We have created a group through our Active Directory team that contains ~6000 users. We have mapped this group through LDAP authentication on a single Splunk instance as we would normally do with any other AD group. However, users that belong to this newly created group are unable to log in.
If I check the settings for this user group, the "LDAP Users" field is entirely blank. This occurrence only appears for this particular group; all others have their LDAP Users field populated appropriately. We have checked in the AD and all the users that should be in the group are correctly listed, but why are they not rendering in Splunk?
The issue addressed in this question was resolved with the assistance of a Splunk Support Case.
Did you get a solution for this problem?
@vxb4892, To help future readers, please describe how you resolved the problem then accept the answer.
Did you try reload auth? Or restarting the Splunk instance?
If you have groupBaseFilter defined, ensure the new group falls under those filters.
Yes, we have reloaded authentication and restarted the Splunk instance. groupBaseFilter is defined and the group we are authenticating belongs to that definition.
Anything in splunkd.log for failed authentication?
We have set logging for ScopedLDAPConnection to DEBUG and it looks as if the attributes are all being added and loading correctly; however, we do see an "LDAP server warning: Size limit exceeded" warning appear on the group mapping page.
Our AD team has set the LDAP size limit to 1000, which would explain why maybe we're not able to see the 6000 users coming through, but there is no pageSize value for us to set on the Splunk side, nor has setting the search size parameter or the max_users_to_precache parameter to anything higher than 1000 worked for us.