
Splunk LDAP authentication, wrong filter?

lkamenov
Engager

Hey there,

I have been trying to figure out why Splunk can't authenticate against my OpenLDAP server. Current configuration looks like this:


SSLEnabled = 1
anonymous_referrals = 0
bindDN = cn=admin,ou=meta,dc=my,dc=example,dc=com
bindDNpassword =
charset = utf8
groupBaseDN = ou=Group,dc=my,dc=example,dc=com
groupBaseFilter = (|(cn=GROUP1)(cn=GROUP2))
groupMappingAttribute = dn
groupMemberAttribute = memberuid
groupNameAttribute = cn
host = my.example.com
nestedGroups = 0
network_timeout = -1
port = 636
realNameAttribute = cn
sizelimit = 10000
timelimit = 29
userBaseDN = ou=People,dc=my,dc=example,dc=com
userBaseFilter = (objectClass=posixAccount)
userNameAttribute = uid

Groups are mapped correctly (GROUP1 and GROUP2), but the users within these groups cannot authenticate. I have been looking at the LDAP logs and I can see these filters:

This specific one successfully gets the user data:

conn=379662 op=1 SRCH base="ou=People,dc=my,dc=example,dc=com" scope=2 deref=0 filter="(&(uid=USERNAME)(objectClass=posixAccount)(cn=*))"

Now this one is generated to look for the groups that this specific user is a member of:

conn=379662 op=2 SRCH base="ou=Group,dc=my,dc=example,dc=com" scope=2 deref=0 filter="(&(memberUid=uid=USERNAME,ou=people,dc=my,dc=example,dc=com)(|(cn=GROUP1)(cn=GROUP2))(cn=*))"

But it returns nothing, so the user is not logged in; essentially the filter does not work.

However this filter works:

(&(memberUid=lkamenov)(|(cn=GROUP1)(cn=GROUP2))(cn=*))

Anyone have an idea what could be going wrong exactly? Would appreciate any help!

Thank you
Lou


dwaddle
SplunkTrust

Within your group definitions, does memberUid refer to a WHOLE DN, or just the 'short name'?

Your examples suggest that the members of groups are referred to by just the uid=lkamenov attribute and not the entire uid=lkamenov,ou=people,dc=my,dc=example,dc=com.

Based on your examples, I would suggest setting

groupMappingAttribute = uid

in your authentication.conf. This (should) make Splunk use the "simple" uid attribute instead of the whole DN for purposes of group matching.

Note, however, that this makes group membership ambiguous when the same uid exists in multiple OUs (meaning uid=lkamenov,ou=people,dc=my,dc=domain,dc=com and uid=lkamenov,ou=otherpeople,dc=my,dc=domain,dc=com would both match the group membership attribute of uid=lkamenov).


lkamenov
Engager

I used the full DN and that worked nicely. Thanks for the help!

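The following Python simulation is an added illustration of the two fixes discussed in this thread (dwaddle's suggestion of groupMappingAttribute = uid, and the original poster's alternative of storing the full DN in memberUid). It is not Splunk's code and not part of the original thread: it only reproduces the filter shape visible in the op=2 log line above, assuming that Splunk substitutes the user's groupMappingAttribute value into (groupMemberAttribute=<value>), and evaluates that filter against constructed group entries with a small RFC 4515 filter evaluator. The group and user entries, the user "alice" and the ou=otherpeople user are constructed sample data. memberUid is compared case-exactly because OpenLDAP's nis.schema declares caseExactIA5Match for it; other attributes are compared case-insensitively.

```python
# Added example: simulate Splunk-style LDAP group matching with groupMappingAttribute
# set to "dn" versus "uid". Not Splunk's implementation; the filter shape is taken from
# the op=2 log line in the thread and the directory entries are constructed sample data.

# Constructed user entries. The first DN is written exactly as it appears in the log
# line; the second is the ambiguity case from the answer (same uid, different OU).
USER = {"dn": "uid=lkamenov,ou=people,dc=my,dc=example,dc=com", "uid": ["lkamenov"], "cn": ["Lou"]}
OTHER_USER = {"dn": "uid=lkamenov,ou=otherpeople,dc=my,dc=example,dc=com", "uid": ["lkamenov"], "cn": ["Other Lou"]}

# Constructed group entries. GROUP1 is a typical posixGroup whose memberUid holds short
# names; GROUP2 stores the full DN in memberUid (the follow-up's approach); OTHER is a
# group the groupBaseFilter should exclude. Attribute names are stored lowercased.
GROUPS = [
    {"dn": "cn=GROUP1,ou=Group,dc=my,dc=example,dc=com", "cn": ["GROUP1"], "memberuid": ["lkamenov", "alice"]},
    {"dn": "cn=GROUP2,ou=Group,dc=my,dc=example,dc=com", "cn": ["GROUP2"],
     "memberuid": ["uid=lkamenov,ou=people,dc=my,dc=example,dc=com"]},
    {"dn": "cn=OTHER,ou=Group,dc=my,dc=example,dc=com", "cn": ["OTHER"], "memberuid": ["lkamenov"]},
]

# memberUid uses the caseExactIA5Match equality rule in OpenLDAP's nis.schema, so its
# values (including a full DN stored there) only match with identical casing.
CASE_EXACT = {"memberuid"}


def parse_filter(text):
    """Parse the subset of RFC 4515 used here: (&...), (|...), (attr=value), (attr=*)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|":
            op = text[i]
            i += 1
            children = []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        end = text.index(")", i)
        # Split on the FIRST '=' only: the value itself may be a DN containing '='.
        attr, _, value = text[i:end].partition("=")
        return ("=", attr.strip().lower(), value), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(entry, node):
    """Evaluate a parsed filter against one entry (dict of lowercased attr -> values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(entry, c) for c in node[1])
    if kind == "|":
        return any(matches(entry, c) for c in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                      # presence filter, e.g. (cn=*)
        return bool(values)
    if attr in CASE_EXACT:
        return value in values
    return value.lower() in (v.lower() for v in values)


def build_group_filter(user, mapping_attr, member_attr="memberUid",
                       base_filter="(|(cn=GROUP1)(cn=GROUP2))", name_attr="cn"):
    """Assumed filter construction: (&(memberAttr=<user mapping value>)<baseFilter>(nameAttr=*))."""
    member_value = user["dn"] if mapping_attr == "dn" else user[mapping_attr][0]
    return f"(&({member_attr}={member_value}){base_filter}({name_attr}=*))"


def groups_for(user, groups, mapping_attr):
    """Names of the groups the filter would return for this user and mapping setting."""
    node = parse_filter(build_group_filter(user, mapping_attr))
    return sorted(g["cn"][0] for g in groups if matches(g, node))


if __name__ == "__main__":
    for mapping in ("dn", "uid"):
        print(f"groupMappingAttribute = {mapping}")
        print("  filter :", build_group_filter(USER, mapping))
        print("  groups :", groups_for(USER, GROUPS, mapping))
        print("  other OU user also matches:", groups_for(OTHER_USER, GROUPS, mapping))
```

With only short-name memberUid values in the directory (GROUP1 alone), the "dn" setting returns no groups, which is the failure in the original post. Switching to "uid" matches GROUP1, but as the answer notes it also matches the ou=otherpeople user, since the filter no longer distinguishes the two DNs. Storing the full DN in memberUid (GROUP2) keeps the "dn" setting unambiguous, but because memberUid is matched case-exactly, the stored value must have the same casing as the DN Splunk substitutes (note the log shows ou=people while the configured base is ou=People).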

dwaddle
SplunkTrust

Did this solve your issue? An update would be appreciated.
