will see your browser is pending a response from your submission.

Clicking multiple times has 0 affect. It's time that's if the essence. Check your bandwidth to your ldap controllers, their performance, etc.

This happens often when you have very large ldap scopes defined. So you can also help speed this up by adding group filters etc to your ldap connection settings.

soumyasaha25 · ‎01-17-2020

Yes, my bad i forgot to mention it in the post. i did check the developer tools, network tab. If i click once and wait (patiently), it eventually throws an "Invalid username or password" error although i did key in the correct username and password, and eventually after multiple clicks i am able to login.
I also had done a test where i had clicked on login once, noted down the time and waited for it to fail/login.
example like this below
Trial 1
Time Status
13:40 Fail
13:43 Fail
13:50 Fail
13:53 Success

Also, i did notice that my groupBaseDN does not have a CN and have multiple OUs (when compared to another working splunk cluster which has lesser OUs and a CN defined in groupBaseDN), do you think that might be the issue?

jkat54 · ‎01-17-2020

Yes, that's what I mean by adding filters to your ldap settings.

In large AD environments it's almost required to add a group base etc.

Splunk LDAP authentication Issue - need to click on login multiple times

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life