
Splunk LDAP authentication with Active Directory

Communicator

I'm unable to authenticate Splunk LDAP with Active Directory. I'm able to save my LDAP configuration and pull the users for a group. I have matched the role with the user group, but I'm unable to log in to Splunk using my AD credentials.

My authentication file.

[cacheTiming]
userLoginTTL = 1
getUserInfoTTL = 1
getUsersTTL = 1

[authentication]
authSettings = Active_directory
authType = LDAP

[roleMap_Active_directory]
admin = SplunkAdminsTest

[Active_directory]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = splunkserviceaccount
bindDNpassword = password
charset = utf8
groupBaseDN = CN=Users,DC=Mydomain, DC=com
groupBaseFilter = (&(objectCategory=group)(name=SplunkAdminsTest))
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = hostid
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=Mydomain, DC=com
userBaseFilter = (&(objectCategory=person)(objectClass=user))
userNameAttribute = samaccountname

When I ran this command my results are empty.
ldapsearch -x -h -p -D "binddn" -w "bindpasswd" -b "user_basedn" "userNameAttribute=*"

ldapsearch -x -h -p -D "binddn" -w "bindpasswd" -b "group_basedn" "groupNameAttribute=*"

My log files indicate that it is unable to find the user

01-14-2013 15:46:38.726 -0600 ERROR AuthenticationManagerLDAP - Could not find user="ssanke" with strategy="Active_directory"
01-14-2013 15:46:38.727 -0600 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="ssanke" on any configured servers

Can anyone point me to where the error might be?


Re: Splunk LDAP authentication with Active Directory

Influencer

Make sure you don't have an account in Splunk with the same username - it'll use the Splunk account with the same name before the LDAP account.


Re: Splunk LDAP authentication with Active Directory

Communicator

I don't have an account with the same name


Re: Splunk LDAP authentication with Active Directory

SplunkTrust

I believe when trying to authenticate to AD, SSL is required. Try modifying these settings.

SSLEnabled = 1
port = 636

You can also try using ldapsearch: ldapsearch -x -H ldaps://ldap_host -D "bind_dn" -W -b "user_basedn" "(samaccountname=*)" "cn"


Re: Splunk LDAP authentication with Active Directory

Communicator

When I tried to change it to SSL from the web interface it is giving me an error while saving.


Re: Splunk LDAP authentication with Active Directory

SplunkTrust

What error were you given?


Re: Splunk LDAP authentication with Active Directory

SplunkTrust

After your previous update with errors, I think you need to remove the "userBaseFilter". Also for the groups, you will need to remove the "groupBaseFilter". When brought together, your user filter is "(&(samaccountname=%USER%)(objectCategory=person)(objectCategory=user))" and your group filter is "(&(cn=*)(objectCategory=group)(name=Splunk_Admins_Test))". Since it looks like your CN=Users contains BOTH groups and users, you will want to make your groupBaseFilter= "(&(objectCategory=group)(!(grouptype=2)))"
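The filter composition described in the reply above, together with the SSLEnabled/port pairing discussed in this thread, as an added example (not part of the thread and not Splunk's own code). The function names are hypothetical, the sample is a trimmed copy of the configuration from the question, and the composition follows the reply's description rather than Splunk's source; it assumes a single strategy in authSettings and an explicit port.

```python
import configparser
import shlex

# Constructed sample: trimmed copy of the authentication.conf posted in the question.
SAMPLE = """
[authentication]
authSettings = Active_directory
[Active_directory]
SSLEnabled = 0
host = hostid
port = 389
bindDN = splunkserviceaccount
userBaseDN = CN=Users,DC=Mydomain, DC=com
userBaseFilter = (&(objectCategory=person)(objectClass=user))
userNameAttribute = samaccountname
"""

def strategy(text):
    cp = configparser.ConfigParser(interpolation=None)  # "%" is literal in filters
    cp.optionxform = str  # keep the case of Splunk's key names
    cp.read_string(text)
    return cp[cp["authentication"]["authSettings"].strip()]  # one strategy assumed; KeyError if no such stanza

def escape(value):
    # RFC 4515 escaping, so a login name cannot change the filter's structure.
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def user_filter(s, user):
    # Composition as described in the reply: name clause ANDed with userBaseFilter.
    clause = f"({s['userNameAttribute']}={escape(user)})"
    base = s.get("userBaseFilter", "").strip()
    if base.startswith("(&") and base.endswith(")"):
        base = base[2:-1]  # flatten a top-level AND into the new one
    return f"(&{clause}{base})" if base else clause

def transport_issues(s):
    # Assumes port is set explicitly, as in the question; SSLEnabled absent means 0.
    ssl, port = s.get("SSLEnabled", "0").strip() == "1", s["port"].strip()
    issues = [] if ssl else ["SSLEnabled=0: bind and login passwords cross the network in cleartext"]
    if (ssl and port in ("389", "3268")) or (not ssl and port in ("636", "3269")):
        issues.append(f"SSLEnabled={int(ssl)} with port {port}: TLS setting and port disagree")
    return issues

def ldapsearch_cmd(s, user):
    ssl = s.get("SSLEnabled", "0").strip() == "1"
    url = f"{'ldaps' if ssl else 'ldap'}://{s['host']}:{s['port'].strip()}"
    argv = ["ldapsearch", "-x", "-H", url, "-D", s["bindDN"], "-W",  # -W prompts for the password
            "-b", s["userBaseDN"], user_filter(s, user), "dn"]
    return " ".join(shlex.quote(a) for a in argv)
```

Running the command returned by `ldapsearch_cmd(strategy(SAMPLE), "ssanke")` from the Splunk host shows whether the composed filter finds the account under userBaseDN; an empty result matches the "Could not find user" log line.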


Re: Splunk LDAP authentication with Active Directory

Communicator

The error while using SSL

Encountered the following error while trying to update: In handler 'LDAP-auth': strategy="Active_directory" Error binding to LDAP. reason="Can't contact LDAP server"

I tried removing all the filters, but I'm still unable to log in. I even tried using the (&(objectCategory=group)(!(grouptype=2))) filter.


Re: Splunk LDAP authentication with Active Directory

Path Finder

This works without SSL as well.

Here's my working config; it might be of help.

bindDN = CN=ldapquery,OU=Services,DC=test,DC=com
bindDNpassword = aPassword
charset = utf8
groupBaseDN = CN=SplunkAdmins,OU=Groups,DC=test,DC=com;CN=SplunkPowerUsers,OU=Groups,DC=test,DC=com;CN=SplunkUsers,OU=Groups,DC=test,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = testDC.test.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Users,OU=MyUsers,DC=test,DC=com
userNameAttribute = samaccountname


Re: Splunk LDAP authentication with Active Directory

Communicator

Thanks for the reply! This config is not working.
