Why are some LDAP groups not being mapped to Splunk roles?

jeigl
New Member

We are using Splunk 6.3.2 with an LDAP strategy (FreeIPA) which contains the following users and groups:

  • User "joe" is member of group "app_splunk_user"
  • Group "app_splunk_admin" is also member of group "app_splunk_user"
  • User "mike" is member of group "app_splunk_admin"

In other words:

  • "joe" -> "app_splunk_user" (maps to role "user")
  • "mike" -> "app_splunk_admin" (maps to role "admin") -> "app_splunk_user" (maps to role "user")

Splunk's user database shows only "mike" with the role "admin". The role "user" is never used, not even for "mike". "joe" doesn't appear either.

This is our configuration:

[authentication]
authSettings = freeipa
authType = LDAP

[roleMap_freeipa]
admin = app_splunk_admin
user = app_splunk_user

[freeipa]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = uid=splunk,cn=users,cn=accounts,dc=example,dc=com
bindDNpassword = topsecret
charset = utf8
emailAttribute = mail
groupBaseDN = cn=groups,cn=accounts,dc=example,dc=com
groupBaseFilter = (cn=app_splunk_*)
groupMappingAttribute = memberof
groupMemberAttribute = member
groupNameAttribute = cn
host = freeipa.example.com
nestedGroups = 1
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = cn=users,cn=accounts,dc=example,dc=com
userBaseFilter = (memberOf=cn=app_splunk_user,cn=groups,cn=accounts,dc=example,dc=com)
userNameAttribute = uid

These two lines from splunkd.log are interesting (sizelimit is "1000" at both ends, but Splunk still sends LDAP subtree requests with a sizelimit of 1):

01-20-2016 17:00:04.725 +0100 WARN  ScopedLDAPConnection - strategy="freeipa" LDAP Server returned warning in search for DN="cn=users,cn=accounts,dc=example,dc=com". reason="Size limit exceeded"
01-20-2016 17:00:04.729 +0100 WARN  ScopedLDAPConnection - strategy="freeipa" LDAP Server returned warning in search for DN="cn=groups,cn=accounts,dc=example,dc=com". reason="Size limit exceeded"

ncrofts_splunk
Splunk Employee

Are there more than 1000 users in the Base DN you have configured?
The error in the splunkd log looks like it's searching your Base DN of "cn=users,cn=accounts,dc=example,dc=com" and maybe not using the filter at all?

Size Limit Exceeded is an LDAP server error indicating that the search request was unable to return all entries due to a limit. The problem encountered is that the users or groups you are looking for may have been in the 1001+ entries and are not being returned.

In AD, the default size limit is typically 1000 entries. The LDAP server error is usually followed by an error indicating the number of entries returned which is a few entries less than the actual size limit. There is nothing you can do to change this limit unless you are the LDAP server administrator.

In Splunk, you can use filters to reduce the number of LDAP entries returned so that you do not hit this limit. Is there a typo in your filter at all? This page has some good examples: http://blogs.splunk.com/2009/10/01/ldap-basefilter-examples/

Cheers Nick

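An added model of what the configuration in the question should yield, written for this thread and not code from Splunk or from either poster: a few constructed directory entries mirroring joe, mike and the two nested groups, a minimal evaluator for the two filters quoted in the question (single "(attr=value)" terms with "*" wildcards, which is all they use), the group-side "member" walk that nestedGroups = 1 implies, the roleMap applied on top, and a simulated server that stops at a size limit the way the splunkd.log warnings describe. The entries, the extra cn=app_backup group, and the assumption that each user's memberOf lists only direct membership are all constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed DNs mirroring the thread's base DNs (example.com throughout).
GROUP_BASE = "cn=groups,cn=accounts,dc=example,dc=com"
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"
JOE = f"uid=joe,{USER_BASE}"
MIKE = f"uid=mike,{USER_BASE}"
G_USER = f"cn=app_splunk_user,{GROUP_BASE}"
G_ADMIN = f"cn=app_splunk_admin,{GROUP_BASE}"
G_OTHER = f"cn=app_backup,{GROUP_BASE}"   # constructed, outside the groupBaseFilter

# Constructed directory. Assumption: memberof holds only *direct* membership,
# so mike is listed under app_splunk_admin but not under app_splunk_user.
DIRECTORY = {
    JOE:     {"uid": ["joe"],  "memberof": [G_USER]},
    MIKE:    {"uid": ["mike"], "memberof": [G_ADMIN]},
    G_USER:  {"cn": ["app_splunk_user"],  "member": [JOE, G_ADMIN]},
    G_ADMIN: {"cn": ["app_splunk_admin"], "member": [MIKE]},
    G_OTHER: {"cn": ["app_backup"],       "member": [MIKE]},
}

# The thread's [roleMap_freeipa] stanza.
ROLE_MAP = {"admin": "app_splunk_admin", "user": "app_splunk_user"}


def matches(entry, ldap_filter):
    """Evaluate one '(attr=value)' filter term; '*' is a wildcard.
    Attribute names and values are compared case-insensitively."""
    attr, _, pattern = ldap_filter.strip("()").partition("=")
    values = entry.get(attr.lower(), [])
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in values)


def search(base_dn, ldap_filter, sizelimit):
    """Subtree search under base_dn. Returns (matching DNs, size_limit_exceeded):
    the simulated server stops after `sizelimit` hits, as the log warning says."""
    hits, exceeded = [], False
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith("," + base_dn.lower()):
            continue
        if not matches(entry, ldap_filter):
            continue
        if len(hits) >= sizelimit:
            exceeded = True
            break
        hits.append(dn)
    return hits, exceeded


def groups_of(member_dn, nested=True):
    """Groups whose 'member' attribute contains member_dn. With nested=True,
    groups that contain one of those groups are included too (nestedGroups = 1)."""
    found, frontier = set(), [member_dn]
    while frontier:
        dn = frontier.pop()
        for gdn, entry in DIRECTORY.items():
            members = [m.lower() for m in entry.get("member", [])]
            if dn.lower() in members and gdn not in found:
                found.add(gdn)
                if nested:
                    frontier.append(gdn)
    return found


def roles_for(user_dn, group_filter="(cn=app_splunk_*)", nested=True):
    """Keep only groups passing the groupBaseFilter, then apply the roleMap."""
    names = {DIRECTORY[g]["cn"][0] for g in groups_of(user_dn, nested)
             if matches(DIRECTORY[g], group_filter)}
    return {role for role, group in ROLE_MAP.items() if group in names}


if __name__ == "__main__":
    user_filter = f"(memberOf={G_USER})"          # the thread's userBaseFilter
    print("users matching userBaseFilter:", search(USER_BASE, user_filter, 1000))
    print("groups matching groupBaseFilter:", search(GROUP_BASE, "(cn=app_splunk_*)", 1000))
    print("sizelimit=1 on the user base:", search(USER_BASE, "(uid=*)", 1))
    for dn in (JOE, MIKE):
        print(dn, "nested:", sorted(roles_for(dn)), "flat:", sorted(roles_for(dn, nested=False)))
```

Two things the run shows: mike's "user" role appears only when the group-side walk follows app_splunk_admin up into app_splunk_user, and the userBaseFilter lists only joe when memberOf is not expanded for nested groups, so which users Splunk sees at all depends on how the server populates memberOf. The sizelimit=1 search returns one entry and the exceeded flag, which is the shape of the warnings in the question.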

jeigl
New Member

I have less than 50 users and groups configured.

Just found something interesting in Wireshark: one of the first LDAP search requests generated by Splunk sends a size limit of "1", which is answered with "sizeLimitExceeded".

[Wireshark screenshots: search request, search response]
