Security

Unable to authenticate with LDAP

jlkokko
Path Finder

I have connected my Splunk instance (on Linux) to LDAP and I get a successful bind. Additionally, I can map groups and assign roles. I can locate my user ID and assign it the admin role, but I still cannot authenticate.

If I can find my ID and assign roles to it, why can I not authenticate?

0 Karma

mdsnmss
SplunkTrust

Are you assigning LDAP groups that contain nested groups/users to Splunk roles? There is an additional setting to allow for traversing nested groups; if you don't have it enabled, it will see the group as not having any users. There is a blog on this here: https://www.splunk.com/blog/2012/02/23/splunk-and-nested-groups-for-authorization.html.

The setting you would have to update is in your authentication.conf and you would need to add nestedGroups=1. Additionally, the OU where the user resides has to be visible to Splunk as well.

When you look at authentication.conf and it says "DO NOT EDIT", I would guess you are looking at $SPLUNK_HOME/etc/system/default/authentication.conf. You should never edit anything in the default directory but you can add your own settings in $SPLUNK_HOME/etc/system/local/authentication.conf. That is where the configurations you have made in the GUI will appear.

jlkokko
Path Finder

Thank you for pointing out the correct conf location. One thing I've just noticed in the logs:

08-15-2019 12:43:46.021 -0500 ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="jkokko". Search filter="(memberof=CN=Kokko\5C, Jon,OU=users,OU=Enterprise,DC=company,DC=net,DC=local)" strategy="LDAP"

My user ID is showing up under groups but does not show up under users. Since I'm pointing to the root DN, it should be finding several thousand users.

Here is my config:

[authentication]
authSettings = LDAP
authType = LDAP

[roleMap_FNC]
admin = Kokko, Jon

[LDAP]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = CN=user,OU=Resource Accounts,OU=Enterprise,DC=company,DC=net,DC=local
bindDNpassword = hashvalue
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = DC=company,DC=net,DC=local
groupMappingAttribute = dn
groupMemberAttribute = memberof
groupNameAttribute = cn
host = ldap.fnc.net.local
nestedGroups = 0
network_timeout = -1
pagelimit = -1
port = 3268
realNameAttribute = displayname
sizelimit = 4500
timelimit = 29
userBaseDN = DC=company,DC=net,DC=local
userNameAttribute = samaccountname
nestedGroups=1

All of the above seems straightforward...

0 Karma

mdsnmss
SplunkTrust

When trying to authenticate does it take a while to fail or does it fail immediately? When mapping to large DNs there can be issues with retrieving a large number of groups/users so I'm curious if it could be hitting the timelimit. If it fails immediately then it likely isn't that.

0 Karma

jlkokko
Path Finder

It fails immediately. I've updated the baseDN for the users (pointing directly to the users group) and I'm not retrieving any users. I can run the exact query with ldapsearch and I get results:

ldapsearch -x -h ldaphostname -p 3268 -b 'OU=users,OU=enterprise,DC=company,DC=net,DC=local' \
    -D "binduser" -w bindpassword samaccountname=jkokko

This query returns results for me just fine, so I'm perplexed as to why Splunk doesn't pull in any users.

0 Karma

mdsnmss
SplunkTrust

It looks like in your configs you have nestedGroups repeated with different values. I believe the 1 will take precedence since it comes last, but I may be wrong. Also, try changing the value of groupMemberAttribute to member instead of memberof, then reload the authentication configuration and give it another shot.

0 Karma
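
An added example, not from the thread or from Splunk: a small linter that reports what the posted [LDAP] stanza shows, namely a key set twice with conflicting values, groupMemberAttribute pointing at memberof, and SSLEnabled = 0. The function names and the trimmed SAMPLE_CONF are constructed for illustration.

```python
# Added example; SAMPLE_CONF is a trimmed copy of the [LDAP] stanza posted in the thread.
SAMPLE_CONF = """\
[LDAP]
SSLEnabled = 0
groupMemberAttribute = memberof
nestedGroups = 0
userNameAttribute = samaccountname
nestedGroups=1
"""

def parse_conf(text):
    """Return {stanza: [(lineno, key, value), ...]} without collapsing duplicates."""
    stanzas, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current].append((lineno, key, value))
    return stanzas

def lint(text):
    """Return a list of (stanza, key, message) findings."""
    findings = []
    for stanza, entries in parse_conf(text).items():
        seen = {}
        for lineno, key, value in entries:
            if key in seen and seen[key][1] != value:
                findings.append((stanza, key, f"conflicting values: line {seen[key][0]} "
                                 f"has {seen[key][1]!r}, line {lineno} has {value!r}"))
            seen[key] = (lineno, value)
        final = {k: v for k, (_, v) in seen.items()}
        # memberOf lives on user entries; this setting is read from group entries.
        if final.get("groupMemberAttribute", "").lower() == "memberof":
            findings.append((stanza, "groupMemberAttribute", "is 'memberof'; try 'member'"))
        # With SSL off, the bind password and user logins cross the network unencrypted.
        if final.get("SSLEnabled") == "0":
            findings.append((stanza, "SSLEnabled", "LDAP traffic is not encrypted"))
    return findings

if __name__ == "__main__":
    for stanza, key, message in lint(SAMPLE_CONF):
        print(f"[{stanza}] {key}: {message}")
```

Run it against $SPLUNK_HOME/etc/system/local/authentication.conf by passing the file's contents to lint().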

jlkokko
Path Finder

I did catch that duplicate listing and removed it. I'm pulling groups ok but still, no users. I found a group that I am a member of, gave it admin privileges and still can't log in.

0 Karma

mdsnmss
SplunkTrust

Did you reload the authentication configuration after mapping the group to the role? Sometimes it needs that for the changes to propagate. It's Settings-->Access Controls-->Authentication Method-->Reload authentication configuration

0 Karma

jlkokko
Path Finder

Yeah...tried that. No go. Noticed this in the logs though:

Skipping dynamic group "group name" with no values for member attribute.

Instance is still not seeing users 😕

0 Karma

Sukisen1981
Champion

Any errors, any text in splunkd logs?

0 Karma

jlkokko
Path Finder

I've put the LDAP logging in Debug mode but nothing helpful shows up other than:

08-15-2019 10:26:52.122 -0500 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="jkokko" on any configured servers

Adding to the confusion, I'm experiencing inconsistencies when I change the baseDN. For example, I've updated it to include an additional OU to limit scope and it no longer finds my ID even though I'm part of that OU. On top of that, it pulls in users and groups and assigns them the admin role!

I've configured LDAP for a dozen of our applications and I am really confused on this. Side note: I'm familiar with ldapsearch and have no issues running queries.

0 Karma

Sukisen1981
Champion

This seems very confusing and, well, is hard to replicate. Have you gone through the forum for some previous answers?

https://answers.splunk.com/answers/50175/ldap-authentication-troubleshooting-information.html
https://answers.splunk.com/answers/9720/user-unable-to-access-splunk-using-ldap-authentication.html

The first one has a very, very detailed guide (not in the answer, but in a post below that).

0 Karma

jlkokko
Path Finder

Yes - I've been all over those posts. I'm assuming those are for older versions because my authentication.conf file states "DO NOT EDIT" at the top so I'm just using the UI.

I have now updated the User base DN to the root of the domain and it finds 0 users. It only finds 38 groups and gives them the admin role.

0 Karma