Security

Why are our LDAP logins getting assigned to the admin role?

Explorer

Hi,

I have been trying to debug this for over a month now. I have also checked with other Splunk experts, who are also stumped, hence resorting to Splunk Answers. I hope this has a simple answer.

I have an LDAP (AD) integrated Splunk with the following roles assigned to our LDAP security group "ONC-IntOps Splunk Viewers-gs": user and viewers (don't ask why I need both). This worked great in that it allowed authorized users read access by just adding/removing them from the group... till last month :-(.

I don't know what changed but now every time an (LDAP) user logs in for the first time, she/he gets auto-assigned to user, viewers and ALSO admin roles! This is the role map configuration section of the authentication.conf. I swear - nothing more.

[roleMap_ActiveDirectory]
admin = abc123
user = ONC-IntOps Splunk Viewers-gs
viewers = ONC-IntOps Splunk Viewers-gs

Any idea why every user gets assigned the admin role?

Regards,
-Srinath

1 Solution

Explorer

I resolved the issue after some tinkering around.

Short answer: I had to fix the LDAP connection configuration to look at groups for authentication.

More details:
Somehow, the LDAP connection configuration was modified so that it was looking at individual users, not groups (groupMappingAttribute, groupMemberAttribute and groupNameAttribute were set to the userNameAttribute value).

Hence it was ignoring all settings assigning roles to the group (in the authentication.conf rolemap).

I am still not clear why Splunk by default assigned every user the admin role but the question is kind of moot now.

Thanks for all your inputs and suggestions.

SplunkTrust

Hi @skashyap. When I used LDAP, the list of users needed to be semicolon-separated, not space- or comma-separated. It's an odd syntax (I had a script to generate authentication.conf because of this).

See examples here
https://docs.splunk.com/Documentation/Splunk/7.2.3/Security/MapLDAPgroupsanduserstoSplunkroles

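A small audit script, added here as an example (it is not code from the thread or from Splunk), that checks an authentication.conf for the two things raised in this thread: the group attributes set to the userNameAttribute value (the accepted answer) and the semicolon-separated roleMap lists (the comment above). The sample configuration is constructed; host, bindDN and base DNs are placeholders, and the corrected values (dn, member, cn) are the ones Splunk's documented Active Directory example uses. Exact group-name matching in roles_for_groups is a simplification made for this example, not a description of how Splunk matches names.

```python
import configparser

GROUP_ATTRS = ("groupMappingAttribute", "groupMemberAttribute", "groupNameAttribute")

# Constructed sample: the LDAP stanza in the state the accepted answer describes (all three
# group attributes set to the userNameAttribute value) plus the role map from the question.
# Host, bind DN and base DNs are placeholders, not values from the thread.
BROKEN_CONF = """\
[authentication]
authType = LDAP
authSettings = ActiveDirectory

[ActiveDirectory]
host = dc01.example.local
bindDN = CN=svc-splunk,OU=Service Accounts,DC=example,DC=local
userBaseDN = OU=Users,DC=example,DC=local
groupBaseDN = OU=Groups,DC=example,DC=local
userNameAttribute = sAMAccountName
groupMappingAttribute = sAMAccountName
groupMemberAttribute = sAMAccountName
groupNameAttribute = sAMAccountName

[roleMap_ActiveDirectory]
admin = abc123
user = ONC-IntOps Splunk Viewers-gs
viewers = ONC-IntOps Splunk Viewers-gs
"""

# The same file with the group attributes set to the values from Splunk's Active Directory
# example: DN-based group mapping, the AD "member" attribute, and "cn" as the group name.
FIXED_CONF = BROKEN_CONF.replace(
    "groupMappingAttribute = sAMAccountName", "groupMappingAttribute = dn"
).replace(
    "groupMemberAttribute = sAMAccountName", "groupMemberAttribute = member"
).replace(
    "groupNameAttribute = sAMAccountName", "groupNameAttribute = cn"
)


def load_conf(text):
    """Parse .conf text. Keys keep their case and values are taken verbatim, so a
    semicolon inside a value is data, not a comment."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def ldap_stanzas(cp):
    """authSettings in [authentication] names the LDAP strategy stanzas, semicolon-separated."""
    names = cp["authentication"].get("authSettings", "")
    return [n.strip() for n in names.split(";") if n.strip()]


def group_attribute_findings(cp, stanza):
    """Flag the misconfiguration from the accepted answer: a group attribute that is missing
    or equal to userNameAttribute (LDAP attribute names compare case-insensitively)."""
    section = cp[stanza]
    user_attr = section.get("userNameAttribute", "").strip().lower()
    findings = []
    for key in GROUP_ATTRS:
        value = section.get(key)
        if value is None:
            findings.append(f"{stanza}: {key} is not set")
        elif value.strip().lower() == user_attr:
            findings.append(f"{stanza}: {key} = {value} equals userNameAttribute; "
                            "group membership cannot be resolved, so the roleMap is never applied")
    return findings


def parse_role_map(cp, stanza):
    """roleMap_<stanza> maps a Splunk role to a ';'-separated list of LDAP group names,
    e.g. 'power = Group A;Group B'. Splitting only on ';' keeps a name with spaces intact."""
    role_map = {}
    for role, groups in cp[f"roleMap_{stanza}"].items():
        role_map[role] = [g.strip() for g in groups.split(";") if g.strip()]
    return role_map


def roles_for_groups(role_map, member_of):
    """Roles a user would receive from the listed group memberships (exact-name matching
    is an assumption of this example, not a statement about Splunk's matching rules)."""
    member_of = set(member_of)
    return sorted(role for role, groups in role_map.items() if member_of.intersection(groups))


def audit(text):
    """Return all findings for a conf file, including every group that grants the admin role."""
    cp = load_conf(text)
    findings = []
    for stanza in ldap_stanzas(cp):
        findings.extend(group_attribute_findings(cp, stanza))
        for group in parse_role_map(cp, stanza).get("admin", []):
            findings.append(f"{stanza}: group '{group}' is mapped to admin")
    return findings
```

Feed it the text of etc/system/local/authentication.conf (or an app's local copy); it does not parse the output of btool --debug, which prefixes every line with the file it came from.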

Explorer

Good point. In my authentication.conf above, "ONC-IntOps Splunk Viewers-gs" is the full name of ONE group.

Does Splunk have an issue with spaces in the LDAP group name? Still curious.


Esteemed Legend

I suspect that you are mistaken; run /opt/splunk/bin/splunk btool authorize list --debug and /opt/splunk/bin/splunk btool authentication list --debug to be sure.


Explorer

I ran both and the values shown in the logs from both are what is set in the authorize and authentication conf files.
For example role_map stanza shows the values set - no sign of any unexpected role being assigned.


SplunkTrust

Total shot in the dark, but check for duplicate stanzas or any loose items that are not in a stanza in the authentication.conf file.


Explorer

No untoward items in \Program Files\Splunk\etc\system\local\authentication.conf at least. Any other files/settings that could be affecting this?
