Security
Provide Splunk Cloud feedback in this confidential UX survey by June 17
for a chance to win a $200 Amazon gift card!

Why are users from an LDAP Authenticated group not showing up?

vxb4892
Engager

We have created a group through our Active Directory team that contains ~6000 users. We have mapped this group through LDAP authentication on a single Splunk instance as we would normally do with any other AD group. However users that belong to this newly created group are unable to login.

If I check the settings for this user group the "LDAP Users" field is entirely blank. This occurrence only appears for this particular group, all others have their LDAP Users field populated appropriately. We have checked in the AD and all the users that should be in the group are correctly listed, but why are they not rendering in Splunk?

0 Karma

vxb4892
Engager

The issue addressed in this question was resolved with the assistance of a Splunk Support Case.

0 Karma

mh0712
New Member

Do you get a solution for this problem?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@vxb4892, To help future readers, please describe how you resolved the problem then accept the answer.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

pradeepkumarg
Influencer

Did you try reload auth? or restart splunk instance?
If you have groupBaseFilter defined, ensure the new group falls under those filters.

0 Karma

vxb4892
Engager

Yes we have reloaded authentication and restart the splunk instance. groupBaseFilter is defined and the group we are authenticating belongs to that definition.

0 Karma

pradeepkumarg
Influencer

anything in splunkd.log for failed authentication?

0 Karma

vxb4892
Engager

We have set logging for ScopedLDAPConnection to DEBUG and it looks as if the attributes are all being added and loading correctly however we do see a LDAP server warning: Size limit exceeded warning appear on the group mapping page.

Our AD team has set the LDAP size limit to 1000, which would explain why maybe we're not able to see the 6000 users coming through, but there is no pageSize value for us to set on the Splunk side, nor has setting the search size parameter or the max_users_to_precache parameter to anything higher than 1000 worked for us.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!