Why are some LDAP groups not being mapped to Splunk roles?

We are using Splunk 6.3.2 with a LDAP strategy (FreeIPA) which contains the following users and groups:

  • User "joe" is member of group "app_splunk_user"
  • Group "app_splunk_admin" is also member of group "app_splunk_user"
  • User "mike" is member of group "app_splunk_admin"

In other words:

  • "joe" -> "app_splunk_user" (maps to role "user")
  • "mike" -> "app_splunk_admin" (maps to role "admin") -> "app_splunk_user" (maps to role "user")

Splunk's user database shows only "mike" with the role "admin". The role "user" is never used, not even for "mike". "joe" doesn't appear either.

This is our configuration:

authSettings = freeipa
authType = LDAP

admin = app_splunk_admin
user = app_splunk_user

SSLEnabled = 0
anonymous_referrals = 0
bindDN = uid=splunk,cn=users,cn=accounts,dc=example,dc=com
bindDNpassword = topsecret
charset = utf8
emailAttribute = mail
groupBaseDN = cn=groups,cn=accounts,dc=example,dc=com
groupBaseFilter = (cn=app_splunk_*)
groupMappingAttribute = memberof
groupMemberAttribute = member
groupNameAttribute = cn
host =
nestedGroups = 1
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = cn=users,cn=accounts,dc=example,dc=com
userBaseFilter = (memberOf=cn=app_splunk_user,cn=groups,cn=accounts,dc=example,dc=com)
userNameAttribute = uid

These two lines from splunkd.log are interesting (sizelimit is "1000" at both ends, but Splunk still sends LDAP subtree requests with a sizelimit of 1):

01-20-2016 17:00:04.725 +0100 WARN  ScopedLDAPConnection - strategy="freeipa" LDAP Server returned warning in search for DN="cn=users,cn=accounts,dc=example,dc=com". reason="Size limit exceeded"
01-20-2016 17:00:04.729 +0100 WARN  ScopedLDAPConnection - strategy="freeipa" LDAP Server returned warning in search for DN="cn=groups,cn=accounts,dc=example,dc=com". reason="Size limit exceeded"

Are there more than 1000 users in the Base DN you have configured?
The error in the splunkd log looks like it's searching your base DN "cn=users,cn=accounts,dc=example,dc=com" and maybe not using the filter at all?

Size Limit Exceeded is an LDAP server error indicating that the search request was unable to return all entries due to a limit. The problem encountered is that the users or groups you are looking for may have been in the 1001+ entries and are not being returned.

In AD, the default size limit is typically 1000 entries. The LDAP server error is usually followed by an error indicating the number of entries returned which is a few entries less than the actual size limit. There is nothing you can do to change this limit unless you are the LDAP server administrator.

In Splunk, you can use filters to reduce the number of LDAP entries returned so that you do not hit this limit. Is there a typo in your filter at all? This page has some good examples.

Cheers, Nick

I have less than 50 users and groups configured.

Just found something interesting in Wireshark: one of the first LDAP search requests generated by Splunk sends a size limit of "1", which is answered with "sizeLimitExceeded".

[Wireshark screenshot: search request]
[Wireshark screenshot: search response]
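The directory in the question, Nick's point about the server-side size limit, and the sizelimit-of-1 search seen in Wireshark, modelled as an added example that is not code from this thread or from Splunk. It builds a small in-memory copy of the users and groups above, applies the configured userBaseFilter and groupBaseFilter to them, resolves nested membership the way nestedGroups = 1 is expected to, and truncates each search at a given size limit to show what a limit of 1 drops. The entries (including an extra user and an ipausers group), the assumption that the server maintains memberOf transitively, and the helper names parse_filter, search and resolve_roles are all constructed here.

```python
"""Added example: in-memory model of the question's directory, the configured
filters, nested-group role resolution, and the effect of an LDAP size limit."""
from fnmatch import fnmatchcase

GROUPS_BASE = "cn=groups,cn=accounts,dc=example,dc=com"
USERS_BASE = "cn=users,cn=accounts,dc=example,dc=com"
JOE, MIKE, ALICE = (f"uid={u},{USERS_BASE}" for u in ("joe", "mike", "alice"))
G_USER, G_ADMIN, G_ALL = (
    f"cn={g},{GROUPS_BASE}" for g in ("app_splunk_user", "app_splunk_admin", "ipausers")
)

# Filters and role map taken from the authentication.conf stanza in the question.
USER_FILTER = "(memberOf=cn=app_splunk_user,cn=groups,cn=accounts,dc=example,dc=com)"
GROUP_FILTER = "(cn=app_splunk_*)"
ROLE_MAP = {"admin": "app_splunk_admin", "user": "app_splunk_user"}

# Constructed entries modelled on the question, plus one unrelated user and group.
# Assumption: the server maintains memberOf transitively (as the 389 DS memberOf
# plugin behind FreeIPA does), so mike's entry also lists app_splunk_user.
GROUPS = {
    G_USER: {"cn": ["app_splunk_user"], "member": [JOE, G_ADMIN]},
    G_ADMIN: {"cn": ["app_splunk_admin"], "member": [MIKE], "memberOf": [G_USER]},
    G_ALL: {"cn": ["ipausers"], "member": [JOE, MIKE, ALICE]},
}
USERS = {
    JOE: {"uid": ["joe"], "memberOf": [G_USER, G_ALL]},
    MIKE: {"uid": ["mike"], "memberOf": [G_ADMIN, G_USER, G_ALL]},
    ALICE: {"uid": ["alice"], "memberOf": [G_ALL]},  # not meant to be a Splunk user
}


def parse_filter(ldap_filter):
    """Parse a single-term filter such as (cn=app_splunk_*) into (attr, pattern).
    Attribute names are case-insensitive in LDAP, so both parts are lowercased."""
    body = ldap_filter.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    attr, _, pattern = body[1:-1].partition("=")
    if not attr or not pattern:
        raise ValueError(f"unsupported filter: {ldap_filter!r}")
    return attr.lower(), pattern.lower()


def search(entries, ldap_filter, sizelimit):
    """Apply the filter to every entry under a base and emulate the server's
    size limit. Returns (matching DNs, exceeded): exceeded is True when the
    server would answer with sizeLimitExceeded, as in the WARN lines above."""
    attr, pattern = parse_filter(ldap_filter)
    hits = []
    for dn, entry in entries.items():
        values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
        if any(fnmatchcase(v, pattern) for v in values):
            hits.append(dn)
    return hits[:sizelimit], len(hits) > sizelimit


def resolve_roles(user_dn, groups, role_map, nested):
    """Roles a user gets from the groups' member attribute. With nested=True a
    group that is itself a member of a mapped group confers that role too."""
    direct = {dn for dn, g in groups.items() if user_dn in g.get("member", [])}
    reachable, frontier = set(direct), list(direct)
    while nested and frontier:
        child = frontier.pop()
        for dn, g in groups.items():
            if child in g.get("member", []) and dn not in reachable:
                reachable.add(dn)
                frontier.append(dn)
    names = {groups[dn]["cn"][0] for dn in reachable}
    return {role for role, group in role_map.items() if group in names}


if __name__ == "__main__":
    for limit in (1000, 1):
        users, u_exceeded = search(USERS, USER_FILTER, limit)
        grps, g_exceeded = search(GROUPS, GROUP_FILTER, limit)
        print(f"sizelimit={limit}: users={len(users)} exceeded={u_exceeded} "
              f"groups={len(grps)} exceeded={g_exceeded}")
    for dn in (JOE, MIKE):
        print(dn, "nested:", sorted(resolve_roles(dn, GROUPS, ROLE_MAP, nested=True)),
              "flat:", sorted(resolve_roles(dn, GROUPS, ROLE_MAP, nested=False)))
```

With a size limit of 1000 the user search returns joe and mike and the group search returns both app_splunk_* groups; with a limit of 1 each search returns a single entry and reports the limit as exceeded, which is the condition the two WARN lines describe. The role resolution shows the mapping the poster expected: joe gets "user", and mike gets "admin" plus "user" only when nested membership is followed.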

