Splunk LDAP authentication with Active Directory

Communicator

I'm unable to authenticate Splunk LDAP with Active Directory. I'm able to save my LDAP configuration and pull the users for a group. I have matched the role with the user group, but I'm unable to log in to Splunk using my AD credentials.

My authentication file:

[cacheTiming]
userLoginTTL = 1
getUserInfoTTL = 1
getUsersTTL = 1

[authentication]
authSettings = Active_directory
authType = LDAP

[roleMap_Active_directory]
admin = Splunk_Admins_Test

[Active_directory]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = splunkserviceaccount
bindDNpassword = password
charset = utf8
groupBaseDN = CN=Users,DC=Mydomain, DC=com
groupBaseFilter = (&(objectCategory=group)(name=Splunk_Admins_Test))
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = hostid
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=Mydomain, DC=com
userBaseFilter = (&(objectCategory=person)(objectClass=user))
userNameAttribute = samaccountname

When I ran these commands my results were empty:
ldapsearch -x -h -p -D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

ldapsearch -x -h -p -D "bind_dn" -w "bind_passwd" -b "group_basedn" "groupNameAttribute=*"

My log files indicate that it is unable to find the user:

01-14-2013 15:46:38.726 -0600 ERROR AuthenticationManagerLDAP - Could not find user="ssanke" with strategy="Active_directory"
01-14-2013 15:46:38.727 -0600 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="ssanke" on any configured servers

Can anyone point me to where the error might be?

New Member

Gravedigging, I know. I ran into this and had a heck of a time figuring it out. We could map groups and users, and have nested security groups all over the place, BUT some users could not log in, even though we could see them in the Splunk UI as a member of the group(s) we were adding. Turns out that the users that could not log in did not have an Active Directory DisplayName! The LDAP query would choke and die for those users, while users with DisplayNames would be able to log in. We changed the "realNameAttribute" to "samaccountname" and the users were immediately able to log in. The only side effect is that their login name is shown at the top of the UI rather than their full name, but with thousands of possible users, and the potential of this cropping up in the future, we're keeping the "samaccountname" and calling it a day.
Working config, non-SSL:

authentication.conf:
[roleMap_MGMT-SE]
admin = SE-GROUP

[authentication]
authSettings = MGMT-SE,MGMT-USERS
authType = LDAP

[roleMap_MGMT-USERS]
splunktier1 = SplunkTier1
splunktier2 = SplunkTier2
splunktier3 = SplunkTier3

[MGMT-SE]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = CN=_splunksvc,OU=Service_Accounts,DC=mgmt,DC=com
bindDNpassword = (removed)
charset = utf8
emailAttribute = mail
groupBaseDN = CN=SE-GROUP,OU=Teams,OU=Security_Groups,DC=mgmt,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.server.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = samaccountname
sizelimit = 4000
timelimit = 15
userBaseDN = DC=mgmt,DC=com
userNameAttribute = samaccountname

[MGMT-USERS]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=_splunksvc,OU=Service_Accounts,DC=mgmt,DC=com
bindDNpassword = (removed)
charset = utf8
emailAttribute = mail
groupBaseDN = OU=User_Groups,OU=Security_Groups,DC=mgmt,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.server.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = samaccountname
sizelimit = 4000
timelimit = 15
userBaseDN = DC=mgmt,DC=com
userNameAttribute = samaccountname

Path Finder

This works without SSL as well.

Here's my working config, it might be of help.

bindDN = CN=ldapquery,OU=Services,DC=test,DC=com
bindDNpassword = aPassword
charset = utf8
groupBaseDN = CN=Splunk_Admins,OU=Groups,DC=test,DC=com;CN=Splunk_Power_Users,OU=Groups,DC=test,DC=com;CN=Splunk_Users,OU=Groups,DC=test,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = testDC.test.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=MyUsers,DC=test,DC=com
userNameAttribute = samaccountname

Communicator

Thanks for the reply! This config is not working.

SplunkTrust

I believe when trying to authenticate to AD, SSL is required. Try modifying these settings.

SSLEnabled = 1
port = 636

You can also try using ldapsearch: ldapsearch -x -H ldaps://ldap_host -D "bind_dn" -W -b "user_basedn" "(samaccountname=*)" "cn"

Communicator

The error while using SSL:

Encountered the following error while trying to update: In handler 'LDAP-auth': strategy="Active_directory" Error binding to LDAP. reason="Can't contact LDAP server"

I tried removing all the filters but still I'm unable to log in. I even tried using the (&(objectCategory=group)(!(grouptype=2))) filter.

SplunkTrust

After your previous update with errors, I think you need to remove the "userBaseFilter". Also for the groups, you will need to remove the "groupBaseFilter". When brought together, your user filter is "(&(samaccountname=%USER%)(objectCategory=person)(objectCategory=user))" and your group filter is "(&(cn=*)(objectCategory=group)(name=Splunk_Admins_Test))". Since it looks like your CN=Users contains BOTH groups and users, you will want to make your groupBaseFilter = "(&(objectCategory=group)(!(grouptype=2)))".
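Worked example, added here and not code from the thread or from Splunk: it composes the effective user and group filters the way the reply above describes (name predicate ANDed with the base filter), RFC 4515-escapes the login name that replaces %USER%, and reports which of the configured attributes a returned entry lacks, which is the missing-DisplayName symptom the "gravedigging" reply describes when realNameAttribute points at an attribute some users have not populated. The stanza values are constructed from the question's config, and the composition rule is an assumption modelled on the quoted filters, not Splunk's actual implementation.

```python
import configparser

# Constructed authentication.conf fragment modelled on the thread's stanza
# (example values only, not anyone's real directory).
SAMPLE_CONF = """
[Active_directory]
groupBaseFilter = (&(objectCategory=group)(!(grouptype=2)))
groupNameAttribute = cn
userBaseFilter = (&(objectCategory=person)(objectClass=user))
userNameAttribute = samaccountname
realNameAttribute = cn
"""

def load_strategy(conf_text, stanza):
    """Parse one LDAP strategy stanza, keeping key case and a literal '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys as written
    cp.read_string(conf_text)
    return dict(cp[stanza])

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP filter,
    so a login name cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def compose_filter(attr, value, base_filter):
    """AND the name predicate with the base filter, flattening a top-level (&...)
    the way the effective filters quoted in the thread are written (assumption)."""
    pred = "(%s=%s)" % (attr, value)
    if base_filter.startswith("(&") and base_filter.endswith(")"):
        return "(&%s%s)" % (pred, base_filter[2:-1])
    return "(&%s%s)" % (pred, base_filter) if base_filter else pred

def user_filter(strategy, username):
    """Effective user lookup filter; pass '%USER%' to see the template form."""
    return compose_filter(strategy["userNameAttribute"],
                          escape_filter_value(username),
                          strategy.get("userBaseFilter", ""))

def group_filter(strategy):
    """Effective group enumeration filter (groupNameAttribute=*)."""
    return compose_filter(strategy["groupNameAttribute"], "*",
                          strategy.get("groupBaseFilter", ""))

def missing_attributes(strategy, entry):
    """Which of the attributes the strategy relies on are absent or empty in a
    returned user entry (LDAP attribute names compare case-insensitively)."""
    present = {k.lower() for k, v in entry.items() if v}
    wanted = [strategy["userNameAttribute"], strategy["realNameAttribute"]]
    return [a for a in wanted if a.lower() not in present]
```

Running `missing_attributes` over the entries ldapsearch returns for the users who cannot log in shows at a glance whether the failure is the name attribute or the real-name attribute.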

SplunkTrust

What error were you given?

Communicator

When I tried to change it to SSL from the web interface, it gave me an error while saving.

Communicator

I don't have an account with the same name.

Influencer

Make sure you don't have an account in Splunk with the same username - it'll use the Splunk account with the same name before the LDAP account.