Use LDAP only for Authentication and Splunk internal roles for role management

newbie2tech
Communicator

Hi Team,

Wanted to check if any of you have used LDAP only for authentication and then handled the roles using Splunk internal role management.

Documentation suggests we could do this with a config which tricks LDAP into treating each user as an LDAP group.

http://docs.splunk.com/Documentation/Splunk/6.1.3/Security/MapLDAPgroupsanduserstoSplunkroles#Map_us...

If you have implemented it, please share details, pros and cons if any.

Also, in such an implementation, once the user is deleted in LDAP, we would have to take care of removing the roles mapped to this deleted user on the Splunk end, right? If you could share insights on this.

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi @newbie2tech,

Yes, I have implemented mapping users to roles directly using the Splunk doc link you provided. It converts each user into a group when Splunk fetches user info from AD/LDAP, which works well for controlling user-level access instead of group-level access, but there are cons.

  1. Splunk will throw a warning message at certain intervals that it took more than 5000 ms to fetch user info from AD/LDAP, and because of this you will sometimes see lag when trying to log in with an AD/LDAP account.
  2. Due to the lag, your scheduled searches will also run with a delay, because when a scheduled search runs Splunk queries that user's info from AD/LDAP, and the user-to-group conversion might delay your scheduled search if your search heads are heavily used by scheduled searches.
  3. When a user is removed in AD/LDAP, it will not be removed from the authentication.conf configuration files, so you need to remove it manually. If you are running an SHC then it will be annoying to manually remove that user from all SHs; in this case you can use the REST API, but you need to write a good script to achieve this.

In short, if you have a small number of users (<100) then I'd suggest going with this route, otherwise not, but it still depends on many factors like SH resources and the number of scheduled searches.

0 Karma

newbie2tech
Communicator

Thank you harsmarvania57 for the details, great to hear it's been implemented. Ours is an SH cluster with 1200+ users and we have been asked to work on this approach.

I have the questions below, can you please shed more light on them?

1) How did you map the users to the roles, is it using the REST API or via the Splunk GUI? Hope it is the REST API. Also, if needed, I think we would be able to map the user to a role from the GUI as well, right?
2) Once the user is mapped to a role, do you call some endpoint to refresh the authentication? Hope the refresh does not need a restart of the Splunk instance.

On your cons #1 & #2, is this not the case where we use LDAP groups instead of user as group? Also, is this delay caused by the user-to-group conversion part? How are you listing these cons, did you compare?

On #3, if we use the REST API, it is enough if we remove it on the master and then the changes will be circulated to all the cluster members, right?

Also, can you please check my question below and let me know how you tackled it in your implementation.
https://answers.splunk.com/answers/738859/how-to-get-list-of-users-removed-from-ldap-but-are.html

0 Karma

harsmarvania57
Ultra Champion

Please find below answers

  1. You can go with both approaches, REST API and GUI. If you need to provide access to 1-2 users then it will be fine using the GUI, but let's say you need to provide access to 20 users, then the REST API is best. When you use the GUI and click on "Map Groups" it will display all UserIDs as groups in Splunk Web (keep in mind that after user-to-group conversion those group names are case sensitive; for example, after user-to-group conversion the group name will be A12345, and if you add a12345 in authentication.conf then it will not work).
  2. For authentication refresh, I have seen some anomaly. When I added a user using the REST API and reloaded (refreshed) authentication using Splunk Web, it refreshed on a single SH in the SH Cluster, so sometimes I needed to log in to all SH members and refresh authentication (but this was on Splunk 6.x, not on Splunk 7.x). I also noticed that if you do not refresh authentication, then at a certain interval Splunk automatically refreshes in the background and the user will populate automatically on all SH members, so if you are not in a hurry to provide access to users then I guess reload/refresh is not required.

When you use LDAP groups to map to roles it gives faster auth compared to the group-to-user conversion where that user acts as a group; I don't have actual benchmark results for this, but I have seen delay when we convert user to group.

When you use the REST API, you need to fire that REST API call on any single SH member in the SH Cluster and it will automatically replicate the configuration to the other members in the same SH cluster (I wrote a script for this for one of the customers; the script was using the REST API and it was working fine to provide access, but you need to provide access for each and every role. For example, if you have 100 roles then it was difficult to provide access to user(s) for all 100 roles; more development was needed for that script, but I am no longer working for that customer).

For your other question, we were running a search to pull all users with roles once a week and ingesting those into a summary index, and a few hours later another search ran on a weekly basis to compare the last 2 weeks' results; if any users were removed from LDAP then that scheduled search sent an email to the Splunk Admins, and then the Admin used that script to remove the users from authentication.conf.

0 Karma
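One way to catch the two operational problems harsmarvania57 describes above (case-sensitive user-as-group names in authentication.conf, and users deleted from LDAP that linger in the roleMap), as an added example that is not from the thread: it parses a constructed `[roleMap_<strategy>]` stanza and compares it against a constructed snapshot of current LDAP user IDs. The strategy name `corp_ldap` and every user ID are made up; in practice the LDAP list would come from an LDAP query or the weekly summary-index search mentioned above.

```python
"""Audit a Splunk LDAP roleMap stanza where each LDAP user is treated as a group.

Constructed example, not from the thread or from Splunk: the stanza text and the
LDAP user list are inline samples. The stanza format ([roleMap_<name>] with
role = group1;group2) is Splunk's; the strategy name "corp_ldap" is an assumption.
"""
import configparser
from typing import Dict, List, Set, Tuple

# Constructed authentication.conf fragment: role -> semicolon list of "groups",
# which after the user-as-group trick are user IDs (case-sensitive, see thread).
AUTH_CONF = """
[roleMap_corp_ldap]
admin = A12345
power = B23456;C34567
user = C34567;a12345;D45678
"""

# Constructed snapshot of the user IDs currently present in LDAP.
LDAP_USERS: Set[str] = {"A12345", "B23456", "C34567"}


def parse_role_map(conf_text: str, strategy: str) -> Dict[str, List[str]]:
    """Return {role: [group, ...]} from the [roleMap_<strategy>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep role names case-sensitive, as Splunk does
    cp.read_string(conf_text)
    stanza = cp[f"roleMap_{strategy}"]
    return {role: [g for g in groups.split(";") if g] for role, groups in stanza.items()}


def audit(role_map: Dict[str, List[str]], ldap_users: Set[str]
          ) -> Tuple[Dict[str, List[str]], Dict[str, List[Tuple[str, str]]]]:
    """Classify mapped IDs: stale (no longer in LDAP, should be removed from the
    config) and case mismatches (present in LDAP only under different casing,
    so the mapping silently never grants the role)."""
    by_lower = {u.lower(): u for u in ldap_users}
    stale: Dict[str, List[str]] = {}
    case_mismatch: Dict[str, List[Tuple[str, str]]] = {}
    for role, ids in role_map.items():
        for uid in ids:
            if uid in ldap_users:
                continue
            if uid.lower() in by_lower:
                case_mismatch.setdefault(role, []).append((uid, by_lower[uid.lower()]))
            else:
                stale.setdefault(role, []).append(uid)
    return stale, case_mismatch


if __name__ == "__main__":
    s, c = audit(parse_role_map(AUTH_CONF, "corp_ldap"), LDAP_USERS)
    print("stale mappings:", s)          # {'user': ['D45678']}
    print("case mismatches:", c)         # {'user': [('a12345', 'A12345')]}
```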

newbie2tech
Communicator

@harsmarvania57 thank you very much for sharing such detailed inputs for each of the questions. I will reach back if I run into any issues with this implementation, please do keep an eye on this thread :). Apologies for the delay in reverting, as I have been swamped by other application issues and this task was off my radar for a while.

0 Karma

sbattista09
Contributor

You just have to map the LDAP groups to Splunk roles; it works great in my experience. The only downside is if someone is pushing a role/mapping from the SHC Deployer and someone else is using the SHC GUI to apply/add roles; this will cause issues and will remove all index access from the role that sees configs from both the deployer and the local SHC configs.

It's easy to run audits with Splunk REST commands.

0 Karma