
Unable to authenticate with LDAP

Path Finder

I have connected my Splunk instance (on Linux) to LDAP and I get a successful bind. Additionally, I can map groups and assign roles. I can locate my user ID and assign it the admin role, but still cannot authenticate.

If I can find my ID and assign roles to it, why can I not authenticate?

0 Karma

Re: Unable to authenticate with LDAP

Champion

Any errors, any text in the splunkd logs?

0 Karma

Re: Unable to authenticate with LDAP

Path Finder

I've put the ldap logging in Debug mode but nothing helpful shows up other than

08-15-2019 10:26:52.122 -0500 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="jkokko" on any configured servers

Adding to the confusion, I'm experiencing inconsistencies when I change the baseDN. For example, I've updated it to include an additional OU to limit scope and it no longer finds my ID even though I'm part of that OU. On top of that, it pulls in users and groups and assigns them the admin role!

I've configured LDAP for a dozen of our applications and I am really confused by this. Side note: I'm familiar with ldapsearch and have no issues running queries.

0 Karma

Re: Unable to authenticate with LDAP

Champion

This seems very confusing and, well, is hard to replicate. Have you gone through the forum for some previous answers?

https://answers.splunk.com/answers/50175/ldap-authentication-troubleshooting-information.html
https://answers.splunk.com/answers/9720/user-unable-to-access-splunk-using-ldap-authentication.html

The first one has a very, very detailed guide (not in the answer, but in a post below it).

0 Karma

Re: Unable to authenticate with LDAP

Path Finder

Yes - I've been all over those posts. I'm assuming those are for older versions because my authentication.conf file states "DO NOT EDIT" at the top so I'm just using the UI.

I have now updated the User base DN to the root of the domain and it finds 0 users. It only finds 38 groups and gives them the admin role.

0 Karma

Re: Unable to authenticate with LDAP

SplunkTrust

Are you assigning LDAP groups that contain nested groups/users to Splunk roles? There is an additional setting to allow for traversing nested groups that if you don't have enabled it will see the group as not having any users. There is a blog on this here: https://www.splunk.com/blog/2012/02/23/splunk-and-nested-groups-for-authorization.html.

The setting you would have to update is in your authentication.conf and you would need to add nestedGroups=1. Additionally, the OU where the user resides has to be visible to Splunk as well.

When you look at authentication.conf and it says "DO NOT EDIT", I would guess you are looking at $SPLUNK_HOME/etc/system/default/authentication.conf. You should never edit anything in the default directory, but you can add your own settings in $SPLUNK_HOME/etc/system/local/authentication.conf. That is where the configurations you have made in the GUI will appear.


Re: Unable to authenticate with LDAP

Path Finder

Thank you for pointing out the correct conf location. One thing I've just noticed in the logs:

08-15-2019 12:43:46.021 -0500 ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="jkokko". Search filter="(memberof=CN=Kokko\5C, Jon,OU=users,OU=Enterprise,DC=company,DC=net,DC=local)" strategy="LDAP"

My user ID is showing up under groups but does not show up under users. Since I'm pointing to the root DN, it should be finding several thousand users.

Here is my config:

[authentication]
authSettings = LDAP
authType = LDAP

[roleMap_FNC]
admin = Kokko, Jon

[LDAP]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = CN=user,OU=Resource Accounts,OU=Enterprise,DC=company,DC=net,DC=local
bindDNpassword = hashvalue
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = DC=company,DC=net,DC=local
groupMappingAttribute = dn
groupMemberAttribute = memberof
groupNameAttribute = cn
host = ldap.fnc.net.local
nestedGroups = 0
network_timeout = -1
pagelimit = -1
port = 3268
realNameAttribute = displayname
sizelimit = 4500
timelimit = 29
userBaseDN = DC=company,DC=net,DC=local
userNameAttribute = samaccountname
nestedGroups=1

All of the above seems straightforward...

0 Karma

Re: Unable to authenticate with LDAP

SplunkTrust

When trying to authenticate does it take a while to fail or does it fail immediately? When mapping to large DNs there can be issues with retrieving a large number of groups/users so I'm curious if it could be hitting the timelimit. If it fails immediately then it likely isn't that.

0 Karma

Re: Unable to authenticate with LDAP

Path Finder

It fails immediately. I've updated the baseDN for the users (pointing directly to the users group) and I'm not retrieving any users. I can run the exact query with ldapsearch and I get results:

ldapsearch -x -h ldaphostname -p 3268 -b 'OU=users,OU=enterprise,DC=company,DC=net,DC=local' \
    -D "binduser" -w bindpassword samaccountname=jkokko

This query returns results for me just fine so I'm perplexed as to why splunk doesn't pull in any users.

0 Karma

Re: Unable to authenticate with LDAP

SplunkTrust

It looks like in your configs you have nestedGroups repeated with different values. I believe the 1 will take precedence since it comes last, but I may be wrong. Also, try changing the value of groupMemberAttribute to member instead of memberof, then reload the authentication configuration and give it another shot.

0 Karma
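Two things in the logged search filter are worth seeing worked through: first, the `\5C` in `CN=Kokko\5C, Jon` is simply the RFC 4515 escaping of the backslash that RFC 4514 uses to protect the comma inside "Kokko, Jon", so the filter is well-formed as logged; second, an equality filter on `memberof` asks the server for group objects whose own memberOf equals the user DN, which no group has, whereas `member` asks for groups that list the user DN. The script below is an added example, not Splunk code and not from the thread: it builds the filter the same way and evaluates it against a constructed two-entry directory. The group DN is invented (the name "FNC" is borrowed from the roleMap_FNC stanza only as an assumption), and only the equality part of the filter is modelled; a real search also carries object-class terms and server-side matching rules.

```python
"""Simulate the group lookup for a user under two groupMemberAttribute settings,
against a constructed in-memory directory (no LDAP server involved).
Added example for this thread, not Splunk code."""

import re

# RFC 4514 form of the user DN from the log: the comma in "Kokko, Jon" is
# escaped with a backslash inside the RDN value.
USER_DN = r"CN=Kokko\, Jon,OU=users,OU=Enterprise,DC=company,DC=net,DC=local"
# Constructed group DN; "FNC" is taken from the roleMap_FNC stanza (assumption).
GROUP_DN = "CN=FNC,OU=groups,DC=company,DC=net,DC=local"
GROUP_BASE_DN = "DC=company,DC=net,DC=local"

# Constructed entries. Attribute values are lists, as in LDAP; attribute names
# and DN values are compared case-insensitively, as Active Directory does.
DIRECTORY = [
    {"dn": USER_DN, "objectClass": ["user"], "sAMAccountName": ["jkokko"],
     "memberOf": [GROUP_DN]},
    {"dn": GROUP_DN, "objectClass": ["group"], "cn": ["FNC"],
     "member": [USER_DN]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 assertion-value escaping: * ( ) \\ and NUL become \\XX."""
    return "".join("\\%02X" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_group_filter(attr: str, user_dn: str) -> str:
    """Equality filter of the shape seen in the splunkd log."""
    return f"({attr}={escape_filter_value(user_dn)})"


def parse_equality_filter(filt: str):
    """Split '(attr=value)' and undo the \\XX escaping, as a server would."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("only a single equality filter is modelled here")
    attr, raw = m.group(1), m.group(2)
    value = re.sub(r"\\([0-9A-Fa-f]{2})", lambda x: chr(int(x.group(1), 16)), raw)
    return attr, value


def search(entries, base_dn: str, filt: str):
    """Return DNs under base_dn whose attribute holds the asserted value."""
    attr, value = parse_equality_filter(filt)
    hits = []
    for entry in entries:
        if not entry["dn"].lower().endswith(base_dn.lower()):
            continue
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if any(v.lower() == value.lower() for v in attrs.get(attr.lower(), [])):
            hits.append(entry["dn"])
    return hits


def groups_for_user(group_member_attribute: str, user_dn: str = USER_DN):
    """Return (filter string, matching group DNs) for one attribute setting."""
    filt = build_group_filter(group_member_attribute, user_dn)
    return filt, search(DIRECTORY, GROUP_BASE_DN, filt)


if __name__ == "__main__":
    for attr in ("memberof", "member"):
        filt, hits = groups_for_user(attr)
        print(f"{filt}\n  -> {hits}")
```

With `memberof` the generated filter is character for character the one in the log, and the constructed directory returns no groups; with `member` the same user DN matches the group's member attribute and the group comes back. On a real directory, running the two filters through ldapsearch against the group base DN is the quickest way to confirm which attribute the server actually populates on group objects.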