Security

Splunk ldap

sushma6
New Member

Hi,

I am trying to integrate Splunk with LDAP, and hence I entered the following set of information.

LDAP Strategy Name: ldap
Host: 192.127.44.155
Port: 389
Bind DN: CN=va230033,OU=Application Accounts,DC=corp,DC=ncr,DC=com
Bind DN password: xxxxxx
User base DN: dc=corp,dc=ncr,dc=com
User name attribute: samaccountname
Real name attribute: displayname
Group mapping attribute: dn
Group base DN: dc=corp,dc=ncr,dc=com
Group name attribute: cn
Static member attribute: member

When I created an LDAP with the above settings, I received the following error: ldap server warning: size limit exceeded. Not only this; once done, when I try to map groups I could not find the groups that I want. So as to make the search more refinable, I even included the following filter: (&(objectCategory=group) (cn=sweng*)) under User base filter.

Doing so did not help me, still I could not retrieve the group that I require and still the error persists.

Thanks,
Sushma.


HiroshiSatoh
Champion

How about increasing the size of this parameter?
Advanced settings -> Search request size limit

•Search request size limit
◦To avoid performance-related issues, you can set the search request size limit. Splunk will then request that the LDAP server return the specified maximum number of entries in response to a search request. In a large deployment with millions of users, setting this limit to a high value could result in a long response, depending on the search filter set in the LDAP strategy configuration. If this limit is reached, splunkd.log should contain a size limit exceeded message.
◦You should set the search request time limit and search request size limit values in conjunction with the splunkweb timeout property, described in "Configure user session timeouts". If you have a group that is not showing up in the Splunk console, it was likely excluded due to one of these limits. Tune these properties as needed.
◦To set the request size limit higher than 1000, you must also edit max_users_to_precache in limits.conf to accommodate the number of users you set for your request size limit.

http://docs.splunk.com/Documentation/Splunk/6.0.2/Security/ConfigureLDAPwithSplunkWeb
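
The settings discussed in this thread, written out as configuration-file stanzas (an added example, not part of the original answer or of the Splunk documentation it quotes). The group filter sits under groupBaseFilter, which is the setting that filters group entries, and the size limit is raised together with max_users_to_precache. Host, DNs and attribute names are the ones posted in the question; the sizelimit and timelimit values, the group name sweng-example, the password placeholder and the file location are assumptions.

```ini
# authentication.conf (assumed location: $SPLUNK_HOME/etc/system/local/)
[authentication]
authType = LDAP
# Name of the LDAP strategy stanza below
authSettings = ldap

[ldap]
host = 192.127.44.155
port = 389
bindDN = CN=va230033,OU=Application Accounts,DC=corp,DC=ncr,DC=com
# Placeholder, not a real value
bindDNpassword = <bind-password>
userBaseDN = dc=corp,dc=ncr,dc=com
userNameAttribute = samaccountname
realNameAttribute = displayname
groupBaseDN = dc=corp,dc=ncr,dc=com
# Narrow the group search here; a group filter placed under the user
# base filter is matched against user entries instead.
groupBaseFilter = (&(objectCategory=group)(cn=sweng*))
groupNameAttribute = cn
groupMemberAttribute = member
groupMappingAttribute = dn
# "Search request size limit" and "Search request time limit" from the
# Advanced settings (constructed values)
sizelimit = 5000
timelimit = 15

# Role mapping: <Splunk role> = <LDAP group>;<LDAP group>...
# sweng-example is a hypothetical group name matching cn=sweng*
[roleMap_ldap]
user = sweng-example

# limits.conf (same directory)
# Needed once sizelimit goes above 1000; keep it at least as large as sizelimit
[ldap]
max_users_to_precache = 5000
```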


sushma6
New Member

I could do it myself: changed the Group mapping attribute to dn instead of memberof, and now I could log in with the LDAP credentials.


sushma6
New Member

Yes, after mapping the group, I assigned the admin role to all the users in that group. There are 10 users in that group and I gave each of them admin rights; even I am included in that group. Once done, I tried to log in with the LDAP credentials, but it is showing as Invalid username and password.


HiroshiSatoh
Champion

You need to be added to a group with a role (the user role, for example) that has login privileges.


sushma6
New Member

Yes, now I am able to view the groups that I required, but I am not able to log in to Splunk using the users belonging to that group. Is there anything else that I need to do?
