Splunk ldap

sushma6
New Member

Hi,

I am trying to integrate Splunk with LDAP, and hence I entered the following set of information.

LDAP Strategy Name: ldap
Host: 192.127.44.155
Port: 389
Bind DN: CN=va230033,OU=Application Accounts,DC=corp,DC=ncr,DC=com
Bind DN password: xxxxxx
User base DN: dc=corp,dc=ncr,dc=com
User name attribute: samaccountname
Real name attribute: displayname
Group mapping attribute: dn
Group base DN: dc=corp,dc=ncr,dc=com
Group name attribute: cn
Static member attribute: member

When I created an LDAP with the above settings, I received the following error: ldap server warning: size limit exceeded. Not only this, once done, when I try to map groups I could not find the groups that I want. To make the search more refined, I even included the following filter: (&(objectCategory=group) (cn=sweng*)) under User base filter.

Doing so did not help me; I still could not retrieve the group that I require, and the error still persists.

Thanks,
Sushma.

0 Karma
1 Solution

HiroshiSatoh
Champion

How about increasing the size of this parameter?
Advanced settings -> Search request size limit

•Search request size limit
◦To avoid performance-related issues, you can set the search request size limit. Splunk will then request that the LDAP server return the specified maximum number of entries in response to a search request. In a large deployment with millions of users, setting this limit to a high value could result in a long response, depending on the search filter set in the LDAP strategy configuration. If this limit is reached, splunkd.log should contain a size limit exceeded message.
◦You should set the search request time limit and search request size limit values in conjunction with the splunkweb timeout property, described in "Configure user session timeouts". If you have a group that is not showing up in the Splunk console, it was likely excluded due to one of these limits. Tune these properties as needed.
◦To set the request size limit higher than 1000, you must also edit max_users_to_precache in limits.conf to accommodate the number of users you set for your request size limit.

http://docs.splunk.com/Documentation/Splunk/6.0.2/Security/ConfigureLDAPwithSplunkWeb

0 Karma
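
The settings from the question and the limits named in this answer, written as the equivalent configuration files (an added example, not part of the original posts or of Splunk's documentation). The 5000 limit is a constructed value, and moving the group filter to groupBaseFilter is an assumption about what the poster intended: a filter on objectCategory=group placed in the user base filter matches no user entries.

```ini
# --- $SPLUNK_HOME/etc/system/local/authentication.conf ---
[authentication]
authType = LDAP
authSettings = ldap

# Stanza name is the LDAP strategy name from the question
[ldap]
host = 192.127.44.155
port = 389
bindDN = CN=va230033,OU=Application Accounts,DC=corp,DC=ncr,DC=com
bindDNpassword = xxxxxx

userBaseDN = dc=corp,dc=ncr,dc=com
userNameAttribute = samaccountname
realNameAttribute = displayname
# No group filter here: userBaseFilter is applied to user entries only

groupBaseDN = dc=corp,dc=ncr,dc=com
# Assumption: the filter from the question was meant to narrow the group search
groupBaseFilter = (&(objectCategory=group)(cn=sweng*))
groupNameAttribute = cn
groupMemberAttribute = member
groupMappingAttribute = dn

# "Search request size limit" and "Search request time limit" (Advanced settings).
# 5000 is a constructed value; size it to the directory and the filters above.
sizelimit = 5000
timelimit = 15

# --- $SPLUNK_HOME/etc/system/local/limits.conf ---
# Needed once sizelimit is set higher than 1000
[ldap]
max_users_to_precache = 5000
```

Narrowing the base DNs and filters reduces the number of entries returned, which is the other way to stay under the size limit without raising it.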

sushma6
New Member

I could do it myself: I changed the Group mapping attribute to dn instead of memberof, and now I could log in with the LDAP credentials.

0 Karma

sushma6
New Member

Yes, after mapping the group, I assigned the admin role to all the users in that group. There are 10 users in that group and I gave each of them admin rights; even I am included in that group. Once done, I tried to log in with the LDAP credentials, but it is showing as Invalid username and password.

0 Karma

HiroshiSatoh
Champion

You need to be added to the group (user role, for example) role with login privileges.

0 Karma

sushma6
New Member

Yes, now I am able to view the groups that I required, but I am not able to log in to Splunk using the users belonging to that group. Is there anything else that I need to do?

0 Karma